The short version

My GitHub personal access token was exfiltrated — most likely by a supply-chain compromise somewhere in my developer environment. The attacker used it to push malicious commits to several of my private repositories. One of those repositories belonged to a client. The client ended the engagement. They were right to.

That's the whole of what happened. Everything I want to say in this post is about what I did afterwards, and about what I am now building and studying because of it.

The attack, by category

I can't tell you exactly which package, extension, or tool in my local environment exfiltrated the token. By the time I was thinking clearly enough to investigate, a lot of the evidence on my machine had been rotated out by the ordinary churn of a working developer's day — extension updates, shell-history truncation, containers torn down and rebuilt.