Attackers took over the publisher token for Nx Console, a VS Code extension with about 2.2 million installs, and used it to push a malicious JavaScript build to the VS Code Marketplace. The listing was up for 18 minutes before it was pulled. Because VS Code auto-updates extensions, 18 minutes was enough for the build to land on developer machines, run, and exfiltrate .env files and other credentials. Most EDR tools did not flag it: the payload was plain JavaScript executing inside the already-trusted VS Code extension host, not a new compiled binary to hash, scan or block.

Three things made this work:

Auto-updates are on by default. A new extension version installs and activates without a prompt, and teams treat that as a convenience rather than as code execution they never reviewed.

People trust the "verified" badge and high install counts. The badge means the publisher's identity was checked, not the code; the install count measures popularity. A hijacked publisher account inherits both.

Developers keep long-lived secrets on their machines, in .env files and cloud credential files readable by any process running as their user. Once the extension ran, it had files to steal.
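The first factor is a setting and the incident itself is a question you can ask a machine: is extension auto-update still at its default, and did any extension's files change inside a given window? The script below is an added example, not code from the original post or from the Nx Console project. It builds a throwaway fake VS Code profile (the `example.*` extension names, paths and timestamps are constructed), reports whether `extensions.autoUpdate` is effectively on, lists extensions whose newest file is younger than the window, and writes the hardened setting. On a real machine you would point it at the user settings file and the `~/.vscode/extensions` directory instead of the sample.

```python
"""Added audit script (not from the original post): checks a VS Code profile
for auto-update left at its default and for extensions whose files were
rewritten recently. Extension names, paths and timestamps are constructed."""
import json
import os
import re
import tempfile
import time
from pathlib import Path

DAY = 24 * 3600


def load_settings(settings_path):
    """Parse VS Code's settings.json, which is JSONC: drop whole-line // comments."""
    try:
        raw = Path(settings_path).read_text()
    except FileNotFoundError:
        return {}
    raw = re.sub(r"^[ \t]*//.*$", "", raw, flags=re.MULTILINE)
    return json.loads(raw) if raw.strip() else {}


def autoupdate_enabled(settings_path):
    """VS Code treats extensions.autoUpdate as true when the key is absent.
    Newer builds also accept string modes; anything other than false counts as on."""
    return load_settings(settings_path).get("extensions.autoUpdate", True) is not False


def disable_autoupdate(settings_path):
    """Write the hardened setting in place and return the resulting settings."""
    settings = load_settings(settings_path)
    settings["extensions.autoUpdate"] = False
    Path(settings_path).write_text(json.dumps(settings, indent=2))
    return settings


def recently_changed_extensions(ext_dir, window_seconds, now=None):
    """Return installed extensions whose newest file is younger than the window.
    After an incident this answers: did a fresh build land on this machine?"""
    now = time.time() if now is None else now
    hits = []
    for pkg in sorted(Path(ext_dir).glob("*/package.json")):
        meta = json.loads(pkg.read_text())
        files = [p for p in pkg.parent.rglob("*") if p.is_file()]
        newest = max(p.stat().st_mtime for p in files)
        if now - newest <= window_seconds:
            hits.append({
                "id": f"{meta.get('publisher', '?')}.{meta.get('name', '?')}",
                "version": meta.get("version", "?"),
                "main": str(pkg.parent / meta.get("main", "")),
                "age_hours": round((now - newest) / 3600, 2),
            })
    return hits


def build_sample(now):
    """Construct a fake VS Code profile: default settings plus two extensions,
    one untouched for 30 days and one whose bundle was rewritten 10 minutes ago."""
    root = Path(tempfile.mkdtemp())
    (root / "User").mkdir()
    (root / "User" / "settings.json").write_text(
        '{\n  // auto-update key deliberately absent: VS Code defaults it to true\n'
        '  "editor.fontSize": 14\n}\n')
    for name, age in (("stale-ext", 30 * DAY), ("fresh-ext", 600)):
        d = root / "extensions" / f"example.{name}-1.0.0"
        (d / "dist").mkdir(parents=True)
        (d / "package.json").write_text(json.dumps({
            "publisher": "example", "name": name, "version": "1.0.0",
            "main": "dist/extension.js"}))
        (d / "dist" / "extension.js").write_text("module.exports.activate = () => {};\n")
        for p in d.rglob("*"):
            os.utime(p, (now - age, now - age))
    return root


if __name__ == "__main__":
    now = time.time()
    root = build_sample(now)
    settings = root / "User" / "settings.json"
    print("auto-update on:", autoupdate_enabled(settings))
    for hit in recently_changed_extensions(root / "extensions", DAY, now):
        print("changed within 24h:", hit)
    print("after hardening:", disable_autoupdate(settings))
```

Turning auto-update off does not make extensions safe; it only restores the review step, so pair it with a periodic check that new versions are being looked at rather than silently accumulating. The mtime check is a triage aid, not proof: an attacker who can write the bundle can also reset timestamps, so treat a hit as "look at this" and a miss as "not conclusive".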