
Sophos
UK-headquartered cybersecurity vendor providing endpoint, network, and email security products; published technical analysis of the Nx Console supply-chain attack.
Last refreshed: 29 May 2026
- What did Sophos find about the GitHub Nx Console attack?
- Sophos X-Ops published analysis showing the trojanised Nx Console extension (v18.95.0) harvested developer secrets and cloned approximately 3,800 GitHub internal repositories in May 2026. Source: Sophos X-Ops
- Who owns Sophos?
- Sophos has been owned by private equity firm Thoma Bravo since 2019, when it was taken private from the London Stock Exchange. Source: Sophos corporate
- Where is Sophos headquartered?
- Sophos is headquartered in Abingdon, Oxfordshire, UK, and was founded there in 1985. Source: Sophos corporate
- What products does Sophos make?
- Sophos produces endpoint detection and response (EDR), network firewalls, managed detection and response (MDR), and cloud security tools, serving roughly 600,000 organisations worldwide. Source: Sophos corporate
Background
Sophos stepped into the spotlight in May 2026 when its threat-intelligence team published analysis of the trojanised Nx Console extension attack (CVE-2026-48027), in which an infected Visual Studio Code add-on harvested developer secrets, including 1Password vaults and GitHub tokens, from a GitHub employee's machine and exfiltrated approximately 3,800 private repositories. The incident highlighted both supply-chain risks in developer tooling ecosystems and the speed with which attackers can weaponise marketplace distribution channels.
Founded in 1985 in Abingdon, Oxfordshire, Sophos builds endpoint detection and response (EDR), network firewalls, managed detection and response (MDR), and cloud security products. The company serves roughly 600,000 organisations worldwide, including a large share of the mid-market. Private equity firm Thoma Bravo acquired Sophos in 2019 and took it private; a proposed acquisition by Broadcom was discussed but did not proceed. Sophos X-Ops is its combined threat-intelligence and research unit, regularly publishing adversary-tracking reports.
Sophos is headquartered in the UK, giving it standing in both the NCSC-aligned British cyber ecosystem and the broader transatlantic threat-intelligence community. Its MDR service means it holds telemetry from a large installed base, giving its research an empirical grounding that informs both government advisories and private-sector patching prioritisation.