29MAY

GitHub's own code cloned via add-on

4 min read

14:17UTC

A poisoned Nx Console extension sat on the VS Code Marketplace for 18 minutes, long enough for UNC6780 to steal one GitHub developer's tokens and clone roughly 3,800 internal repositories.

← Back to GitHub's own code cloned via VS Code add-on Jump to analysis ↓

TechnologyDeveloping

Key takeaway

A marketplace add-on live for 18 minutes was enough to clone 3,800 of GitHub's internal repositories.

A trojanised build of the Nx Console extension for Microsoft's Visual Studio Code (version 18.95.0) went live on the Visual Studio Marketplace at 12:30 UTC on Monday 18 May 2026 and was pulled 18 minutes later ¹. Nx Console is a widely used add-on for managing Nx monorepo build toolchains. A GitHub employee installed it inside that window. On startup the extension ran a shell command that pulled a hidden payload from a planted commit on the official nrwl/Nx repository, then harvested secrets from the machine: 1Password vaults, Claude Code configuration, and npm, GitHub and AWS tokens ².

With those tokens the attacker, self-identifying as TeamPCP and tracked by the Google Threat Intelligence Group as UNC6780, cloned around 3,800 of GitHub's own internal private repositories and listed the haul for sale at $50,000 and up ³. GitHub confirmed the incident on 19 and 20 May and assessed that customer repositories, enterprise accounts and user data were not affected.

The trust boundary that failed is the editor's implicit permission to run code on install. Endpoint detection and response, the agent that watches laptops for malware, was never installed inside the code editor, and the network edge never watched it either. The trusted tool ran with the developer's own privileges, which is why one install swept up cloud tokens, a password manager vault and a code-assistant config at once. UNC6780 is the same cluster that cloned 300-plus Cisco repositories a fortnight earlier and part of the wider wave that hit SAP's npm packages, OpenVSX extensions and PyPI . The climb is deliberate: from a malicious package sitting in a registry, to a vendor's source, to the registry operator's own estate.

CISA added the underlying flaw, CVE-2026-48027 in Nx Console, to its Known Exploited Vulnerabilities catalogue on Wednesday 27 May, and issued Alert AA26-148A on Thursday 28 May ⁴. Extension allow-listing, and the question of how long a malicious build can sit in a marketplace before takedown, are now first-order controls rather than housekeeping.

Deep Analysis

In plain English

Visual Studio Code is the text editor most software developers use to write code. It supports small add-on programmes called extensions, installed in one click from an official marketplace run by Microsoft. Extensions run inside the editor with the same permissions as the developer's own account. On 18 May 2026, attackers published a corrupted version of a popular extension called Nx Console. When a developer at GitHub installed it, the extension quietly read every password and access token stored on that machine, including the keys to GitHub's own private code repositories, and sent them to the attackers. The attackers then used those keys to copy about 3,800 of GitHub's internal private code repositories before anyone noticed. CISA, the US government's cyber agency, formally listed the flaw on 27 May and set a 4 June patch deadline. GitHub confirmed on 19 May that no customer repositories or user data were accessed. The attack worked because the extension marketplace does not require publishers to prove that a new version came from their own verified build pipeline.

Deep Analysis

Root Causes

The VS Code Marketplace lacks mandatory code-signing or SLSA provenance attestation for extension releases. A publisher token, which controls the right to push new versions, is the only gate between a threat actor and 50,000-plus extensions reaching millions of developer workstations. Token theft via a supply-chain CVE upstream (in this case the Trivy CVE-2026-33634 credential harvest in March 2026 attributed to UNC6780) is sufficient to bypass every downstream content control.

IDE extensions run at install time with the full privileges of the developer's shell session. On a developer workstation, that session typically holds tokens for cloud providers, code repositories, password managers, and AI coding assistants simultaneously.

CISA Alert AA26-148A noted that the stolen credential set covered AWS, GitHub, npm, 1Password, and Claude Code configuration, a cross-platform credential harvest that would otherwise require four separate phishing campaigns. The trust model of the IDE runtime does not distinguish between a legitimate extension initialising its build toolchain and a malicious extension reading the entire credential store.

Microsoft verifies publisher identity once at Marketplace registration but does not re-verify each release submission against a signing key anchored to the publisher's build pipeline. Any subsequent version push requires only the matching publisher token, nothing more. This gap predates VS Code and persists because requiring pipeline-anchored signing would break the workflow of the roughly 50,000 community extensions published by solo developers who do not have reproducible CI pipelines.

Escalation

UNC6780 has now moved from poisoning package contents (SAP npm, March 2026) to cloning a vendor's source (Cisco, 11 May) to breaching the internal estate of the marketplace operator itself. Each step increases the attacker's access to future supply-chain leverage. The CISA KEV addition and AA26-148A alert represent the US government treating this as a live infrastructure threat rather than a vendor incident.

What could happen next?

Risk
UNC6780 now holds approximately 3,800 GitHub internal repositories whose contents may include further credential material, internal tooling, and infrastructure configuration that could enable follow-on attacks.
Short term · Assessed
Precedent
CISA Alert AA26-148A establishes the federal government's position that IDE extension allow-listing by hash is a required control for federal developer workstations, a standard that large private-sector contractors working on government programmes will be expected to adopt.
Medium term · Assessed
Opportunity
The incident accelerates commercial demand for SLSA-compliant build attestation and extension-signing tooling from vendors including StepSecurity, OX Security, and Chainguard, whose products address the publisher-verification gap the attack exploited.
Short term · Assessed

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The April 2024 XZ Utils backdoor followed an almost identical structural path: a trusted open-source maintainer account was socially engineered over two years, malicious code was committed to a widely-depended-upon package, and the payload fetched a second stage at install time.

The key difference is that the XZ Utils compromise targeted a system-level compression library running as a privileged daemon, while Nx Console v18.95.0 targeted developer-workstation context, meaning the stolen artefacts were developer secrets rather than SSH keys.

Counter-parallel: The 2022 Codecov bash-uploader incident followed a different distribution path: attackers modified a hosted script rather than a versioned package, so the poisoned file was served to every CI pipeline that ran curl on the canonical URL. That incident exposed environment variables for roughly 29,000 customers before discovery.

Nx Console's 18-minute exposure window and single-developer installation produced a narrower victim count but higher per-victim yield, illustrating that dwell time and install count are not the primary blast-radius determinants when the target is a highly privileged developer at an infrastructure provider.

Consensus view: StepSecurity's 2024 research on VS Code Marketplace publisher verification found that any account holding a matching publisher token can push a new extension version without code-review gates, and that the marketplace's automated malware scan uses static signatures that miss obfuscated loaders.

Sophos's post-incident analysis of the Nx Console payload confirmed the malicious build fetched its second-stage script from the legitimate nrwl/Nx GitHub repository at install time, a technique that defeats both the marketplace scanner and most EDR tools because the outbound request looks like a normal developer-tooling initialisation.

Counter-view: OX Security's supply-chain research team argues that publisher-token theft, not a Marketplace design flaw, is the proximate cause: the same publisher-verification gap exists on npm and PyPI, and all three registries have declined to implement mandatory commit signing or SLSA provenance attestation on the grounds that build-pipeline diversity makes universal enforcement impractical. From this perspective, blaming the Marketplace model misframes where the actual control gap sits.

Key tension: Whether the structural fix for IDE extension trust sits at the registry layer (mandatory SLSA Level 3 attestation per extension release, as OX Security recommends) or at the enterprise deployment layer (allow-listing extensions by hash in VS Code's settings.json, as GTIG's AA26-148A advisory recommends for federal civilian agencies), since both addresses the same gap from opposite ends of the distribution chain.

First Reported In

Update #5 · GitHub's own code cloned via VS Code add-on

The Hacker News· 29 May 2026

Read original →

Causes and effects

Caused by

UNC6780 takes Cisco AI Defense source code

UNC6780 escalated from cloning 300+ Cisco repositories to breaching GitHub's own internal estate, climbing the supply chain from a vendor's source to the registry operator itself.

Occurred 11 May 2026

Read story →

Three supply-chain hits in thirteen days

The GitHub internal repository breach is the latest step in the same supply-chain wave that hit SAP npm packages, OpenVSX extensions and PyPI in the prior fortnight.

Occurred 29 Apr 2026

Read story →

This Event

GitHub's own code cloned via add-on

The actor has climbed from poisoning package contents to stealing source from a vendor to cloning the registry operator's own internal estate.

Different Perspectives

Google Threat Intelligence Group

GTIG's attribution of the GitHub breach extends UNC6780's documented arc from SAP npm through Cisco AI Defense to GitHub's own estate; its 36-hour LiteLLM exploitation set the speed benchmark CISA AA26-148A is designed to address. GTIG's published tracking gives defenders the actor profile needed to assess their own developer-toolchain exposure.

Enterprise security buyers / CISO community

For enterprise security leaders, two KEV AI-orchestration entries in three weeks (LiteLLM 8 May, Langflow 21 May) convert shadow AI tooling from a governance risk to a confirmed attack surface requiring immediate software asset inventory. The 65 per cent gap in enterprise AI tool inventories documented by Wiz Research is now a liability rather than a compliance footnote.

DSIT / UK Government

DSIT framed the £14.7 billion sector figure and the Cyber Resilience Pledge as a paired signal: commercial strength alongside supply-chain accountability, with £90 million targeting the NHS supplier exposure this briefing's threat events directly illustrate. The voluntary Pledge's enforceability gap, prior to the Cyber Security and Resilience Bill reaching Royal Assent, is the question its launch does not answer.

GitHub / Microsoft

GitHub confirmed that no customer repositories or user data were affected by the Nx Console breach, but acknowledged approximately 3,800 internal repositories were cloned and referred to CISA Alert AA26-148A's allow-listing guidance. The incident puts Microsoft in the position of operating a marketplace whose publisher-verification gap is now a documented attack vector in a federal advisory.

Tsinghua University Institute for International Strategic Studies

Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.

Cisco

Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.