How did Nx Console compromise GitHub repos?
How a malicious VS Code extension enabled the access
GitHub’s investigation centers on what happened on an employee’s machine: a malicious VS Code extension (described in the reporting as an Nx Console extension) was installed and used to reach GitHub’s internal repositories. Once that extension executed, it gave the attackers a foothold into GitHub’s internal code hosting environment.
What the chain of events looked like
Based on the details provided, the attack followed a developer-workflow pattern:
- A developer installed a VS Code extension that was later found to be compromised.
- The extension allowed unauthorized access to GitHub systems.
- Attackers exfiltrated data from approximately 3,800 internal repositories.
Why this is hard to stop
The key issue is that the compromise happened in the software development environment, not at the perimeter. Once a malicious tool runs in the developer’s context, its requests carry that developer’s credentials and look legitimate, so even strong firewall and network controls may not block them.
Why it connects to npm supply-chain activity
GitHub additionally linked the breach to the TanStack npm supply-chain attack. That linkage matters because it signals a coordinated strategy: compromise common software supply routes (like npm packages and developer extensions) to scale intrusion across many targets.
What “access” means here
The reporting indicates GitHub treated the incident as unauthorized access leading to data theft. It did not provide further technical details about exactly what commands the extension ran or which internal APIs were targeted, but the outcome was clear: attackers reached internal repository data.
For developers, the lesson is operational: IDE extensions can be as sensitive as production dependencies. For security teams, it underscores the need to monitor extension installs, restrict what can be installed, and watch for unusual repository access patterns tied to developer endpoints.
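As an added illustration of the two controls named above, here is example code written for this page; it is not GitHub’s tooling and is not drawn from the reporting. The first function audits an installed-extension inventory in the `publisher.name@version` format that `code --list-extensions --show-versions` prints, against a hypothetical organisation allowlist. The second looks for one actor cloning an unusually large number of distinct repositories in a short window, which is the kind of developer-endpoint access pattern the paragraph suggests watching. The allowlist, the extension versions, the audit events and the `git.clone` action label are all constructed for the example.

```python
"""Example checks: IDE extension allowlist audit and a repository-clone burst
detector. All inputs below are constructed samples, not real data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of `code --list-extensions --show-versions`
# (one `publisher.name@version` per line). Versions are made up.
SAMPLE_EXTENSION_LIST = """\
ms-python.python@2024.2.1
esbenp.prettier-vscode@10.4.0
nrwl.angular-console@18.0.1
unknown-publisher.helper-tools@0.0.3
"""

# Hypothetical organisation allowlist: extension id -> set of reviewed versions.
# An empty set means any version of that extension is approved.
ALLOWLIST = {
    "ms-python.python": set(),
    "esbenp.prettier-vscode": {"10.4.0"},
    "nrwl.angular-console": {"18.0.0"},  # only 18.0.0 has been reviewed (constructed)
}


def parse_extension_list(text):
    """Parse `publisher.name@version` lines into (id, version) tuples.
    A line without '@' (output produced without --show-versions) gets version None."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ext_id, sep, version = line.rpartition("@")
        if not sep:
            ext_id, version = line, None
        entries.append((ext_id, version))
    return entries


def audit_extensions(text, allowlist=ALLOWLIST):
    """Return (id, version, reason) for every extension that is either not on the
    allowlist at all or installed at a version that has not been reviewed."""
    findings = []
    for ext_id, version in parse_extension_list(text):
        if ext_id not in allowlist:
            findings.append((ext_id, version, "not on allowlist"))
        elif allowlist[ext_id] and version not in allowlist[ext_id]:
            findings.append((ext_id, version, "unapproved version"))
    return findings


# Constructed audit events as (timestamp, actor, action, repo). Real audit logs
# carry many more fields; these four are all the detector needs.
SAMPLE_AUDIT_EVENTS = [
    ("2024-06-01T09:00:00", "dev-a", "git.clone", "org/repo-1"),
    ("2024-06-01T09:05:00", "dev-a", "git.clone", "org/repo-2"),
    ("2024-06-01T09:05:30", "dev-a", "git.push", "org/repo-2"),
] + [
    # dev-b clones 50 distinct repositories in under ten minutes
    ((datetime(2024, 6, 1, 9, 6, 0) + timedelta(seconds=10 * i)).isoformat(),
     "dev-b", "git.clone", f"org/repo-{i + 1}")
    for i in range(50)
]


def find_clone_bursts(events, window=timedelta(minutes=10), threshold=20):
    """Flag actors that clone at least `threshold` distinct repositories within
    any `window`-long span. Returns {actor: largest distinct-repo count seen}."""
    by_actor = defaultdict(list)
    for ts, actor, action, repo in events:
        if action == "git.clone":
            by_actor[actor].append((datetime.fromisoformat(ts), repo))

    flagged = {}
    for actor, items in by_actor.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {repo for _, repo in items[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_EXTENSION_LIST):
        print("extension finding:", finding)
    for actor, count in find_clone_bursts(SAMPLE_AUDIT_EVENTS).items():
        print(f"clone burst: {actor} touched {count} distinct repos")
```

On a real workstation the inventory text would come from running `code --list-extensions --show-versions` rather than the embedded sample, and the audit events from whatever log source the organisation keeps for repository access. The thresholds are deliberately parameters: a ten-minute window and twenty repositories suit a small organisation, while a monorepo-heavy shop would tune them against its own baseline.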