← Back to Daily Briefing

A high-impact supply chain attack has compromised approximately 3,800 of GitHub's internal repositories. The breach originated from a poisoned version of the 'nrwl.angular-console' (Nx Console) Microsoft Visual Studio Code extension. By infiltrating a GitHub employee's development environment, the threat actor likely leveraged token-stealing mechanisms or a VS Code zero-day vulnerability to exfiltrate authentication tokens and access proprietary source code. The compromised data, including sensitive internal intellectual property, has reportedly been listed for sale on underground dark web forums. This incident highlights critical risks in developer tooling and the potential for secondary compromises through stolen credentials.

  • Incident/Breach Overview

    • Compromise of approximately 3,800 GitHub internal repositories.
    • Exposure of sensitive intellectual property and proprietary internal source code.
    • Breached repository data has been identified for sale on underground/dark web markets.
  • Attack Vector/Campaign Mechanics

    • Supply chain compromise facilitated via the poisoned 'nrwl.angular-console' VS Code extension.
    • Targeted infiltration of high-value GitHub employee workstations and development environments.
    • Technical execution likely involves automated token-stealing payloads or VS Code zero-day exploitation.
  • Technical Impact & Asset Exposure

    • Exfiltration of high-privilege developer authentication tokens.
    • Unauthorized access to GitHub's internal codebase and development infrastructure.
    • Significant risk of secondary compromise for integrated services via stolen credentials.
  • Defensive Actions & Mitigation

    • GitHub has initiated formal incident response and forensic investigation protocols.
    • Targeted revocation and rotation of affected employee authentication tokens.
    • Critical requirement for enhanced vetting of third-party developer extensions and tooling.
  • Conclusion

    • Demonstrates the extreme risk posed by software supply chain vulnerabilities in specialized developer tooling.
    • Underscores the necessity for zero-trust architectures even within highly secured development environments.

Related posts

  1. Unit 42 Threat Intelligence — The npm Threat Landscape: Attack Surface and Mitigations (Updated May 1)
  2. GitHub Security Blog — Investigating unauthorized access to GitHub’s internal repositories
  3. feeds.feedburner.com — GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension
  4. wiz.io — Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack
  5. Huntress
  6. Stepsecurity
  7. Helpnetsecurity
  8. Cybersecuritydive
  9. News
  10. Sophos News — GitHub internal repositories breached
  11. Malwarebytes
  12. CISA Cybersecurity Advisories — Supply Chain Compromises Impact Nx Console and GitHub Repositories
  13. microsoft.com — Typosquatted npm packages used to steal cloud and CI/CD secrets
  14. Nx
  15. Armorcode
  16. Paloaltonetworks
  17. Blog
  18. Xda-developers
  19. Varonis
  20. About
  21. Safestate
  22. Phoenix
  23. Riskprofiler
  24. Bankinfosecurity
  25. Grip
  26. Reddit
  27. Forbes
  28. Hhs
  29. gbhackers.com — Fake Claude Code Installer Spreads Fileless .NET Infostealer
  30. The Record by Recorded Future — Researcher publishes GitHub token-stealing exploit, blames Microsoft’s disclosure process
  31. Reddit
  32. Hackread
  33. Cyderes
  34. App
  35. Infoworld
  36. Thenextweb
  37. techjacksolutions.com — Dual Supply Chain Attacks Compromise Trivy, Axios, and LiteLLM Open-Source Tools
  38. techjacksolutions.com — Trivy Weaponized: TeamPCP (UNC6780) Turns DevSecOps Scanner Into Supply Chain Entry Point, Steals Cisco Source Code
  39. techjacksolutions.com — Deep-Dive Ransomware Activity for Instant Threat Intelligence: European Commission Suffers Data Breach
  40. Cybersecuritynews
  41. Mallory
  42. Scworld
  43. Socprime
  44. Infosecurity-magazine
  45. Ebuildersecurity
  46. Breachsense
  47. Mallory
  48. Aiweekly
  49. Cyberpress
  50. Techrepublic
  51. Gigazine
  52. Reddit
  53. Kravensecurity
  54. Cypro
  55. Reddit
  56. Mallory
  57. Technadu
  58. techjacksolutions.com
  59. Labs
  60. Kucoin
  61. Reddit
  62. Neuracybintel
  63. Ironcastle
  64. Isc
  65. Endorlabs
  66. Safestate
  67. Arcticwolf
  68. Oasis
  69. Fieldeffect
  70. Blog
  71. Socradar
  72. Ampcuscyber
  73. Ransomware
  74. Hookphish
  75. Blackpointcyber
  76. Pdctech
  77. Ransomware
  78. Thehackernews
  79. Lokker
  80. Blog
  81. Squaredtech
  82. Radar
  83. Zvelo
  84. Sonatype
  85. Redsift
  86. Vicarius
  87. Thehackernews
  88. Malwarebytes
  89. bleepingcomputer.com — GitHub announces npm security changes to tackle supply-chain attacks
  90. SC Media — NPM v12 to block supply-chain attacks with new security measures
  91. feeds.feedburner.com — GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks
  92. Infosecurity-magazine
  93. Radar
  94. cyberinsider.com — VRChat discloses cloud breach exposing data of 2.4 million users
  95. gbhackers.com — GitHub Introduces Automatic Controls to Prevent Malicious npm Install Scripts
  96. Reddit
  97. Github
  98. Almeidalawgroup
  99. Claimdepot
  100. Classactionu
  101. Cybersecuritynews
  102. Cyberpress
  103. Github
  104. Linuxsecurity
  105. Aikido
  106. Mallory
  107. SecurityWeek — VS Code Vulnerability Allows One-Click GitHub Token Theft
  108. feeds.feedburner.com — One-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens

LINK COPIED TO CLIPBOARD