A high-impact supply chain attack has compromised approximately 3,800 of GitHub's internal repositories. The breach originated from a poisoned version of the 'nrwl.angular-console' (Nx Console) Microsoft Visual Studio Code extension. By infiltrating a GitHub employee's development environment, the threat actor likely leveraged token-stealing mechanisms or a VS Code zero-day vulnerability to exfiltrate authentication tokens and access proprietary source code. The compromised data, including sensitive internal intellectual property, has reportedly been listed for sale on underground dark web forums. This incident highlights critical risks in developer tooling and the potential for secondary compromises through stolen credentials.
-
Incident/Breach Overview
- Compromise of approximately 3,800 GitHub internal repositories.
- Exposure of sensitive intellectual property and proprietary internal source code.
- Breached repository data has been identified for sale on underground/dark web markets.
-
Attack Vector/Campaign Mechanics
- Supply chain compromise facilitated via the poisoned 'nrwl.angular-console' VS Code extension.
- Targeted infiltration of high-value GitHub employee workstations and development environments.
- Technical execution likely involves automated token-stealing payloads or VS Code zero-day exploitation.
-
Technical Impact & Asset Exposure
- Exfiltration of high-privilege developer authentication tokens.
- Unauthorized access to GitHub's internal codebase and development infrastructure.
- Significant risk of secondary compromise for integrated services via stolen credentials.
-
Defensive Actions & Mitigation
- GitHub has initiated formal incident response and forensic investigation protocols.
- Targeted revocation and rotation of affected employee authentication tokens.
- Critical requirement for enhanced vetting of third-party developer extensions and tooling.
-
Conclusion
- Demonstrates the extreme risk posed by software supply chain vulnerabilities in specialized developer tooling.
- Underscores the necessity for zero-trust architectures even within highly secured development environments.
Related posts
- Unit 42 Threat Intelligence — The npm Threat Landscape: Attack Surface and Mitigations (Updated May 1)
- GitHub Security Blog — Investigating unauthorized access to GitHub’s internal repositories
- feeds.feedburner.com — GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension
- wiz.io — Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack
- Huntress
- Stepsecurity
- Helpnetsecurity
- Cybersecuritydive
- News
- Sophos News — GitHub internal repositories breached
- Malwarebytes
- CISA Cybersecurity Advisories — Supply Chain Compromises Impact Nx Console and GitHub Repositories
- microsoft.com — Typosquatted npm packages used to steal cloud and CI/CD secrets
- Nx
- Armorcode
- Paloaltonetworks
- Blog
- Xda-developers
- Varonis
- About
- Safestate
- Phoenix
- Riskprofiler
- Bankinfosecurity
- Grip
- Forbes
- Hhs
- gbhackers.com — Fake Claude Code Installer Spreads Fileless .NET Infostealer
- The Record by Recorded Future — Researcher publishes GitHub token-stealing exploit, blames Microsoft’s disclosure process
- Hackread
- Cyderes
- App
- Infoworld
- Thenextweb
- techjacksolutions.com — Dual Supply Chain Attacks Compromise Trivy, Axios, and LiteLLM Open-Source Tools
- techjacksolutions.com — Trivy Weaponized: TeamPCP (UNC6780) Turns DevSecOps Scanner Into Supply Chain Entry Point, Steals Cisco Source Code
- techjacksolutions.com — Deep-Dive Ransomware Activity for Instant Threat Intelligence: European Commission Suffers Data Breach
- Cybersecuritynews
- Mallory
- Scworld
- Socprime
- Infosecurity-magazine
- Ebuildersecurity
- Breachsense
- Mallory
- Aiweekly
- Cyberpress
- Techrepublic
- Gigazine
- Kravensecurity
- Cypro
- Mallory
- Technadu
- techjacksolutions.com
- Labs
- Kucoin
- Neuracybintel
- Ironcastle
- Isc
- Endorlabs
- Safestate
- Arcticwolf
- Oasis
- Fieldeffect
- Blog
- Socradar
- Ampcuscyber
- Ransomware
- Hookphish
- Blackpointcyber
- Pdctech
- Ransomware
- Thehackernews
- Lokker
- Blog
- Squaredtech
- Radar
- Zvelo
- Sonatype
- Redsift
- Vicarius
- Thehackernews
- Malwarebytes
- bleepingcomputer.com — GitHub announces npm security changes to tackle supply-chain attacks
- SC Media — NPM v12 to block supply-chain attacks with new security measures
- feeds.feedburner.com — GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks
- Infosecurity-magazine
- Radar
- cyberinsider.com — VRChat discloses cloud breach exposing data of 2.4 million users
- gbhackers.com — GitHub Introduces Automatic Controls to Prevent Malicious npm Install Scripts
- Github
- Almeidalawgroup
- Claimdepot
- Classactionu
- Cybersecuritynews
- Cyberpress
- Github
- Linuxsecurity
- Aikido
- Mallory
- SecurityWeek — VS Code Vulnerability Allows One-Click GitHub Token Theft
- feeds.feedburner.com — One-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens