{"id":251857,"date":"2026-05-21T17:39:00","date_gmt":"2026-05-21T21:39:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/21\/github-internal-repositories-breached-via-compromised-nx-console-vs-code-extension-2026-supply-chain-cybersecurity-incident-analysis-rescana\/"},"modified":"2026-05-21T17:45:13","modified_gmt":"2026-05-21T21:45:13","slug":"github-internal-repositories-breached-via-compromised-nx-console-vs-code-extension-2026-supply-chain-cybersecurity-incident-analysis-rescana","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/21\/github-internal-repositories-breached-via-compromised-nx-console-vs-code-extension-2026-supply-chain-cybersecurity-incident-analysis-rescana\/","title":{"rendered":"GitHub Internal Repositories Breached via Compromised Nx Console VS Code Extension: 2026 Supply Chain Cybersecurity Incident Analysis \u2013 Rescana"},"content":{"rendered":"<p><a href=\"https:\/\/www.rescana.com\/post\/github-internal-repositories-breached-via-compromised-nx-console-vs-code-extension-2026-supply-chain-cybersecurity-incid\">GitHub Internal Repositories Breached via Compromised Nx Console VS Code Extension: 2026 Supply Chain Cybersecurity Incident Analysis \u2013 Rescana<\/a><\/p>\n<p><a href=\"https:\/\/www.rescana.com\/post\/github-internal-repositories-breached-via-compromised-nx-console-vs-code-extension-2026-supply-chain-cybersecurity-incid\">https:\/\/www.rescana.com\/post\/github-internal-repositories-breached-via-compromised-nx-console-vs-code-extension-2026-supply-chain-cybersecurity-incid<\/a><\/p>\n<p>Publish Date: 2026-05-21 17:39:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/www.rescana.com\">www.rescana.com<\/a><\/p>\n<h2><strong>Executive Summary<\/strong><\/h2>\n<p>On May 18, 2026, a compromised version of the <strong>Nx Console<\/strong>\u00a0Visual Studio Code extension was published to the official marketplace, resulting in a significant supply chain 
attack that impacted the software development ecosystem. The malicious extension, live for approximately 11\u201318 minutes, was installed by thousands of users and enabled attackers to exfiltrate credentials and internal source code repositories from affected organizations, including approximately 3,800 internal repositories from <strong>GitHub<\/strong>. The attack leveraged a stolen contributor\u2019s <strong>GitHub<\/strong>\u00a0token to push a malicious orphan commit and publish the compromised extension. The payload harvested a wide range of secrets, including cloud, CI\/CD, and AI coding assistant credentials, and established persistent access on macOS systems. The threat group <strong>TeamPCP<\/strong>\u00a0claimed responsibility for the breach. All major claims in this report are corroborated by at least three independent sources, with explicit URLs and dates provided.<\/p>\n<h2><strong>Technical Information<\/strong><\/h2>\n<p>The attack began with the theft of a contributor\u2019s <strong>GitHub<\/strong>\u00a0token, which was used to push an orphan commit containing an obfuscated JavaScript payload to the official <strong>nrwl\/nx<\/strong>\u00a0repository. This payload was then fetched and executed by the malicious <strong>Nx Console<\/strong>\u00a0extension (version 18.95.0) once installed from the Visual Studio Code Marketplace. The extension was available for 11\u201318 minutes and had over 2.2 million installs, with estimates of over 6,000 affected installs during the compromise window. The payload harvested credentials and secrets from a wide range of sources, including <strong>GitHub<\/strong>, <strong>npm<\/strong>, <strong>AWS<\/strong>, <strong>HashiCorp Vault<\/strong>, <strong>Kubernetes<\/strong>, <strong>1Password<\/strong>, and configuration files for AI coding assistants such as <strong>Claude Code<\/strong>. 
Exfiltration was performed via HTTPS, the <strong>GitHub<\/strong>\u00a0API, and DNS tunneling.<\/p>\n<p>Persistence was achieved on macOS systems by installing a Python backdoor and leveraging the <strong>GitHub<\/strong>\u00a0Search API as a dead-drop for further commands. Filesystem indicators&#8230;<\/p>\n<p><a href=\"https:\/\/www.rescana.com\/post\/github-internal-repositories-breached-via-compromised-nx-console-vs-code-extension-2026-supply-chain-cybersecurity-incid\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>GitHub Internal Repositories Breached via Compromised Nx Console VS Code Extension: 2026 Supply Chain Cybersecurity&#8230;<\/p>\n","protected":false},"author":1,"featured_media":251859,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.rescana.com\/post\/github-internal-repositories-breached-via-compromised-nx-console-vs-code-extension-2026-supply-chain-cybersecurity-incid\/cover.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[20,30],"class_list":["post-251857","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-artificial-intelligence","tag-breach"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/251857"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=251857"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/251857\/revisions"}],"predecessor-version":[{"id":251860,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/
251857\/revisions\/251860"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/251859"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=251857"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=251857"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=251857"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}