
GitHub Internal Repositories Breached Via Weaponized VS Code Extension

GitHub confirmed a significant security breach on May 18, 2026, after attackers leveraged a weaponized Visual Studio Code extension to compromise an employee’s device and exfiltrate data from the company’s internal source code repositories.

The attack was detected and contained on Monday, May 18, when GitHub’s security team identified suspicious activity on an employee endpoint.

The intrusion vector was traced to a poisoned VS Code extension, specifically a malicious version of the Nx Console extension published by a third party, which had been installed on the compromised device.

GitHub swiftly removed the malicious extension version from the marketplace, isolated the affected endpoint, and initiated full incident response procedures.

The threat actor behind the attack has claimed responsibility for exfiltrating approximately 3,800 internal repositories.

GitHub confirmed that this figure is “directionally consistent” with its ongoing investigation, making it one of the more significant supply chain-style attacks targeting a major DevOps platform in recent memory.

https://twitter.com/github/status/2056949169701720157?ref_src=twsrc%5Etfw

GitHub’s current assessment indicates that the breach was limited to GitHub-internal repositories only.

Critically, the company stated it has found no evidence of impact to customer-facing infrastructure, including customer enterprises, organizations, or personal repositories hosted on the platform.

However, GitHub acknowledged that some internal repositories do contain customer-derived information, such as excerpts from support ticket interactions, raising the possibility of limited secondary exposure.

The company has pledged to notify affected customers directly through established incident response and disclosure channels if any impact to customer data is confirmed.

In a rapid containment effort, GitHub’s security team began rotating critical secrets as early as Monday and continued through Tuesday, prioritizing credentials with the highest potential blast radius. The company continues to:

  • Analyze logs for signs of lateral movement or follow-on activity
  • Validate that all rotated secrets have been fully invalidated
  • Monitor platform infrastructure for any persistence mechanisms or secondary access attempts

The attack highlights the growing danger of VS Code extension supply chain attacks. The Nx Console extension, widely used in Angular and monorepo development workflows, was subverted at the distribution level, meaning developers with the compromised version installed were unknowingly exposed.

GitHub stated it will publish a comprehensive post-incident report once the investigation concludes. The company’s transparency around the breach, including directional acknowledgment of the attacker’s repository count claims, reflects a measured but proactive disclosure posture.

Organizations relying on GitHub for internal development workflows are advised to audit installed VS Code extensions, review extension update policies, and monitor for any unusual API or repository access activity as the investigation continues.
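One way to carry out the extension audit recommended above, as an added example that is not GitHub's or this article's own tooling. It assumes VS Code's default per-user layout (`~/.vscode/extensions/<publisher>.<name>-<version>/package.json`); the extension ids, versions and the blocked entry are constructed placeholders, not indicators from this incident.

```python
import json
import tempfile
from pathlib import Path

# Assumption: default per-user location; pass another path for VS Code forks or remote hosts.
DEFAULT_EXT_DIR = Path.home() / ".vscode" / "extensions"

def inventory(ext_dir):
    """Return {extension_id: [versions]} read from each extension's package.json."""
    found = {}
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            ext_id = f"{meta['publisher']}.{meta['name']}".lower()
            version = str(meta["version"])
        except (OSError, ValueError, KeyError, TypeError):
            # A manifest that cannot be read is itself worth a look: report it, do not skip it.
            ext_id, version = f"unparseable:{manifest.parent.name}", "?"
        found.setdefault(ext_id, []).append(version)
    return found

def audit(found, approved, blocked):
    """Compare an inventory against approved version pins and known-bad versions."""
    findings = []
    for ext_id, versions in sorted(found.items()):
        for version in versions:
            if version in blocked.get(ext_id, ()):
                findings.append(("BLOCKED", ext_id, version))
            elif ext_id not in approved:
                findings.append(("UNAPPROVED", ext_id, version))
            elif version != approved[ext_id]:
                findings.append(("VERSION_DRIFT", ext_id, version))
    return findings

def demo():
    """Constructed sample: three fake extensions written to a temporary directory."""
    approved = {"example-corp.build-console": "1.4.0", "example-corp.linter": "2.0.1"}
    blocked = {"example-corp.build-console": {"1.4.1"}}  # placeholder, not a real IoC
    sample = [("example-corp", "build-console", "1.4.1"),
              ("example-corp", "linter", "2.1.0"),
              ("unknown-dev", "theme-pack", "0.3.0")]
    with tempfile.TemporaryDirectory() as tmp:
        for pub, name, ver in sample:
            ext = Path(tmp) / f"{pub}.{name}-{ver}"
            ext.mkdir()
            manifest = {"publisher": pub, "name": name, "version": ver}
            (ext / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit(inventory(tmp), approved, blocked)
```

On a real workstation, call `audit(inventory(DEFAULT_EXT_DIR), approved, blocked)` with the organization's own approved pins and the version identifiers published by the vendor; `VERSION_DRIFT` findings show where automatic updates have moved an extension past its reviewed version.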


The post GitHub Internal Repositories Breached Via Weaponized VS Code Extension appeared first on Cyber Security News.
