HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

Supply‑Chain Attack Compromises GitHub via Poisoned VS Code Extension (Nx Console)

GitHub disclosed a breach caused by a poisoned VS Code extension (Nx Console) that allowed threat actors to steal developer credentials and source‑code. The incident highlights the risk of third‑party developer tools in supply‑chain attacks and underscores the need for rigorous extension vetting.

LiveThreat™ Intelligence · 📅 May 24, 2026· 📰 helpnetsecurity.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
helpnetsecurity.com

Supply‑Chain Attack Compromises GitHub via Poisoned VS Code Extension (Nx Console)

What Happened – GitHub confirmed that a malicious Visual Studio Code extension, Nx Console (≈2.2 M installs), was used by the threat group TeamPCP to gain unauthorized access to GitHub’s internal systems. The extension was poisoned in the VS Code marketplace, allowing attackers to exfiltrate credentials and source‑code artifacts.

Why It Matters for TPRM

  • A widely‑used developer tool became a vector for a supply‑chain breach, exposing downstream customers to credential theft.
  • The incident demonstrates that third‑party extensions can bypass traditional perimeter controls.
  • Organizations that integrate GitHub into CI/CD pipelines may inherit the same compromise.

Who Is Affected – SaaS code‑hosting platforms, software development teams, and any downstream services that pull code from compromised GitHub repositories (tech‑SaaS, cloud‑host, API‑provider).

Recommended Actions

  • Review all third‑party VS Code extensions in use; remove or replace any not vetted.
  • Rotate GitHub credentials and OAuth tokens for all service accounts.
  • Enforce strict supply‑chain security policies (SBOM, code‑signing verification).

Technical Notes – Attack vector: poisoned VS Code extension (third‑party dependency). No public CVE; the breach leveraged the extension’s ability to execute post‑install scripts that harvested stored GitHub tokens. Data types potentially exposed include source code, repository metadata, and developer credentials. Source: Help Net Security

📰 Original Source
https://www.helpnetsecurity.com/2026/05/24/week-in-review-github-breached-via-poisoned-vs-code-extension-critical-nginx-flaw-exploited/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →