
1Password
Popular enterprise and consumer password manager; developer vaults were harvested by the malicious Nx Console extension.
Last refreshed: 29 May 2026
How were 1Password vaults stolen in the Nx Console supply-chain attack?
Timeline for 1Password
GitHub's own code cloned via add-on
Cybersecurity: Threats and Defences
- Was 1Password hacked in the GitHub Nx Console breach?
- 1Password itself was not breached. The vault contents of a GitHub employee were stolen when a trojanised VS Code extension ran on their machine and exfiltrated locally accessible credentials including 1Password vault data. Source: GitHub incident disclosure
- How does 1Password protect secrets from malware?
- 1Password encrypts vaults end-to-end and the master password never leaves the device. However, if malware runs with the user's privileges on a logged-in machine, it can access unlocked vault contents in memory or via the browser extension. Source: AgileBits security documentation
- Who makes 1Password and where is it based?
- 1Password is made by AgileBits, founded in Toronto, Canada in 2005. It raised $620 million in a 2022 Series C at a $6.8 billion valuation. Source: AgileBits corporate
- Can 1Password be used in developer CI/CD pipelines?
- Yes. AgileBits offers 1Password Secrets Automation and a CLI that integrate with CI/CD pipelines, allowing teams to inject secrets at build time without hardcoding credentials. Source: AgileBits developer documentation
Background
1Password vaults were among the developer credentials harvested during the May 2026 Nx Console supply-chain attack. A trojanised build of the Nx Console Visual Studio Code extension (v18.95.0) remained live on the Visual Studio Marketplace for 18 minutes on 18 May 2026; when a GitHub employee installed it, the malicious payload exfiltrated 1Password vault contents alongside GitHub tokens, npm tokens and AWS credentials. The incident raised questions about the security model of browser-integrated password managers when the host machine is compromised.
1Password is made by AgileBits, founded in 2005 in Toronto, Canada. The product stores passwords, SSH keys, API tokens, and secret notes in end-to-end encrypted vaults, with the master password never leaving the user's device in the standard configuration. AgileBits raised $620 million in a Series C round in 2022 at a $6.8 billion valuation, led by ICONIQ Growth, making it one of the largest private rounds for a pure-play security company. The product has an active developer audience via its 1Password Secrets Automation and 1Password CLI tools, which integrate with CI/CD pipelines.
1Password's presence in developer supply-chain compromises reflects both the product's ubiquity in technical teams and an attacker calculus that treats developer machine credentials as a high-value pivot point. The company has published developer security guidance in response to supply-chain incidents, and the 2026 GitHub breach prompted renewed debate about hardware-key-backed vault access as a mitigation.