HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

GitHub Breach Exposes ~3,800 Internal Repositories via Malicious Nx Console Extension

Hackers leveraged a compromised Nx Console VS Code extension—originating from the TanStack npm supply‑chain attack—to infiltrate roughly 3,800 private GitHub repositories. The TeamPCP group stole CI/CD credentials, prompting secret rotation and a ransom demand, underscoring critical third‑party risk for code‑hosting platforms.

LiveThreat™ Intelligence · 📅 May 21, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
bleepingcomputer.com

GitHub Breach Exposes ~3,800 Internal Repositories via Malicious Nx Console Extension

What Happened — Hackers infiltrated roughly 3,800 private GitHub repositories after an employee installed a compromised version of the Nx Console VS Code extension. The malicious package was part of the broader TanStack npm supply‑chain attack attributed to the TeamPCP cybercrime group, which leveraged stolen CI/CD credentials to move laterally.

Why It Matters for TPRM

  • Third‑party code‑hosting platforms are a high‑value attack surface; a breach can expose proprietary source code and build pipelines.
  • Supply‑chain compromises can cascade across multiple vendors (npm, Docker, cloud providers), amplifying risk to downstream customers.
  • Credential theft and secret rotation failures highlight the need for continuous monitoring of third‑party access controls.

Who Is Affected — Technology SaaS providers, cloud‑hosting services, development tool vendors, and any organization that stores code or CI/CD pipelines on GitHub.

Recommended Actions

  • Review your organization’s GitHub permissions, enforce least‑privilege access, and rotate all tokens and SSH keys.
  • Implement automated scanning for malicious extensions in developer workstations.
  • Validate that your supply‑chain security tooling (SBOM, provenance) can detect tampered packages.

Technical Notes — The attack vector was a malicious Visual Studio Code extension (Nx Console 18.95.0) published for ~18 minutes on the VS Marketplace and ~36 minutes on OpenVSX. The payload harvested credentials for npm, AWS, Kubernetes, GitHub, GCP, and Docker, enabling unauthorized workflow runs. No confirmed exfiltration of customer data has been reported, but the threat actor is demanding $50 k for the stolen repository data. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/github-links-repo-breach-to-tanstack-npm-supply-chain-attack/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →