Key point: Cybercriminals from the TeamPCP group exploited a malicious Nx Console VS Code extension to gain access to GitHub’s internal systems. The attack is linked to a larger NPM supply chain attack that also affected TanStack, Mistral AI, and other projects. TeamPCP is demanding at least $50,000 for the stolen data.
GitHub confirmed that attackers gained access to 3,800 internal repositories via a manipulated version of the Nx Console VS Code extension. The attack is attributed to the threat group TeamPCP and is part of a broader supply chain attack that originally began with TanStack NPM packages.
GitHub announced on Tuesday that an employee had unknowingly installed a malicious Visual Studio Code extension, resulting in access to 3,800 internal repositories. The manipulated version of Nx Console, an official VS Code Marketplace extension for managing large code repositories, was available for approximately 18 minutes on the VS Code Marketplace and 36 minutes on OpenVSX before being removed.
The malware was designed to steal credentials and secrets for various platforms such as npm, AWS, Kubernetes, GitHub, and GCP/Docker. The threat group TeamPCP, responsible for multiple significant supply chain attacks on developer platforms, claimed access to “approximately 4,000 repositories with private code” and is demanding at least $50,000 for the data.
GitHub CISO Alexis Wales stated that the company has already rotated critical secrets and found no evidence of customer data theft outside the affected repositories. The Nx developers confirmed that one of their developers was affected by the TanStack supply chain compromise, through which GitHub credentials were leaked.
The incident adds to a series of security breaches caused by malicious VS Code extensions which, in recent years, have reached millions of installations and stolen developer credentials.