GitHub Breach Tied to TanStack npm Supply-Chain Attack

Key Takeaways

- Hackers accessed 3,800 GitHub internal repositories through a compromised Nx Console VS Code extension
- The malicious extension was live for 18 minutes on Visual Studio Marketplace and 36 minutes on OpenVSX
- TeamPCP is demanding at least $50,000 for the stolen GitHub source code

GitHub has confirmed that hackers breached 3,800 of its internal repositories. The attack vector: a malicious version of the Nx Console VS Code extension, poisoned during last week's TanStack npm supply-chain compromise.
The company disclosed on Tuesday that an employee installed the compromised extension, giving attackers access to internal code. GitHub CISO Alexis Wales provided details in a blog post Wednesday evening.
How the Attack Worked
The breach traces back to TeamPCP, a threat group linked to multiple supply-chain attacks on developer platforms including PyPI, NPM, GitHub, and Docker. TeamPCP is also connected to the "Mini Shai-Hulud" campaign that affected two OpenAI employees.
The attack started with the compromise of dozens of TanStack and Mistral AI npm packages. Attackers then used stolen CI/CD credentials to spread to other projects, including UiPath, Guardrails AI, and OpenSearch.
Nx Console is the official Visual Studio Code extension for Nx. It helps developers manage large monorepos and multi-project codebases without relying entirely on terminal commands. A malicious version, 18.95.0, appeared on the Visual Studio Marketplace for roughly 18 minutes and on OpenVSX for 36 minutes.
The poisoned extension deployed a payload designed to steal credentials from npm, AWS, Kubernetes, GitHub, and GCP/Docker.
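A stealer that runs inside a developer's editor gets every credential store on that workstation, so the first response task is to enumerate what was there and rotate all of it. The script below is an added example, not code from the article, GitHub or Nx: it inventories the on-disk stores for the credential families the article names (npm, AWS, Kubernetes, GitHub CLI, GCP, Docker) and reports the registries, profiles, clusters and hosts they reference, never the secret values. The file paths are the standard client defaults and the sample home directory is constructed inline with placeholder tokens; the article does not say which files the payload actually read.

```python
"""Inventory developer credential stores to scope rotation after a compromise.

Added example (not from the article, GitHub or Nx). Reports WHICH stores exist
and which accounts/registries they reference; secret values are never returned.
"""
import configparser
import json
import re
import tempfile
from pathlib import Path

# Default on-disk locations per client. Keyring-backed stores (gh on macOS and
# Windows, Docker credential helpers) leave no token in these files, so a
# missing file means "check the keyring", not "nothing to rotate".
STORES = {
    "npm": ".npmrc",
    "aws": ".aws/credentials",
    "kubernetes": ".kube/config",
    "github-cli": ".config/gh/hosts.yml",
    "gcp": ".config/gcloud/application_default_credentials.json",
    "docker": ".docker/config.json",
}

_NPM_TOKEN = re.compile(r"^(//[^:]+):_authToken=", re.M)   # registry scope of each token
_KUBE_SERVER = re.compile(r"^\s*server:\s*(\S+)", re.M)    # cluster API endpoints
_GH_HOST = re.compile(r"^(\S+):\s*$", re.M)                # top-level hosts in hosts.yml


def inventory(home: Path) -> dict[str, list[str]]:
    """Return {store: [identifiers to rotate]} for every store present under home."""
    found: dict[str, list[str]] = {}
    for name, rel in STORES.items():
        path = home / rel
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        if name == "npm":
            ids = _NPM_TOKEN.findall(text)
        elif name == "aws":
            cp = configparser.ConfigParser()
            cp.read_string(text)
            ids = [s for s in cp.sections() if cp.has_option(s, "aws_access_key_id")]
        elif name == "kubernetes":
            ids = _KUBE_SERVER.findall(text)
        elif name == "github-cli":
            ids = _GH_HOST.findall(text)
        elif name == "gcp":
            data = json.loads(text)
            ids = [data.get("client_email") or data.get("type", "adc")]
        else:  # docker
            data = json.loads(text)
            ids = sorted(data.get("auths", {}))
            if data.get("credsStore"):
                ids.append(f"credsStore:{data['credsStore']}")
        found[name] = ids
    return found


# Constructed sample workstation with fake hosts and placeholder tokens so the
# script runs offline. Real use: inventory(Path.home()).
SAMPLE_FILES = {
    ".npmrc": "//registry.npmjs.org/:_authToken=npm_PLACEHOLDER\n"
              "//npm.example.internal/:_authToken=PLACEHOLDER\n",
    ".aws/credentials": "[default]\naws_access_key_id = AKIAPLACEHOLDER\n"
                        "aws_secret_access_key = x\n\n[prod]\n"
                        "aws_access_key_id = AKIAPLACEHOLDER2\naws_secret_access_key = y\n",
    ".kube/config": "apiVersion: v1\nclusters:\n- cluster:\n"
                    "    server: https://k8s.example.internal:6443\n  name: example\n",
    ".config/gh/hosts.yml": "github.com:\n    user: dev\n"
                            "    oauth_token: gho_PLACEHOLDER\n    git_protocol: https\n",
    ".docker/config.json": json.dumps({"auths": {"ghcr.io": {"auth": "PLACEHOLDER"}},
                                       "credsStore": "desktop"}),
}


def build_sample_home() -> Path:
    home = Path(tempfile.mkdtemp(prefix="fakehome-"))
    for rel, content in SAMPLE_FILES.items():
        target = home / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return home


def demo() -> dict[str, list[str]]:
    return inventory(build_sample_home())


if __name__ == "__main__":
    for store, ids in demo().items():
        print(f"{store:12} rotate: {', '.join(ids) or '(present; see client keyring)'}")
```

The GCP store is deliberately absent from the sample, so it does not appear in the output: an absent file is reported as absent rather than guessed at. In a real response the rotation list is the union of this inventory and whatever the OS keyring held for `gh` and Docker.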
Nx Team's Account
The Nx development team explained what happened on their end. One of their developers was compromised through the TanStack supply-chain attack, which leaked GitHub credentials via the GitHub CLI.
“One of our developers was compromised by a recent supply-chain compromise on Tanstack, which leaked their GitHub credentials through the GitHub CLI (gh). This allowed the attacker to run workflows on our GitHub repository as a contributor.”
— Nx development team
The team said they are working jointly with GitHub and Microsoft to assess the full impact.
GitHub's Response
GitHub has secured the compromised device. The company says it has not found evidence that customer data stored outside the affected repositories was stolen.
“We rotated critical secrets Monday and into Tuesday with the highest-impact credentials prioritized first. We continue to analyze logs, validate secret rotation, and monitor our infrastructure for any follow-on activity. We will take additional action as the investigation warrants.”
— Alexis Wales, GitHub CISO
GitHub has not officially attributed the attack to a specific group. But TeamPCP claimed responsibility on the Breached forum on Tuesday, saying they accessed GitHub source code and "~4,000 repos of private code." The group is asking for at least $50,000.
Timeline of Events
What This Means for Development Teams
The attack highlights a growing problem: developer tools have become high-value targets. VS Code extensions, npm packages, and CI/CD pipelines all offer attackers a path to steal credentials that unlock much larger targets.
In this case, 18 minutes of exposure on the Visual Studio Marketplace was enough for at least one GitHub employee to install the malicious extension. The cascading effect gave attackers access to thousands of internal repositories.
Organizations relying on open-source tooling should review their extension update policies. Automatic updates can speed adoption of legitimate security patches, but they also reduce the window for catching supply-chain attacks.
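Reviewing extension policy in practice means knowing what is installed and whether any of it is a known-bad release. The script below is an added example, not code from the article, GitHub or Nx: it parses the `publisher.name@version` lines that `code --list-extensions --show-versions` prints, flags versions on a denylist and extensions missing from an allowlist. The Nx Console marketplace ID `nrwl.angular-console` is my assumption about the extension's identifier; 18.95.0 is the malicious version the article names. The sample listing is constructed inline so the audit runs without the `code` CLI present.

```python
"""Audit installed VS Code extensions against a denylist and an allowlist.

Added example (not from the article, GitHub or Nx). Input is the output of
`code --list-extensions --show-versions`, one `publisher.name@version` per line.
"""
import shutil
import subprocess
from dataclasses import dataclass

# Known-bad releases: extension ID -> poisoned versions.
# `nrwl.angular-console` is assumed to be Nx Console's marketplace ID.
DENYLIST = {
    "nrwl.angular-console": {"18.95.0"},
}

# Approved extensions; anything installed but not listed is "unreviewed".
ALLOWLIST = {
    "nrwl.angular-console",
    "ms-python.python",
    "dbaeumer.vscode-eslint",
}


@dataclass(frozen=True)
class Finding:
    extension: str
    version: str
    status: str  # "known-bad", "unreviewed" or "ok"


def parse_listing(listing: str) -> list[tuple[str, str]]:
    """Split `publisher.name@version` lines; skip blanks and lines without '@'."""
    out = []
    for line in listing.splitlines():
        line = line.strip()
        if "@" not in line:
            continue
        ext, _, version = line.rpartition("@")
        out.append((ext.lower(), version))  # extension IDs are case-insensitive
    return out


def audit(listing: str) -> list[Finding]:
    findings = []
    for ext, version in parse_listing(listing):
        if version in DENYLIST.get(ext, set()):
            status = "known-bad"
        elif ext not in ALLOWLIST:
            status = "unreviewed"
        else:
            status = "ok"
        findings.append(Finding(ext, version, status))
    return findings


def installed_listing() -> str:
    """Run the real `code` CLI if it is on PATH; otherwise return an empty string."""
    code = shutil.which("code")
    if not code:
        return ""
    return subprocess.run([code, "--list-extensions", "--show-versions"],
                          capture_output=True, text=True, check=False).stdout


# Constructed sample output in the CLI's format, including one poisoned install.
SAMPLE_LISTING = """\
dbaeumer.vscode-eslint@3.0.10
ms-python.python@2024.22.0
nrwl.angular-console@18.95.0
some-publisher.unknown-tool@0.1.0
"""

if __name__ == "__main__":
    listing = installed_listing() or SAMPLE_LISTING
    for f in audit(listing):
        if f.status != "ok":
            print(f"{f.status:10} {f.extension}@{f.version}")
```

Run on a developer fleet, this is only useful alongside a policy that slows uptake: setting `"extensions.autoUpdate": false` in VS Code's settings makes updates a deliberate step rather than an instant one, which is the window the article's 18-minute exposure shows you need. Editors that pull from OpenVSX use their own CLI, so the `code` invocation above does not cover them.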
Logicity's Take
Frequently Asked Questions
How did hackers breach GitHub's internal repositories?
An employee installed a malicious version of the Nx Console VS Code extension (version 18.95.0), which was compromised during the TanStack npm supply-chain attack. The extension stole credentials that gave attackers access to 3,800 internal repositories.
How long was the malicious Nx Console extension available?
The poisoned extension was live on the Visual Studio Marketplace for approximately 18 minutes and on OpenVSX for 36 minutes before being removed.
Who is behind the GitHub breach?
TeamPCP, a cybercrime group linked to supply-chain attacks on PyPI, NPM, GitHub, and Docker, claimed responsibility. The group is demanding at least $50,000 for the stolen source code.
Was customer data stolen in the GitHub breach?
GitHub says it has not found evidence that customer data stored outside the affected repositories was stolen. The investigation is ongoing.
What credentials did the malicious extension target?
The payload was designed to steal credentials for npm, AWS, Kubernetes, GitHub, and GCP/Docker.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer
تعتبر المهمة الجديدة خطوة هامة نحو استكشاف الفضاء وتطوير التكنولوجيا. سوف تشمل المهمة إرسال رواد فضاء إلى سطح القمر لconducting تجارب علمية. ستسهم هذه المهمة في تطوير فهمنا للفضاء وتحسين التكنولوجيا المستخدمة في استكشاف الفضاء.