
Sophos
UK-headquartered cybersecurity vendor providing endpoint, network, and email security products; published technical analysis of the Nx Console supply-chain attack.
Last refreshed: 29 May 2026 · Appears in 1 active topic
How did Sophos link the Nx Console attack to the GitHub repository breach?
Timeline for Sophos
GitHub's own code cloned via add-on
Cybersecurity: Threats and DefencesWhat did Sophos find about the GitHub Nx Console attack?
Who owns Sophos?
Where is Sophos headquartered?
Background
Sophos stepped into the spotlight in May 2026 when its threat-intelligence team published analysis of the trojanised Nx Console extension attack (CVE-2026-48027), in which an infected Visual Studio Code ADD-on harvested developer secrets including 1Password vaults and GitHub tokens from a GitHub employee's machine and exfiltrated approximately 3,800 private repositories. The incident highlighted both supply-chain risks in developer tooling ecosystems and the speed with which attackers can weaponise marketplace distribution channels.
Founded in 1985 in Abingdon, Oxfordshire, Sophos builds endpoint detection and response (EDR), network firewalls, managed detection and response (MDR), and cloud security products. The company serves roughly 600,000 organisations worldwide, including a large share of the mid-market. Private equity firm Thoma Bravo acquired Sophos in 2019 and took it private; a proposed acquisition by Broadcom was discussed but did not proceed. Sophos X-Ops is its combined threat-intelligence and research unit, regularly publishing adversary-tracking reports.
Sophos is headquartered in the UK, giving it dual standing in both the NCSC-aligned British cyber ecosystem and the broader transatlantic threat-intelligence community. Its MDR service means it holds telemetry from a large installed base, giving its research an empirical grounding that informs both government advisories and private-sector patching prioritisation.