GitHub hit by malicious VS Code extension
- GitHub said on May 20 it contained a compromised employee device tied to a poisoned VS Code extension and is investigating theft of internal repositories.
- GitHub CISO Alexis Wales said the attackers' claim of about 3,800 repositories was "directionally consistent," while Nx said the compromised version 18.95.0 was live for 11 minutes.
- GitHub said it will publish a fuller report after the investigation; Nx told users to update to version 18.100.0.
GitHub said on May 20 that attackers exfiltrated internal repositories after compromising an employee device through a poisoned Visual Studio Code extension published by a third party. Chief Information Security Officer Alexis Wales said the company detected and contained the compromise on Monday, May 18, removed the malicious extension version, isolated the endpoint and began incident response immediately. GitHub said its current assessment is that the activity involved GitHub-internal repositories only, and that it has no evidence of impact to customer enterprises, organizations or repositories stored outside those internal systems.

### How did the breach get into GitHub's environment?

GitHub said the initial access came through a poisoned VS Code extension installed on an employee device, not through a flaw in GitHub's platform. Wales said the company detected the compromise on May 18 and moved to contain it the same day. GitHub's own brief statement does not name the extension. (github.blog)

Nx, the maintainer of the Nx Console extension, published a security advisory on May 18 saying version 18.95.0 of Nx Console for VS Code was compromised. The advisory said that version was available from 2:36 p.m. CEST until 2:47 p.m. CEST, an 11-minute window, and told anyone who had VS Code running with Nx Console and auto-update enabled during that window to assume compromise. Nx said users should immediately update to version 18.100.0. (github.blog)

### What exactly did GitHub say was taken?

GitHub said the attacker's claim of about 3,800 repositories was "directionally consistent" with its investigation so far. The company said the repositories affected were GitHub-owned internal repositories, and that it has no evidence that customer repositories outside GitHub's internal environment were affected. (github.com)

Wales also said some GitHub internal repositories contain customer information, including excerpts of support interactions. GitHub said that if it discovers customer impact, it will notify customers through its established incident response and notification channels.

### Why are Nx users being told to rotate everything on disk?

Nx said in its advisory that anyone exposed to the compromised release should assume "anything on disk needs to be rotated." The advisory specifically listed tokens, secrets and SSH keys. (github.blog)

Nx also said it hardened its publishing pipeline so that two admins now need to approve a release, replacing a process in which any core contributor could release a new VS Code version. Nx said the compromise stemmed from a recent supply-chain attack that scraped one contributor's GitHub token. The company said it was working with Microsoft and GitHub on the investigation.

### Was this limited to GitHub, or part of a wider supply-chain attack chain?

BleepingComputer reported on May 21 that GitHub linked the repository breach to the earlier TanStack npm supply-chain attack and said the poisoned extension was Nx Console. (github.com) That report attributed the activity to the TeamPCP threat group. GitHub's own May 20 statement did not include that attribution, so the connection rests on subsequent reporting rather than on the company's initial disclosure. The Nx advisory itself supports part of that chain by saying a contributor's GitHub token was scraped in a recent supply-chain attack and then used in the extension compromise.

### What happens next for GitHub and affected developers?

GitHub said it rotated critical secrets on Monday and into Tuesday, prioritizing the highest-impact credentials first. Wales said the company is still analyzing logs, validating secret rotation and monitoring its infrastructure for follow-on activity. (bleepingcomputer.com) GitHub also said it will publish a fuller report when the investigation is complete. (github.com)

Nx said developers who might have received version 18.95.0 should move to 18.100.0 and treat local credentials as compromised. The company's public advisory remains the main reference point for affected extension users while GitHub's broader incident review continues. (github.com) (github.blog)
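The advisory's two instructions, confirm whether 18.95.0 reached a machine and then move to 18.100.0, translate into a short triage check. The script below is an added example written for this page; it is not Nx or GitHub code. It reads the `publisher.name@version` lines that `code --list-extensions --show-versions` prints, classifies the Nx Console entry, and separately looks for a leftover per-version folder in the VS Code extensions directory, since an auto-update that moved past the bad build can leave that folder behind. The extension id `nrwl.angular-console` is an assumption (the article does not give the id); the version numbers are the ones the advisory names.

```shell
#!/bin/sh
# Added triage example for the Nx Console advisory (not Nx or GitHub code).
# Input format: one `publisher.name@version` line per extension, as printed by
#   code --list-extensions --show-versions
# The extension id below is an ASSUMPTION; the article never names it, so check
# it against your own extension list before relying on the result.
NX_CONSOLE_ID="nrwl.angular-console"   # assumed id
COMPROMISED_VER="18.95.0"              # build the advisory calls compromised
FIXED_VER="18.100.0"                   # build the advisory tells users to move to

# version_lt A B: succeeds when dotted version A is numerically lower than B.
# Plain string comparison would rank 18.95.0 above 18.100.0, so each component
# is compared as an integer; missing trailing components count as 0.
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}
    if [ "$ah" = "$a" ]; then a=''; else a=${a#*.}; fi
    if [ "$bh" = "$b" ]; then b=''; else b=${b#*.}; fi
    ah=${ah:-0}; bh=${bh:-0}
    if [ "$ah" -lt "$bh" ]; then return 0; fi
    if [ "$ah" -gt "$bh" ]; then return 1; fi
  done
  return 1
}

# classify_nx_console: reads extension list lines on stdin and prints one verdict:
#   COMPROMISED  the 18.95.0 build is installed: rotate tokens, secrets, SSH keys
#   OUTDATED     older than 18.100.0 but not the bad build: update now
#   FIXED        18.100.0 or newer is installed
#   ABSENT       Nx Console is not in the list
classify_nx_console() {
  verdict="ABSENT"
  while IFS= read -r line; do
    case "$line" in
      "$NX_CONSOLE_ID"@*) ;;   # only the Nx Console entry matters here
      *) continue ;;
    esac
    ver=${line#*@}
    ver=${ver%%-*}             # drop any pre-release suffix before numeric compare
    if [ "$ver" = "$COMPROMISED_VER" ]; then
      verdict="COMPROMISED"    # nothing outranks this, stop scanning
      break
    elif version_lt "$ver" "$FIXED_VER"; then
      verdict="OUTDATED"
    else
      verdict="FIXED"
    fi
  done
  printf '%s\n' "$verdict"
}

# scan_extension_dir DIR: VS Code keeps one folder per installed extension
# version under its extensions directory (~/.vscode/extensions by default), and
# the previous version's folder can outlive an auto-update. A leftover
# <id>-18.95.0 folder is evidence the bad build was on this machine even when
# the current list already shows 18.100.0. Prints FOUND or NOT_FOUND.
scan_extension_dir() {
  if [ -d "$1/$NX_CONSOLE_ID-$COMPROMISED_VER" ]; then
    printf 'FOUND\n'
  else
    printf 'NOT_FOUND\n'
  fi
}

# Stand-alone demo on a CONSTRUCTED extension list (not real data).
SAMPLE='ms-python.python@2024.4.1
nrwl.angular-console@18.95.0
esbenp.prettier-vscode@10.4.0'
printf '%s\n' "$SAMPLE" | classify_nx_console
```

On a real machine, source the file and run `code --list-extensions --show-versions | classify_nx_console` followed by `scan_extension_dir ~/.vscode/extensions`. Neither check can prove a machine clean: a list that now shows 18.100.0 says nothing about whether the auto-updater pulled 18.95.0 during the 11-minute window, which is exactly why the advisory tells anyone exposed during that window to rotate credentials regardless of what is installed today.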