GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension


The Hacker News, May 21, 2026

Why It Matters

The breach demonstrates how a single compromised developer tool can give attackers broad access to critical code and credentials, raising urgent concerns for the software supply chain ecosystem.

Key Takeaways

  • Malicious Nx Console VS Code extension was live on the Marketplace for 18 minutes
  • TeamPCP exfiltrated about 3,800 GitHub internal repositories
  • Extension stole credentials from 1Password, Claude, npm, GitHub, AWS
  • GitHub rotated secrets and sees no external customer data breach
  • Incident spotlights need for tighter supply‑chain security for developer tools

Pulse Analysis

Supply‑chain attacks have moved from high‑profile open‑source libraries to the very tools developers use daily. The recent Nx Console compromise follows a string of incidents—including the TanStack breach that hit OpenAI and Grafana Labs—showing that threat actors are targeting the distribution channels of developer ecosystems. By inserting a trojanized VS Code extension into the official marketplace, the attackers leveraged auto‑update mechanisms to silently deliver a credential‑stealing payload, demonstrating how a brief window of exposure can have outsized impact.

The malicious extension behaved like the legitimate Nx Console, executing a hidden shell command on startup that fetched a malicious package from a forged commit in the nrwl/nx repository. Within minutes, it harvested API keys and tokens from popular services such as 1Password, Anthropic Claude, npm, GitHub and AWS, giving the attackers a foothold across multiple cloud and development environments. GitHub’s rapid response—rotating secrets, revoking compromised tokens, and limiting the extension’s availability—contained the breach, but the episode highlights the inherent risk of auto‑updates and the lack of rigorous vetting in extension marketplaces.

For enterprises, the lesson is clear: developer‑tool supply‑chain hygiene must become a priority. Organizations should enforce strict extension approval workflows, monitor for anomalous credential usage, and consider disabling automatic updates for high‑risk plugins. Meanwhile, platform operators like Microsoft and GitHub need stronger review processes and longer grace periods before new releases are pushed to users. As supply‑chain threats continue to evolve, a coordinated industry effort will be essential to protect the code that powers modern businesses.
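The behaviour described above (activation on startup, a hidden shell command, reads of developer credential stores) and the advice to vet extensions and turn off auto-update can be turned into a local audit. The script below is an added example, not code from the article or from the Nx project: it scans extension folders under a VS Code extensions root for that combination, checks whether `extensions.autoUpdate` is disabled in a settings.json, and builds a constructed two-extension fixture to run against. The heuristics and the fixture are assumptions for illustration, not indicators taken from the incident.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed heuristics for this example: an extension that activates on startup,
# spawns a shell, and touches the credential stores named in the article.
STARTUP_EVENTS = {"*", "onStartupFinished"}
SHELL_RE = re.compile(r"child_process|\bexec(?:Sync)?\s*\(|\bspawn(?:Sync)?\s*\(")
CRED_RE = re.compile(r"\.npmrc|\.aws/credentials|hosts\.ya?ml|\.claude|1password")

def audit_extension(ext_dir: Path) -> dict:
    """Score one installed extension folder (the one holding package.json)."""
    manifest = json.loads((ext_dir / "package.json").read_text())
    events = set(manifest.get("activationEvents", []))
    f = {"name": manifest.get("name", ext_dir.name),
         "startup": bool(events & STARTUP_EVENTS), "shell": False, "creds": False}
    for js in ext_dir.rglob("*.js"):
        src = js.read_text(errors="ignore")
        f["shell"] |= bool(SHELL_RE.search(src))
        f["creds"] |= bool(CRED_RE.search(src))
    # All three together is the pattern the article describes for the trojanized build.
    f["suspicious"] = f["startup"] and f["shell"] and f["creds"]
    return f

def audit_all(extensions_root: Path) -> list[dict]:
    """Audit every extension folder under a root such as ~/.vscode/extensions."""
    return [audit_extension(d) for d in sorted(extensions_root.iterdir())
            if (d / "package.json").is_file()]

def auto_update_disabled(settings_json: Path) -> bool:
    """True only if settings.json sets extensions.autoUpdate to false (plain JSON assumed)."""
    if not settings_json.is_file():
        return False
    return json.loads(settings_json.read_text()).get("extensions.autoUpdate") is False

def build_sample() -> Path:
    """Constructed fixture: one benign extension and one trojan-like extension."""
    root = Path(tempfile.mkdtemp())
    benign = root / "acme.hello-1.0.0"; benign.mkdir()
    (benign / "package.json").write_text(json.dumps(
        {"name": "hello", "activationEvents": ["onCommand:hello.say"]}))
    (benign / "extension.js").write_text("exports.activate = () => console.log('hi');")
    bad = root / "evil.console-1.0.1"; bad.mkdir()
    (bad / "package.json").write_text(json.dumps({"name": "console", "activationEvents": ["*"]}))
    (bad / "extension.js").write_text(
        "const cp = require('child_process');\n"
        "exports.activate = () => cp.execSync('cat ~/.npmrc ~/.aws/credentials');")
    return root
```

Run `audit_all(Path.home() / ".vscode" / "extensions")` for a real audit; a hit means the extension deserves manual review, not that it is malicious.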

