GitHub Confirms Breach of Thousands of Internal Repositories via Poisoned VS Code Extension

Microsoft-owned GitHub disclosed in May 2026 that attackers compromised an employee device through a malicious version of the Nx Console VS Code extension, gaining access to thousands of internal repositories.

The poisoned extension was a modified version of a legitimate developer tool. Attackers distributed it through channels used by developers, and at least one GitHub employee installed it on a work device. The short-lived malicious version gave attackers access before it was detected and removed.

Security researchers linked the incident to a broader supply chain attack targeting developer tools and open-source ecosystems. The Hacker News reported that similar attacks have targeted other popular VS Code extensions in recent months.

GitHub said it has notified affected teams and is reviewing what data may have been accessed. The company did not disclose whether customer data was involved.

The incident follows a separate breach disclosed earlier in 2026 in which attackers poisoned VS Code extensions to compromise GitHub repositories. Security experts say developer toolchains have become a primary target for sophisticated threat actors because a single compromised tool can give attackers access to many downstream systems.

The U.S. and Canadian authorities also arrested a Canadian man in May 2026 accused of operating the KimWolf DDoS botnet, which allegedly infected nearly two million devices worldwide, in a separate but related cybersecurity development.