GitHub Internal Repositories Compromised Through Poisoned VS Code Extension
GitHub said late Tuesday that internal repositories were exfiltrated after an employee device was compromised through a poisoned Visual Studio Code extension, an incident that underscores the growing risks facing software development platforms and the ecosystems built around third-party developer tools.
The Microsoft-owned company said in posts on X that it detected and contained the compromise, removed the malicious extension version, isolated the affected endpoint and began an incident response investigation. The company’s current assessment is that the activity involved GitHub-internal repositories only.
Incident Response and Investigation
GitHub also said a claim from TeamPCP, a hacking group behind attacks targeting software development packages, that 3,800 repositories were impacted was “directionally consistent” with its investigation so far. It said critical secrets were rotated Tuesday, with the highest-impact credentials prioritized first.
The company said it continued to analyze logs, validate secret rotation and monitor for follow-on activity. The company has not publicly named the extension involved or attributed the activity to a particular group. TeamPCP reportedly advertised the material for sale on a cybercrime forum and threatened to release it if no buyer emerged.
Nx Console Security Incident
Information surfaced Wednesday that the incident may be related to a separate issue with Nx Console, a Visual Studio Code tool that helps engineering teams organize large codebases, coordinate build pipelines and run tests efficiently. According to a security advisory posted on GitHub, one of the Nx Console maintainers was compromised in a prior security incident that leaked their GitHub credentials.
An attacker then used those credentials to push a malicious version of the extension to the VS Code Marketplace. Those credentials have since been temporarily revoked. With millions of installs, Nx Console is a fixture of professional JavaScript development.
“Initially, Microsoft indicated to us that there were 28 installs of the malicious version 18.95.0. Based on our own analytics for the compromised version, we currently believe the number of users who received the malicious package may be significantly higher; potentially over 6k installs,” said Jeff Cross, CEO of Nx.
Supply Chain Attacks and Developer Ecosystems
The episode also follows a series of supply chain attacks involving npm, PyPI, Docker and other developer ecosystems. In those incidents, attackers have often targeted maintainers, packages or credentials rather than attacking end users directly.
The multiple attacks show how fragile development environments have become as threat actors increasingly target them. A single compromised developer account, package, extension or build process can create access to many downstream systems.
Security Risks of VS Code Extensions
Visual Studio Code extensions are widely used by developers to add functions to Microsoft’s code editor, including support for programming languages, testing tools, cloud services and artificial intelligence assistants. Because these extensions often operate inside development environments, a malicious or compromised extension can be positioned close to source code, credentials and build systems.
“The thing people underestimate about VS Code extensions is that they have full access to everything on the developer’s machine,” said Charlie Eriksen, a security researcher at Aikido Security. “EDR doesn’t cover this layer at all. What’s missing for most organisations is any kind of visibility into what’s actually running on developer machines and the ability to control it.”
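As an added defensive check, not part of the CyberScoop article or of any GitHub, Microsoft or Nx tooling: a Python script that parses the output of the real `code --list-extensions --show-versions` command, flags the malicious Nx Console version cited above, and reports anything outside an organisation's reviewed allowlist. The Nx Console extension identifier, the allowlist entries and the sample workstation output are assumed placeholders constructed for the example.

```python
"""Inventory installed VS Code extensions and flag known-bad or unapproved ones."""
import re
import subprocess

# Output format of `code --list-extensions --show-versions`: one "publisher.name@version" per line.
_EXT_RE = re.compile(r"^(?P<id>[^@\s]+)@(?P<version>\S+)$")

# Known-bad versions. The Nx Console extension identifier below is an assumed placeholder;
# the version number 18.95.0 is the malicious release reported in the advisory.
KNOWN_BAD = {
    "nrwl.angular-console": {"18.95.0"},
}

# Extensions an organisation has reviewed and permits (constructed example policy).
ALLOWLIST = {"ms-python.python", "nrwl.angular-console", "dbaeumer.vscode-eslint"}


def parse_extension_list(text):
    """Parse `code --list-extensions --show-versions` output into {id: version}."""
    installed = {}
    for line in text.splitlines():
        m = _EXT_RE.match(line.strip())
        if m:
            installed[m.group("id").lower()] = m.group("version")
    return installed


def audit_extensions(installed, known_bad=KNOWN_BAD, allowlist=ALLOWLIST):
    """Return findings as (kind, extension_id, version); known-bad beats not-allowlisted."""
    findings = []
    for ext_id, version in sorted(installed.items()):
        if version in known_bad.get(ext_id, set()):
            findings.append(("KNOWN_BAD", ext_id, version))
        elif ext_id not in allowlist:
            findings.append(("NOT_ALLOWLISTED", ext_id, version))
    return findings


def audit_local_vscode(code_bin="code"):
    """Run the real CLI on this machine and audit what it reports."""
    out = subprocess.run([code_bin, "--list-extensions", "--show-versions"],
                         capture_output=True, text=True, check=True).stdout
    return audit_extensions(parse_extension_list(out))


# Constructed sample output standing in for a developer workstation.
SAMPLE_OUTPUT = """\
ms-python.python@2024.4.1
nrwl.angular-console@18.95.0
someone.unreviewed-helper@0.0.3
"""

if __name__ == "__main__":
    for kind, ext_id, version in audit_extensions(parse_extension_list(SAMPLE_OUTPUT)):
        print(f"{kind}: {ext_id}@{version}")
```

Run across a fleet (for example from an endpoint management job) the findings give the visibility Eriksen describes; the allowlist is the control that decides what developers may keep installed.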
Trojanized extensions have appeared in the VS Code Marketplace before. Security researchers have identified malicious extensions posing as legitimate development tools, including packages used to steal credentials, mine cryptocurrency or exfiltrate data.
Some have accumulated large installation counts before removal, reflecting the difficulty of policing open plugin ecosystems at scale. For GitHub, the breach comes amid broader scrutiny of the security of developer infrastructure.
The platform sits at the center of software production for companies, governments, open-source maintainers and independent developers. Its internal systems and code are of obvious interest to attackers because GitHub’s services support code hosting, package distribution, automation and identity workflows across much of the software industry.
GitHub said it would publish a fuller report when the investigation is complete.
- GitHub internal repositories were impacted after an employee device was compromised through a poisoned Visual Studio Code extension.
- The company detected and contained the compromise, removed the malicious extension version, isolated the affected endpoint and began an incident response investigation.
- A claim from TeamPCP that 3,800 repositories were impacted was “directionally consistent” with GitHub’s investigation so far.
- Critical secrets were rotated, with the highest-impact credentials prioritized first.
- Nx Console, a Visual Studio Code tool, was involved in a separate security incident that may be related to the GitHub breach.
Source: CyberScoop