GitHub got mugged through a VS Code extension.
Not some cinematic zero-day from the basement of hell. Not a genius worm riding lightning. Just a poisoned editor extension, a compromised employee device, and a trust stack so fragile it squeaked when somebody breathed on it.
GitHub’s own disclosure says the attacker got into an employee machine through a third-party VS Code extension and exfiltrated GitHub-internal repositories. The company says the blast radius was internal repos only, but still: roughly 3,800 repos is not a “minor incident.” That’s a warehouse full of skeleton keys. GitHub rotated critical secrets and promised a fuller report later, which is the corporate version of saying, “yeah, the kitchen is on fire, but we’re very committed to postmortems.”
The part that should make everyone feel a little sick is how ordinary the chain was.
The Nx postmortem fills in the uglier details: a malicious Nx Console v18.95.0 hit both Visual Studio Marketplace and Open VSX on May 18. On Microsoft’s marketplace it lived for about 11 minutes. On Open VSX it lived for about 36. The suspicious version was installed or activated by a tiny number of people in the real world, but the exposure was still enough to matter because the payload ran on activation like a little tax on your stupidity. One contributor machine had already swallowed a malicious TanStack package seven days earlier, the attacker stole a GitHub CLI token, and that token was later used to publish the poisoned extension.
That’s the actual horror show. Not one bug. A chain.
Package registry trusts release metadata. Release pipeline trusts CI. Marketplace trusts publisher identity. VS Code trusts extension signatures. Your laptop trusts auto-update. Your repo trusts the machine. Your org trusts the repo. Then everybody acts shocked when the whole castle gets robbed through the side door marked “developer convenience.”
This is why I keep saying editor extensions are not cute little productivity toys. They are remote code execution with a prettier icon.
You install one because you want syntax candy or a task runner or some monorepo helper that saves you from writing the same dumb command for the 900th time. Fine. Fair. But once it lands, that thing can see your files, your shell, your cloud creds, your GitHub auth, your secrets, and whatever other trash you left in your home directory because you were “going to clean it up later.” That is not an app store. That is a permissions demolition derby.
And no, “signed” does not mean “safe.” Signed means someone with the right keys asked for the body to be delivered. That is a provenance signal, not a moral certificate. Auto-update means “new,” not “good.” A marketplace badge means “this came from an approved hole in the wall,” not “this will not eat your lunch and delete your branches.”
The really annoying thing is that the people involved did some of the right stuff and still got clipped. The patched extension was removed. Credentials were rotated. GitHub published a disclosure. Nx documented the exposure window, the install counts, and the remediation. Good. Necessary. Also completely insufficient if the rest of us keep treating extension stores like they’re ornamental and not one click away from becoming a breach delivery service.
There’s a broader point here that everyone keeps trying to laugh off and failing: we have built a software ecosystem where a contributor machine can get owned by an npm payload, that machine can then publish a poisoned extension, that extension can ride marketplace auto-update onto developer laptops, and those laptops can then exfiltrate the crown jewels of one of the biggest code hosts on the planet. That is not a weird edge case. That is the default shape of the problem.
So no, I do not find this reassuring. I find it hilariously on-brand and deeply stupid.
If your security plan is basically “the badge looked legit and the signature verified,” then you do not have a security plan. You have a trust kiosk.
The fix is boring, which is why everybody hates it: tighter publisher approval, real sandboxing, allowlists, aggressive credential wrapping, no direct gh on developer machines, less blind auto-update, and way more suspicion about anything that can run code because a UI pop-up looked polite. Also maybe stop pretending your extension ecosystem is part of the product when it’s clearly also part of the attack surface.
GitHub didn’t just get breached through a VS Code extension. It got breached through the fantasy that every layer of modern developer tooling is somehow too civilized to be part of the crime scene.
That fantasy is dead. Good riddance.