11-minute malicious VS Code plugin takes down employee computers, GitHub admits 3,800 internal repositories stolen.

ME News - According to Beating monitoring on May 20 (UTC+8), GitHub officially released a security investigation notice, confirming that an employee's device was infected with a poisoned VS Code extension, leading to unauthorized access to its internal code repositories.

The attacker claimed to have packaged and stolen approximately 3,800 internal GitHub repositories. GitHub acknowledged that this claim is consistent with the current investigation findings.

The malicious extension in question was Nx Console (version 18.95.0), a well-known extension briefly listed on the Microsoft Visual Studio Code marketplace on May 18.

The attacker obtained publishing permissions by stealing a contributor's token and pushed a malicious version containing a credential stealer to the marketplace.

Although the Nx team detected the anomaly and removed this version within 11 minutes, a GitHub employee still downloaded it during that period and fell victim.

This malicious payload automatically reads the host's Git credentials, VS Code extension storage, AWS keys, and sensitive 1Password data in the background.

These credentials allowed external attackers to bypass perimeter security barriers and directly package and steal GitHub's internal code base.

GitHub stated that it detected and contained this device intrusion on May 19.

To mitigate risk, the security team urgently rotated all critical keys yesterday and overnight, prioritizing high-value credentials.

The team is currently continuously analyzing logs and monitoring subsequent activity, with a full report to be released after the investigation concludes.

(Source: BlockBeats)