Supply‑Chain Attack Compromises GitHub via Poisoned VS Code Extension (Nx Console)
What Happened – GitHub confirmed that a malicious Visual Studio Code extension, Nx Console (≈2.2 M installs), was used by the threat group TeamPCP to gain unauthorized access to GitHub’s internal systems. The extension was poisoned in the VS Code marketplace, allowing attackers to exfiltrate credentials and source‑code artifacts.
Why It Matters for TPRM –
- A widely‑used developer tool became a vector for a supply‑chain breach, exposing downstream customers to credential theft.
- The incident demonstrates that third‑party extensions can bypass traditional perimeter controls.
- Organizations that integrate GitHub into CI/CD pipelines may inherit the same compromise.
Who Is Affected – SaaS code‑hosting platforms, software development teams, and any downstream services that pull code from compromised GitHub repositories (tech‑SaaS, cloud‑host, API‑provider).
Recommended Actions –
- Review all third‑party VS Code extensions in use; remove or replace any not vetted.
- Rotate GitHub credentials and OAuth tokens for all service accounts.
- Enforce strict supply‑chain security policies (SBOM, code‑signing verification).
Technical Notes – Attack vector: poisoned VS Code extension (third‑party dependency). No public CVE; the breach leveraged the extension’s ability to execute post‑install scripts that harvested stored GitHub tokens. Data types potentially exposed include source code, repository metadata, and developer credentials. Source: Help Net Security