HomeIntelligenceBrief
BREACH BRIEF🔴 Critical Breach

GitHub and Grafana Labs Breaches Linked to Malicious Nx Console VS Code Extension in TanStack Supply Chain

A poisoned Nx Console VS Code extension, distributed through the TanStack supply chain, stole cloud and secret‑manager credentials and enabled attackers to exfiltrate ~3,800 private GitHub repositories belonging to GitHub and Grafana Labs. The incident highlights the critical need for rigorous third‑party component vetting in DevOps environments.

LiveThreat™ Intelligence · 📅 May 21, 2026· 📰 helpnetsecurity.com
🔴
Severity
Critical
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
helpnetsecurity.com

GitHub and Grafana Labs Breaches Linked to Malicious Nx Console VS Code Extension in TanStack Supply Chain

What Happened — A malicious version of the popular Nx Console VS Code extension was published to the Visual Studio Marketplace and the Open VSX registry. The compromised extension harvested GitHub, HashiCorp Vault, Kubernetes, AWS, GCP, Docker, and 1Password credentials, which attackers used to access CI/CD pipelines and exfiltrate roughly 3,800 private GitHub repositories belonging to GitHub and Grafana Labs.

Why It Matters for TPRM

  • Supply‑chain compromise of a developer‑tool ecosystem can give threat actors unfettered access to downstream customers’ code and secrets.
  • Credential theft across multiple cloud and secret‑management platforms amplifies lateral movement risk for any organization that integrates those services.
  • The incident demonstrates that low‑download extensions can still affect thousands of developers, expanding the attack surface beyond “high‑profile” software.

Who Is Affected — SaaS development platforms, cloud‑native tooling vendors, and any organization that installs VS Code extensions from public registries (tech‑SaaS, cloud‑infra, DevOps tooling).

Recommended Actions

  • Conduct an immediate inventory of all VS Code extensions in use and remove any from untrusted sources.
  • Rotate every credential that could have been exposed (GitHub tokens, cloud keys, Vault tokens, 1Password entries).
  • Enforce strict extension signing verification and limit CI/CD token scopes.
  • Review third‑party risk policies for open‑source component provenance and supply‑chain monitoring.

Technical Notes — Attack vector: compromised third‑party dependency (malicious Nx Console extension). No public CVE; the payload fetched over HTTPS/DNS and attempted sudoers injection on Linux. Exfiltrated data included personal access tokens, OAuth/app tokens, cloud provider keys, Docker credentials, and secrets stored in HashiCorp Vault and 1Password. Source: Help Net Security

📰 Original Source
https://www.helpnetsecurity.com/2026/05/21/github-grafana-breach-root-cause-nx-console/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

Point-in-time vendor reviews miss incidents like this.

Verisq AI Trust Operations replaces the annual questionnaire with continuous third-party monitoring — so vendor exposure becomes audit evidence, not a once-a-year guess.

See how Verisq AI Trust Operations works →