A sophisticated supply chain attack leveraging a compromised developer tool has led to the exfiltration of thousands of GitHub’s internal source code repositories. The incident, confirmed by GitHub on Wednesday, originated from a malicious version of the Nx Console Visual Studio Code extension that was unknowingly installed on an employee’s machine.
Root Cause: A Developer Tool Turned Trojan
The attack began when the official `nrwl.angular-console` extension for VS Code was compromised. According to the Nx team, the breach was traced back to a developer’s system that was compromised following the recent TanStack supply chain attack. The threat actor, identified as the cybercriminal group TeamPCP, used this foothold to publish a poisoned update of the extension. Once a GitHub employee updated the extension, the malicious code provided the attackers with a backdoor into the company’s internal network.
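The attack chain above turned on a routine extension update: the extension id stayed the same, only the version changed. One control a defender can apply is to pin reviewed extension versions and audit workstations for drift or unreviewed installs. The script below is an added example and is not code from the article, GitHub or the Nx project; it assumes the layout of VS Code's per-user manifest (`~/.vscode/extensions/extensions.json`, a JSON list of objects carrying an `identifier.id` and a `version`), and the allowlist versions and sample manifest are constructed for illustration.

```python
"""Audit installed VS Code extensions against a pinned allowlist.

Added example, not from the article or from GitHub/Nx. Assumes VS Code's
per-user manifest (~/.vscode/extensions/extensions.json) is a JSON list of
objects with an "identifier" object holding "id" and a top-level "version".
The allowlist versions and the sample manifest below are constructed.
"""
import json
from pathlib import Path

# Constructed allowlist: extension id -> the version a team has reviewed and pinned.
# The version strings are hypothetical placeholders, not real release numbers.
PINNED = {
    "nrwl.angular-console": "18.0.0",  # hypothetical pinned version
    "ms-python.python": "2024.4.0",    # hypothetical pinned version
}

# Constructed sample manifest; real files carry more fields per entry.
SAMPLE_MANIFEST = json.dumps([
    {"identifier": {"id": "nrwl.angular-console"}, "version": "18.0.1"},
    {"identifier": {"id": "ms-python.python"}, "version": "2024.4.0"},
    {"identifier": {"id": "example.unreviewed-helper"}, "version": "0.1.0"},
])


def audit_extensions(manifest_text: str, pinned: dict[str, str]) -> list[str]:
    """Return one finding per extension that is not allowlisted or whose
    installed version differs from the pinned one; an empty list means clean."""
    findings = []
    for entry in json.loads(manifest_text):
        ext_id = entry["identifier"]["id"].lower()  # ids are compared case-insensitively
        version = entry.get("version", "unknown")
        if ext_id not in pinned:
            findings.append(f"NOT ALLOWLISTED: {ext_id} {version}")
        elif version != pinned[ext_id]:
            findings.append(
                f"VERSION DRIFT: {ext_id} installed {version}, pinned {pinned[ext_id]}"
            )
    return findings


def audit_file(path: Path, pinned: dict[str, str] = PINNED) -> list[str]:
    """Convenience wrapper for running against a real manifest on disk."""
    return audit_extensions(path.read_text(encoding="utf-8"), pinned)


if __name__ == "__main__":
    # Against the constructed sample this reports a drifted nrwl.angular-console
    # and an unreviewed extension; a clean workstation prints nothing.
    for finding in audit_extensions(SAMPLE_MANIFEST, PINNED):
        print(finding)
```

Running this from a fleet management job (or as a pre-commit hook on developer machines) surfaces exactly the situation the article describes: a known extension id whose installed version is newer than the one the team reviewed. It is most useful paired with `"extensions.autoUpdate": false` in VS Code's `settings.json`, so that a poisoned release is not pulled in silently before anyone has looked at it.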
Impact and Mitigation Response
GitHub’s Chief Information Security Officer, Alexis Wales, confirmed that the breach allowed TeamPCP to exfiltrate approximately 3,800 internal repositories. While the company stated that the attack was contained and critical secrets were rotated, it acknowledged that some internal repositories contained excerpts of customer support interactions. However, GitHub emphasized that there is no evidence that customer-owned enterprises, organizations, or repositories were directly impacted. The incident has sparked broader conversations within the open source community about fundamental flaws in the trust model for developer tooling and software distribution pipelines.
Source: The Hacker News