GitHub Breached: Supply Chain Attack on Nx Console Compromises Internal Repos

LΣҒΔ𝕽ΩLL 🇮🇱 reports that GitHub recently experienced a significant breach: the company confirmed that an employee was compromised through a malicious version of the Nx Console extension for VS Code. The tainted version was published to the VS Code Marketplace following a supply chain attack targeting Nx. The incident highlights the acute risk that developer tooling poses to the software supply chain.

The attack window was remarkably brief, approximately 18 minutes. Even so, in that span the attackers deployed a stealer to developer machines, including machines in sensitive environments. GitHub confirmed the theft of around 3,800 internal repositories. LΣҒΔ𝕽ΩLL 🇮🇱 notes that while these were not customer repositories, they contained GitHub's internal code, and some may have included segments from customer support interactions.

This incident underscores how quickly a focused adversary can leverage a supply chain compromise to achieve deep access. Even a short window is more than enough for initial access and data exfiltration when targeting developers with privileged access to internal systems and codebases. The attacker’s calculus here was precise: hit the developer tools, and the rest follows.

What This Means For You

  • If your organization uses VS Code extensions, especially those with broad system access such as developer consoles, scrutinize your supply chain. Audit developer machines immediately for signs of compromise and ensure all extensions are sourced from trusted, verified channels. Consider strict code signing and integrity checks for all internal and third-party developer tools. Assume that any exposed internal code could aid future attacks, even if it is not direct customer data.
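The audit the bullet above calls for can start with an inventory check. The following Python script is an added example, not code from the article or from the Nx project: it reads each extension's package.json under a VS Code extensions directory and flags publishers not on an allowlist as well as known extensions installed at a version nobody approved, which is how a tainted marketplace release would look on a developer machine. The allowlist entries and version numbers are constructed placeholders.

```python
import json
from pathlib import Path

# Constructed allowlist for illustration (not from the article): extension id -> approved versions.
# In practice this would be generated from an internally reviewed, signed manifest.
ALLOWLIST = {
    "trusted-publisher.internal-tool": {"1.4.2"},
    "example-vendor.console-extension": {"2.0.0", "2.0.1"},
}


def extension_id(manifest: dict) -> str:
    """VS Code identifies an extension as '<publisher>.<name>'; compare case-insensitively."""
    return f"{manifest.get('publisher', '')}.{manifest.get('name', '')}".lower()


def audit_manifest(manifest: dict, allowlist: dict = ALLOWLIST) -> str:
    """Classify one extension's package.json contents against the allowlist.

    Returns 'ok', 'unknown-extension' (publisher/name not approved at all) or
    'unapproved-version' (approved extension, but a version that was never vetted).
    """
    ext = extension_id(manifest)
    if ext not in allowlist:
        return "unknown-extension"
    if manifest.get("version") not in allowlist[ext]:
        return "unapproved-version"
    return "ok"


def audit_extensions_dir(root, allowlist: dict = ALLOWLIST) -> dict:
    """Walk <root>/*/package.json (the layout of ~/.vscode/extensions) and map each
    extension id (or directory name, if its manifest is unreadable) to a finding."""
    findings = {}
    root = Path(root)
    if not root.is_dir():
        return findings
    for manifest_path in root.glob("*/package.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            # A manifest that cannot be parsed deserves a look, not a silent skip.
            findings[manifest_path.parent.name] = "unreadable-manifest"
            continue
        findings[extension_id(manifest)] = audit_manifest(manifest, allowlist)
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else Path.home() / ".vscode" / "extensions"
    for ext, finding in sorted(audit_extensions_dir(root).items()):
        print(f"{finding:<20} {ext}")
```

Run it against each developer machine's extensions directory and treat every non-"ok" finding as a ticket, not a warning.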

Source: Shimi's Cyber World
