
1Password
Popular enterprise and consumer password manager; developer vaults were harvested by the malicious Nx Console extension.
Last refreshed: 29 May 2026 · Appears in 1 active topic
How were 1Password vaults stolen in the Nx Console supply-chain attack?
Timeline for 1Password
GitHub's own code cloned via add-on
Cybersecurity: Threats and DefencesWas 1Password hacked in the GitHub Nx Console breach?
How does 1Password protect secrets from malware?
Background
1Password vaults were among the developer credentials harvested during the May 2026 Nx Console supply-chain attack. A trojanised build of the Nx Console Visual Studio Code extension (v18.95.0) remained live on the Visual Studio Marketplace for 18 minutes on 18 May 2026; when a GitHub employee installed it, the malicious payload exfiltrated 1Password vault contents alongside GitHub tokens, npm tokens and AWS credentials. The incident raised questions about the security model of browser-integrated password managers when the host machine is compromised.
1Password is made by AgileBits, founded in 2005 in Toronto, Canada. The product stores passwords, SSH keys, API tokens, and secret notes in end-to-end encrypted vaults, with the master password never leaving the user's device in the standard configuration. AgileBits raised $620 million in a Series c round in 2022 at a $6.8 billion valuation, led by ICONIQ Growth, making it one of the largest private rounds for a pure-play security company. The product has an active developer audience via its 1Password Secrets Automation and 1Password CLI tools, which integrate with CI/CD pipelines.
1Password's presence in developer supply-chain compromises reflects both the product's ubiquity in technical teams and an attacker calculus that treats developer machine credentials as a high-value pivot point. The company has published developer security guidance in response to supply-chain incidents, and the 2026 GitHub breach prompted renewed debate about hardware-key-backed vault access as a mitigation.