GitHub has confirmed that a recent breach into its internal repositories was caused by a vulnerability in a Microsoft Visual Studio Code (VS Code) extension called ‘Nx Console.’
The security team at the Microsoft-owned software developer platform warned on May 19 that an attacker gained unauthorized access to 3800 internal repositories via a “poisoned” VS Code extension found on an employee device.
It was later confirmed by Jeff Cross, CEO of Nx, that Nx Console, a popular VS Code extension, was the extension that was poisoned and resulted in the GitHub breach.
Nx Console provides a graphical interface for managing and running Nx workspace tasks, generators and builds. Nx is a development toolkit for managing large codebases, also known as monorepos.
Nx Console is a popular extension, with 2.2 million installs on the Visual Studio Marketplace and a verified publisher badge.
In a report published on GitHub, Cross explained that a malicious version of Nx Console (version 18.95.0) was uploaded to Visual Studio Marketplace and Open VSX, an open-source extension registry for Visual Studio Code–compatible editors, on May 18.
The upload was completed at 12:30 UTC by an individual who posed as a legitimate Nx maintainer.
The compromised extension fetched an obfuscated payload that harvested credentials from multiple sources on disk and in memory:
- Vault: ~/.vault-token, /etc/vault/token; Kubernetes and AWS IAM auth
- Npm: .npmrc tokens and OIDC token exchange
- AWS: IMDS/ECS metadata, Secrets Manager, SSM, Web Identity tokens
- GitHub: ghp_/gho_/ghs_ tokens, Actions secrets, process memory
- 1Password: op CLI vault contents, if an op session was active
- Filesystem: private keys, connection strings, GCP/Docker credentials
The issue has been allocated a vulnerability identifier, CVE-2026-48027.
Cross explained that the person managed to gain the GitHub credentials of a legitimate Nx developer through a recent supply-chain compromise of TanStack npm packages. This was part of a broader supply chain attack affecting developer ecosystems, commonly known as the Mini Shai-Hulud campaign.
TanStack is a collection of open-source developer tools for building modern web apps, especially focused on state management, data fetching, tables, routing and virtualization.
Additionally, Cross admitted that the upload of the malicious Nx Console version was performed “without manual approval” from other Nx administrators.
“To prevent this from happening in the future, we have hardened our Nx Console publishing pipeline such that two admins need to manually approve the release.”
A maintainer unpublished the malicious version a few minutes later and Microsoft fully registered the takedown at 12:48 UTC, meaning the malicious extension was available on the Visual Studio Marketplace for about 18 minutes.
Cross, the Nx CEO, said his company “takes responsibility” for the role its software played in this incident. He thanked all involved, including at GitHub and Microsoft, for helping investigate and contain the threat.
“This incident highlights that there need to be deeper, more fundamental changes to how we and other maintainers need to think about securing developer tooling and open-source distribution,” he added.
He also said Nx has already started implementing changes “to our publishing, automation, and extension security posture.”
“We’re also beginning conversations with other high-profile open-source maintainers about how we can work together on some of the deeper structural problems around software supply chain security. A lot of the assumptions the ecosystem has operated under for years no longer hold.”
3800 GitHub Internal Repositories Stolen
While the time window may appear short, it was long enough to infect many open-source project contributors running VS Code with the Nx Console extension installed and auto-update enabled.
Anyone in this situation should assume they were compromised and should rotate any authentication keys stored on disk, including tokens, secrets, SSH keys and any type of credentials.
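To turn the payload's target list above and the rotation advice in the preceding paragraph into something actionable, the following script inventories which of those on-disk credential artifacts exist under a developer's home directory and builds a rotation checklist from them. It is an added example, not code from the article, Nx or GitHub. It assumes conventional locations for the AWS, Docker and GCP files (the article names the products but not the paths), and it assumes the classic GitHub token format of the ghp_/gho_/ghs_ prefix followed by 36 alphanumeric characters; the demo home directory it creates is constructed sample data.

```python
#!/usr/bin/env python3
"""Inventory on-disk credential artifacts after a suspected extension compromise
and emit a rotation checklist. Added example; paths and token formats below are
assumptions documented inline, not facts from the article."""
from __future__ import annotations

import re
import sys
import tempfile
from pathlib import Path

# Artifacts relative to $HOME. ~/.vault-token and ~/.npmrc come from the article's
# list; the AWS, Docker, GCP and SSH paths are assumed conventional locations.
HOME_RELATIVE_ARTIFACTS = {
    ".vault-token": "HashiCorp Vault token",
    ".npmrc": "npm auth token(s)",
    ".aws/credentials": "AWS access keys",
    ".docker/config.json": "Docker registry auth",
    ".config/gcloud/application_default_credentials.json": "GCP ADC",
    ".ssh/id_rsa": "SSH private key",
    ".ssh/id_ed25519": "SSH private key",
}
# Absolute path named in the article's Vault entry.
ABSOLUTE_ARTIFACTS = {"/etc/vault/token": "Vault agent token"}

# Prefixes named in the article; assumption: classic tokens are prefix + 36 alphanumerics.
GITHUB_TOKEN_RE = re.compile(r"\bgh[pos]_[A-Za-z0-9]{36}\b")
# npm auth entries in .npmrc look like //registry/:_authToken=<token>
NPMRC_TOKEN_RE = re.compile(r"_authToken\s*=\s*(\S+)")


def redact(secret: str) -> str:
    """Keep enough of a token to recognise it in a checklist without reproducing it."""
    return secret[:8] + "..." + secret[-4:]


def find_github_tokens(text: str) -> list[str]:
    """Return redacted GitHub tokens found in arbitrary text (e.g. .npmrc, .git-credentials)."""
    return [redact(m.group(0)) for m in GITHUB_TOKEN_RE.finditer(text)]


def inventory(home: Path, absolute: dict[str, str] = ABSOLUTE_ARTIFACTS) -> list[dict]:
    """Report which candidate artifacts exist and what token material they contain."""
    candidates = {home / rel: what for rel, what in HOME_RELATIVE_ARTIFACTS.items()}
    for abs_path, what in absolute.items():
        candidates[Path(abs_path)] = what
    findings = []
    for path, what in candidates.items():
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            text = ""  # unreadable (permissions); existence alone still warrants rotation
        findings.append({
            "path": str(path),
            "what": what,
            "github_tokens": find_github_tokens(text),
            "npm_tokens": len(NPMRC_TOKEN_RE.findall(text)),
        })
    return findings


def rotation_checklist(findings: list[dict]) -> list[str]:
    """One ROTATE line per artifact found, with redacted token evidence where present."""
    lines = []
    for f in findings:
        note = f"{f['path']}: {f['what']}"
        if f["github_tokens"]:
            note += " | GitHub tokens: " + ", ".join(f["github_tokens"])
        if f["npm_tokens"]:
            note += f" | npm auth entries: {f['npm_tokens']}"
        lines.append("ROTATE " + note)
    return lines


def build_demo_home() -> Path:
    """Constructed sample: a throwaway HOME with fake tokens, for offline demonstration."""
    home = Path(tempfile.mkdtemp(prefix="credcheck-"))
    (home / ".npmrc").write_text(
        "//registry.npmjs.org/:_authToken=npm_FAKE0000000000000000000000000000\n"
        "//npm.pkg.github.com/:_authToken=ghp_" + "A" * 36 + "\n"
    )
    (home / ".vault-token").write_text("hvs.FAKEvaulttoken\n")
    (home / ".ssh").mkdir()
    (home / ".ssh" / "id_ed25519").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\nFAKE\n-----END OPENSSH PRIVATE KEY-----\n"
    )
    return home


if __name__ == "__main__":
    # `--demo` scans the constructed sample home; otherwise the real one.
    target = build_demo_home() if "--demo" in sys.argv else Path.home()
    for line in rotation_checklist(inventory(target)):
        print(line)
```

Run it with `--demo` to see the checklist for the constructed sample, or without arguments on a workstation that had the extension installed; the output only lists where credentials live and redacted token fragments, so it can be pasted into a ticket without leaking the secrets themselves.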
The attacker also managed to steal approximately 3800 of GitHub’s internal repositories.
GitHub contained the threat and explained in its 19 May update that it had removed the malicious extension version, isolated the endpoint and begun incident response immediately.
“Critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first,” GitHub added. “We continue to analyze logs, validate secret rotation, and monitor for any follow-on activity. We will take additional action as the investigation warrants.”
The company also promised to publish a more detailed report once the investigation is complete.
TeamPCP Allegedly Selling GitHub Repos for $95,000
The breach was claimed by the TeamPCP hacking group.
The group first demanded “at least $50,000” for the stolen data before reportedly posting an ad in which TeamPCP appears to partner with the Lapsus$ threat group to sell the stolen data for $95,000.
The group stated that this was “not a ransom” and that they were not interested in extorting GitHub.
Instead, they claimed that they would only sell the data to one buyer, were “not interested in under 50k” and that “the best offer will get it.” They said they would delete the stolen data once a buyer had been found, adding that their retirement appeared imminent.
They also warned that if no buyer was found, they would leak the data for free.
