
Cyber Incident Victim: GitHub

Date: May 2026

Location: United States of America

Summary

GitHub reported that an employee device was compromised through a poisoned Visual Studio Code extension, leading to the exfiltration of internal repositories. The malicious version of the Nx Console extension was pushed after a maintainer’s credentials were leaked. Initial telemetry showed about two dozen installs, but later analysis suggested the reach could exceed six thousand. Critical secrets were rotated, the affected endpoint was isolated, and the company said it found no evidence that customer data outside the affected repositories was accessed while the investigation continues.


Description

GitHub disclosed on May 26, 2026 that an employee device was compromised through a poisoned Visual Studio Code extension, leading to the exfiltration of data from internal repositories. The company said it detected the compromise, removed the malicious extension version, isolated the affected endpoint, and launched an incident response investigation. GitHub’s current assessment is that the activity was limited to its internal repositories and did not affect customer data stored elsewhere. The firm also noted that a claim from the hacking group TeamPCP that 3,800 repositories were impacted was directionally consistent with its ongoing investigation.


Investigators linked the incident to a prior compromise of a maintainer of the Nx Console Visual Studio Code tool, whose leaked GitHub credentials were used to push a malicious version of the extension to the VS Code Marketplace. The compromised credentials have since been temporarily revoked. Nx Console, which has millions of installs and is widely used in professional JavaScript development, reported that Microsoft initially indicated 28 installs of the malicious version 18.95.0, but its own analytics suggest the number of users who received the package may be significantly higher, potentially exceeding 6,000 installs. Nx CEO Jeff Cross stated on X that understanding the full scope, assisting affected users, hardening systems and release processes, and maintaining transparency are his top priorities. He added that his team continues to work with Microsoft to determine the exact impact of the attack.

GitHub emphasized that it rotated critical secrets on Tuesday, prioritizing the highest‑impact credentials, and continued to analyze logs, validate the rotation, and monitor for any follow‑on activity. The company said it has found no evidence that customer data residing outside the affected repositories was compromised. The incident fits a broader pattern of supply chain attacks targeting developer ecosystems such as npm, PyPI, and Docker, where attackers focus on maintainers, packages, or credentials rather than end users. GitHub indicated it will publish a fuller report once the investigation is complete.
