GitHub says the hackers who breached 3,800 internal repositories gained access via a malicious version of the Nx Console VS Code extension, compromised in last week's TanStack npm supply-chain attack.
This attack is attributed to the TeamPCP threat group and began with the compromise of dozens of TanStack and Mistral AI npm packages, then quickly extended to other projects (including UiPath, Guardrails AI, and OpenSearch) using stolen CI/CD credentials.
TeamPCP was linked to other major supply chain attacks targeting developer code platforms, including PyPI, NPM, GitHub, and Docker, and, more recently, to the "Mini Shai-Hulud" supply chain campaign (which also affected two OpenAI employees).
GitHub revealed the breach on Tuesday, saying it was investigating claims of unauthorized access to its internal repositories and telling BleepingComputer that the incident resulted from an employee installing a malicious Visual Studio Code (VS Code) extension, without disclosing the extension's name.
In a blog published Wednesday evening, GitHub CISO Alexis Wales said the breach involved a malicious version of Nx Console, the official Visual Studio Code marketplace extension for Nx, that allows developers to manage large repos and multi-project codebases without relying entirely on complex Terminal CLI commands.
