
Visual Studio Marketplace
Microsoft's official extension registry for Visual Studio Code, distributing over 50,000 extensions to developers globally.
Last refreshed: 29 May 2026 · Appears in 1 active topic
Why was a malicious VS Code extension live for only 18 minutes yet cause a major breach?
Timeline for Visual Studio Marketplace
Hosted trojanised Nx Console v18.95.0 for 18 minutes before removal
Cybersecurity: Threats and Defences: GitHub's own code cloned via add-on
- How did the Visual Studio Marketplace allow a malicious extension to reach GitHub?
- The Marketplace lacked mandatory cryptographic code-signing for extensions, allowing a trojanised Nx Console build (v18.95.0) to be published and downloaded within 18 minutes on 18 May 2026 before removal. Source: GitHub incident disclosure / CISA AA26-148A
- Does Microsoft sign VS Code extensions on the Marketplace?
- As of the May 2026 GitHub breach, VS Code extensions on the Marketplace were not required to carry mandatory cryptographic code-signing anchored to verified publisher identity, creating the supply-chain gap exploited in the attack. Source: CISA / Microsoft security advisory
Background
The Visual Studio Marketplace became the vector for the May 2026 GitHub supply-chain breach when a trojanised build of the Nx Console extension (v18.95.0) was live on the platform for 18 minutes on 18 May 2026. During that window a GitHub employee installed the malicious version; it harvested developer secrets including 1Password vaults, GitHub tokens, AWS credentials and Claude Code configuration, and used them to clone approximately 3,800 GitHub internal private repositories. The incident exposed a publisher-verification gap in the Marketplace's extension-signing and integrity-check pipeline.
The Visual Studio Marketplace is Microsoft's official distribution channel for extensions to Visual Studio Code, Visual Studio, and Azure DevOps. Launched in 2015 alongside VS Code, it hosts more than 50,000 extensions and serves hundreds of millions of downloads. Publishers upload extension packages; Microsoft runs automated scans but historically has not required cryptographic signing of every release or enforced two-person release approval. The VSIX package format used by VS Code extensions does not carry a mandatory code-signing chain anchored to the publisher's verified identity.
The 18-minute live window — brief enough to evade automated takedown but long enough for one high-value target to install — is consistent with supply-chain attack patterns seen in npm and PyPI poisoning campaigns. The incident accelerated internal Microsoft discussions about mandatory publisher signing and real-time integrity verification for VS Code extensions, and CISA added CVE-2026-48027 (Nx Console) to its Known Exploited Vulnerabilities (KEV) catalog on 27 May 2026.