11-minute VS Code malicious plugin takes down employee computers, GitHub admits 3,800 internal repositories stolen.

ME News. On May 20 (UTC+8), according to Beating monitoring, GitHub officially released a security investigation notice, confirming that an employee’s device was infected with a poisoned VS Code plugin, which led to unauthorized access to its internal code repositories. The attacker claimed to have packaged and stolen about 3,800 of GitHub’s internal repositories, and the official acknowledged that this claim is generally consistent with the direction of the current investigation results.

The malicious plugin in question was the well-known extension Nx Console (version 18.95.0), which was briefly listed on the Microsoft Visual Studio Code marketplace on May 18. The attacker obtained publishing permissions by stealing contributor tokens and pushed a malicious version containing a credential stealer to the app marketplace. Although the Nx team detected the anomaly and pulled this version within 11 minutes, there were still GitHub employees who downloaded it and were compromised during that period.

In the background, this malicious payload automatically reads the host’s Git credentials, VS Code extension storage, AWS keys, and sensitive data from 1Password. With this set of credentials, external attackers were able to bypass perimeter security controls and directly package and steal GitHub’s internal codebase. GitHub stated that it detected and contained this device intrusion on May 19. To reduce risk, the security team urgently rotated all critical keys during yesterday and overnight, and prioritized high-value credentials. The team is currently continuing to analyze logs and monitor subsequent activity, and the full report will be released after the investigation concludes.

(Source: BlockBeats)