GitHub Breach Exposes ~3,800 Internal Repositories via Malicious Nx Console Extension
What Happened — Hackers infiltrated roughly 3,800 private GitHub repositories after an employee installed a compromised version of the Nx Console VS Code extension. The malicious package was part of the broader TanStack npm supply‑chain attack attributed to the TeamPCP cybercrime group, which leveraged stolen CI/CD credentials to move laterally.
Why It Matters for TPRM —
- Third‑party code‑hosting platforms are a high‑value attack surface; a breach can expose proprietary source code and build pipelines.
- Supply‑chain compromises can cascade across multiple vendors (npm, Docker, cloud providers), amplifying risk to downstream customers.
- Credential theft and secret rotation failures highlight the need for continuous monitoring of third‑party access controls.
Who Is Affected — Technology SaaS providers, cloud‑hosting services, development tool vendors, and any organization that stores code or CI/CD pipelines on GitHub.
Recommended Actions —
- Review your organization’s GitHub permissions, enforce least‑privilege access, and rotate all tokens and SSH keys.
- Implement automated scanning for malicious extensions in developer workstations.
- Validate that your supply‑chain security tooling (SBOM, provenance) can detect tampered packages.
Technical Notes — The attack vector was a malicious Visual Studio Code extension (Nx Console 18.95.0) published for ~18 minutes on the VS Marketplace and ~36 minutes on OpenVSX. The payload harvested credentials for npm, AWS, Kubernetes, GitHub, GCP, and Docker, enabling unauthorized workflow runs. No confirmed exfiltration of customer data has been reported, but the threat actor is demanding $50 k for the stolen repository data. Source: BleepingComputer