Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
4JUL

GitHub's own code cloned via add-on

4 min read
11:00UTC

A poisoned Nx Console extension sat on the VS Code Marketplace for 18 minutes, long enough for UNC6780 to steal one GitHub developer's tokens and clone roughly 3,800 internal repositories.

TechnologyDeveloping
Key takeaway

A marketplace add-on live for 18 minutes was enough to clone 3,800 of GitHub's internal repositories.

A trojanised build of the Nx Console extension for Microsoft's Visual Studio Code (version 18.95.0) went live on the Visual Studio Marketplace at 12:30 UTC on Monday 18 May 2026 and was pulled 18 minutes later 1. Nx Console is a widely used add-on for managing Nx monorepo build toolchains. A GitHub employee installed it inside that window. On startup the extension ran a shell command that pulled a hidden payload from a planted commit on the official nrwl/Nx repository, then harvested secrets from the machine: 1Password vaults, Claude Code configuration, and npm, GitHub and AWS tokens 2.

With those tokens the attacker, self-identifying as TeamPCP and tracked by the Google Threat Intelligence Group as UNC6780, cloned around 3,800 of GitHub's own internal private repositories and listed the haul for sale at $50,000 and up 3. GitHub confirmed the incident on 19 and 20 May and assessed that customer repositories, enterprise accounts and user data were not affected.

The trust boundary that failed is the editor's implicit permission to run code on install. Endpoint detection and response, the agent that watches laptops for malware, was never installed inside the code editor, and the network edge never watched it either. The trusted tool ran with the developer's own privileges, which is why one install swept up cloud tokens, a password manager vault and a code-assistant config at once. UNC6780 is the same cluster that cloned 300-plus Cisco repositories a fortnight earlier and part of the wider wave that hit SAP's npm packages, OpenVSX extensions and PyPI . The climb is deliberate: from a malicious package sitting in a registry, to a vendor's source, to the registry operator's own estate.

CISA added the underlying flaw, CVE-2026-48027 in Nx Console, to its Known Exploited Vulnerabilities catalogue on Wednesday 27 May, and issued Alert AA26-148A on Thursday 28 May 4. Extension allow-listing, and the question of how long a malicious build can sit in a marketplace before takedown, are now first-order controls rather than housekeeping.

Deep Analysis

In plain English

Visual Studio Code is the text editor most software developers use to write code. It supports small add-on programmes called extensions, installed in one click from an official marketplace run by Microsoft. Extensions run inside the editor with the same permissions as the developer's own account. On 18 May 2026, attackers published a corrupted version of a popular extension called Nx Console. When a developer at GitHub installed it, the extension quietly read every password and access token stored on that machine, including the keys to GitHub's own private code repositories, and sent them to the attackers. The attackers then used those keys to copy about 3,800 of GitHub's internal private code repositories before anyone noticed. CISA, the US government's cyber agency, formally listed the flaw on 27 May and set a 4 June patch deadline. GitHub confirmed on 19 May that no customer repositories or user data were accessed. The attack worked because the extension marketplace does not require publishers to prove that a new version came from their own verified build pipeline.

Deep Analysis
Root Causes

The VS Code Marketplace lacks mandatory code-signing or SLSA provenance attestation for extension releases. A publisher token, which controls the right to push new versions, is the only gate between a threat actor and 50,000-plus extensions reaching millions of developer workstations. Token theft via a supply-chain CVE upstream (in this case the Trivy CVE-2026-33634 credential harvest in March 2026 attributed to UNC6780) is sufficient to bypass every downstream content control.

IDE extensions run at install time with the full privileges of the developer's shell session. On a developer workstation, that session typically holds tokens for cloud providers, code repositories, password managers, and AI coding assistants simultaneously.

CISA Alert AA26-148A noted that the stolen credential set covered AWS, GitHub, npm, 1Password, and Claude Code configuration, a cross-platform credential harvest that would otherwise require four separate phishing campaigns. The trust model of the IDE runtime does not distinguish between a legitimate extension initialising its build toolchain and a malicious extension reading the entire credential store.

Microsoft verifies publisher identity once at Marketplace registration but does not re-verify each release submission against a signing key anchored to the publisher's build pipeline. Any subsequent version push requires only the matching publisher token, nothing more. This gap predates VS Code and persists because requiring pipeline-anchored signing would break the workflow of the roughly 50,000 community extensions published by solo developers who do not have reproducible CI pipelines.

Escalation

UNC6780 has now moved from poisoning package contents (SAP npm, March 2026) to cloning a vendor's source (Cisco, 11 May) to breaching the internal estate of the marketplace operator itself. Each step increases the attacker's access to future supply-chain leverage. The CISA KEV addition and AA26-148A alert represent the US government treating this as a live infrastructure threat rather than a vendor incident.

What could happen next?
  • Risk

    UNC6780 now holds approximately 3,800 GitHub internal repositories whose contents may include further credential material, internal tooling, and infrastructure configuration that could enable follow-on attacks.

    Short term · Assessed
  • Precedent

    CISA Alert AA26-148A establishes the federal government's position that IDE extension allow-listing by hash is a required control for federal developer workstations, a standard that large private-sector contractors working on government programmes will be expected to adopt.

    Medium term · Assessed
  • Opportunity

    The incident accelerates commercial demand for SLSA-compliant build attestation and extension-signing tooling from vendors including StepSecurity, OX Security, and Chainguard, whose products address the publisher-verification gap the attack exploited.

    Short term · Assessed
First Reported In

Update #5 · GitHub's own code cloned via VS Code add-on

The Hacker News· 29 May 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.