The short version
My GitHub personal access token was exfiltrated — most likely by a supply-chain compromise somewhere in my developer environment. The attacker used it to push malicious commits to several of my private repositories. One of those repositories belonged to a client. The client ended the engagement. They were right to.
That's the whole of what happened. Everything I want to say in this post is about what I did afterwards, and about what I am now building and studying because of it.
The attack, by category
I can't tell you exactly which package, extension, or tool in my local environment exfiltrated the token. By the time I was thinking clearly enough to investigate, a lot of the evidence on my machine had been rotated out by the ordinary churn of a working developer's day — extension updates, shell-history truncation, containers torn down and rebuilt.







