GitHub Breach Linked to Compromised Nx Console Extension

GitHub Breach Linked to Compromised Nx Console Extension

First seen 7 Jul 2026, 21:39 UTC edge.prnewswire.com 71% similarity 66.0

Article Content

Browse articles
ThreatCluster

On May 19, 2026, GitHub announced an investigation into unauthorized access to internal repositories after a malicious Visual Studio Code extension was executed on an employee's device. The attack, attributed to the Mini Shai-Hulud worm by TeamPCP, exploited a compromised version of the Nx Console extension, version 18.95.0, published on May 18, 2026. This version contained obfuscated JavaScript that created backdoors and allowed attackers to steal GitHub credentials. The breach affected approximately 3,800 internal repositories. GitHub's response included removing the malicious extension from the Visual Studio Marketplace within 18 minutes of detection. The attack utilized legitimate workflows and trusted credentials, making detection challenging. The compromised extension was linked to a broader supply chain attack involving multiple software publishers.

Key Points: • The GitHub breach was caused by a compromised version of the Nx Console extension. • Approximately 3,800 internal repositories were affected by the attack. • The Mini Shai-Hulud worm utilized legitimate workflows to propagate without detection.

ThreatCluster AI

Timeline

2026-05-18
Compromised Nx Console version published
Version 18.95.0 of Nx Console was published with malicious code, allowing for backdoor creation.
Article 2
2026-05-19
GitHub announces investigation into breach
GitHub confirmed unauthorized access to internal repositories after detecting a malicious VS Code extension.
Article 2
2026-05-19
Malicious extension removed from Marketplace
The Visual Studio Marketplace removed the compromised Nx Console extension within 18 minutes of detection.
Article 1
2026-07-07
TeamPCP announces auction of GitHub source code
Following the breach, TeamPCP stated they would auction GitHub's source code, with Lapsus authorized to broker the sale.
Article 2

Community

Browse all →