Cybersecurity: Threats and Defences
14JUN

GitHub's own code cloned via add-on

11:51UTC

A poisoned Nx Console extension sat on the VS Code Marketplace for 18 minutes, long enough for UNC6780 to steal one GitHub developer's tokens and clone roughly 3,800 internal repositories.

Technology · Developing
Key takeaway

A marketplace add-on live for 18 minutes was enough to clone 3,800 of GitHub's internal repositories.

A trojanised build of the Nx Console extension for Microsoft's Visual Studio Code (version 18.95.0) went live on the Visual Studio Marketplace at 12:30 UTC on Monday 18 May 2026 and was pulled 18 minutes later [1]. Nx Console is a widely used add-on for managing Nx monorepo build toolchains. A GitHub employee installed it inside that window. On startup the extension ran a shell command that pulled a hidden payload from a planted commit on the official nrwl/Nx repository, then harvested secrets from the machine: 1Password vaults, Claude Code configuration, and npm, GitHub and AWS tokens [2].

With those tokens the attacker, self-identifying as TeamPCP and tracked by the Google Threat Intelligence Group as UNC6780, cloned around 3,800 of GitHub's own internal private repositories and listed the haul for sale at $50,000 and up [3]. GitHub confirmed the incident on 19 and 20 May and assessed that customer repositories, enterprise accounts and user data were not affected.

The trust boundary that failed is the editor's implicit permission to run code on install. Endpoint detection and response, the agent that watches laptops for malware, was never installed inside the code editor, and the network edge never watched it either. The trusted tool ran with the developer's own privileges, which is why one install swept up cloud tokens, a password manager vault and a code-assistant config at once. UNC6780 is the same cluster that cloned 300-plus Cisco repositories a fortnight earlier and part of the wider wave that hit SAP's npm packages, OpenVSX extensions and PyPI. The climb is deliberate: from a malicious package sitting in a registry, to a vendor's source, to the registry operator's own estate.

CISA added the underlying flaw, CVE-2026-48027 in Nx Console, to its Known Exploited Vulnerabilities catalogue on Wednesday 27 May, and issued Alert AA26-148A on Thursday 28 May [4]. Extension allow-listing, and the question of how long a malicious build can sit in a marketplace before takedown, are now first-order controls rather than housekeeping.
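The allow-listing control named above, sketched as an added example (not code from this article, CISA or GitHub): a Python audit that pins each installed extension to an exact `publisher.name@version` and a SHA-256 of its unpacked directory, so a release pushed under the same publisher identity fails the check until it has been reviewed. It assumes the `<publisher>.<name>-<version>/package.json` layout VS Code uses under `~/.vscode/extensions`; the extension names, the tree-hash scheme and the reason strings are constructed for illustration.

```python
import hashlib, json, tempfile
from pathlib import Path

def tree_sha256(root: Path) -> str:
    """Digest over every file's length-prefixed relative path and bytes, in sorted order."""
    h = hashlib.sha256()
    files = sorted((p.relative_to(root).as_posix(), p) for p in root.rglob("*") if p.is_file())
    for rel, path in files:
        data = path.read_bytes()
        h.update(len(rel.encode()).to_bytes(4, "big") + rel.encode())
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

def audit(ext_dir: Path, allow: dict) -> list:
    """Return (extension, reason) for each install the allow-list does not cover."""
    findings = []
    for d in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
        manifest = d / "package.json"
        if not manifest.is_file():
            findings.append((d.name, "no-manifest"))
            continue
        m = json.loads(manifest.read_text(encoding="utf-8"))
        key = f"{m.get('publisher')}.{m.get('name')}@{m.get('version')}".lower()
        if key not in allow:
            findings.append((key, "not-allow-listed"))  # e.g. an unreviewed new release
        elif allow[key] != tree_sha256(d):
            findings.append((key, "hash-mismatch"))     # contents changed after pinning
    return findings

def demo() -> list:
    """Constructed sample: three fake extensions in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        def make(name, ver, body):
            d = root / f"example-pub.{name}-{ver}"
            d.mkdir()
            meta = {"publisher": "example-pub", "name": name, "version": ver}
            (d / "package.json").write_text(json.dumps(meta))
            (d / "extension.js").write_text(body)
            return d
        pinned = make("build-console", "1.0.0", "activate()")
        edited = make("linter", "2.1.0", "activate()")
        make("build-console", "1.0.1", "activate()")  # same publisher, unreviewed version
        allow = {"example-pub.build-console@1.0.0": tree_sha256(pinned),
                 "example-pub.linter@2.1.0": tree_sha256(edited)}
        (edited / "extension.js").write_text("activate(); extra()")
        return audit(root, allow)

if __name__ == "__main__":
    print(demo())
```

Run against a real extensions directory, `audit()` would need an allow-list generated from reviewed copies of each extension; hashing the distributed VSIX instead of the unpacked tree is an equally valid choice.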

Deep Analysis

In plain English

Visual Studio Code is the text editor most software developers use to write code. It supports small add-on programmes called extensions, installed in one click from an official marketplace run by Microsoft. Extensions run inside the editor with the same permissions as the developer's own account. On 18 May 2026, attackers published a corrupted version of a popular extension called Nx Console. When a developer at GitHub installed it, the extension quietly read every password and access token stored on that machine, including the keys to GitHub's own private code repositories, and sent them to the attackers. The attackers then used those keys to copy about 3,800 of GitHub's internal private code repositories before anyone noticed. CISA, the US government's cyber agency, formally listed the flaw on 27 May and set a 4 June patch deadline. GitHub confirmed on 19 May that no customer repositories or user data were accessed. The attack worked because the extension marketplace does not require publishers to prove that a new version came from their own verified build pipeline.

Root Causes

The VS Code Marketplace lacks mandatory code-signing or SLSA provenance attestation for extension releases. A publisher token, which controls the right to push new versions, is the only gate between a threat actor and 50,000-plus extensions reaching millions of developer workstations. Token theft via a supply-chain CVE upstream (in this case the Trivy CVE-2026-33634 credential harvest in March 2026 attributed to UNC6780) is sufficient to bypass every downstream content control.

IDE extensions run at install time with the full privileges of the developer's shell session. On a developer workstation, that session typically holds tokens for cloud providers, code repositories, password managers, and AI coding assistants simultaneously.

CISA Alert AA26-148A noted that the stolen credential set covered AWS, GitHub, npm, 1Password, and Claude Code configuration, a cross-platform credential harvest that would otherwise require four separate phishing campaigns. The trust model of the IDE runtime does not distinguish between a legitimate extension initialising its build toolchain and a malicious extension reading the entire credential store.

Microsoft verifies publisher identity once at Marketplace registration but does not re-verify each release submission against a signing key anchored to the publisher's build pipeline. Any subsequent version push requires only the matching publisher token, nothing more. This gap predates VS Code and persists because requiring pipeline-anchored signing would break the workflow of the roughly 50,000 community extensions published by solo developers who do not have reproducible CI pipelines.

Escalation

UNC6780 has now moved from poisoning package contents (SAP npm, March 2026) to cloning a vendor's source (Cisco, 11 May) to breaching the internal estate of the marketplace operator itself. Each step increases the attacker's access to future supply-chain leverage. The CISA KEV addition and AA26-148A alert represent the US government treating this as a live infrastructure threat rather than a vendor incident.

What could happen next?
  • Risk

    UNC6780 now holds approximately 3,800 GitHub internal repositories whose contents may include further credential material, internal tooling, and infrastructure configuration that could enable follow-on attacks.

    Short term · Assessed
  • Precedent

    CISA Alert AA26-148A establishes the federal government's position that IDE extension allow-listing by hash is a required control for federal developer workstations, a standard that large private-sector contractors working on government programmes will be expected to adopt.

    Medium term · Assessed
  • Opportunity

    The incident accelerates commercial demand for SLSA-compliant build attestation and extension-signing tooling from vendors including StepSecurity, OX Security, and Chainguard, whose products address the publisher-verification gap the attack exploited.

    Short term · Assessed
First Reported In

Update #5 · GitHub's own code cloned via VS Code add-on

The Hacker News · 29 May 2026
Different Perspectives
Beijing-aligned attribution sceptics
CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.
Enterprise security buyers
Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.
Check Point
Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.
European Commission and ENISA
NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.
UK NCSC
The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.
US Federal CISO community
Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.