On May 19, 2026, GitHub disclosed that a threat actor cloned roughly 3,800 of its internal repositories after compromising a developer employee's workstation through a trojanized VS Code extension.
The attack chain started earlier that week, when a TanStack npm package was compromised to steal credentials from a developer who maintains the Nx open-source project. Those credentials included the Nx developer's VS Code Marketplace publishing account. On May 18, the attackers published version 18.95.0 of Nx Console, a widely used VS Code extension. The trojanized version was live on the marketplace for 18 minutes, from 12:30 to 12:48 PM UTC, before it was removed.
The Hacker News reported that the extension ran a shell command on startup that fetched a hidden payload from a planted commit in the legitimate nrwl/nx GitHub repository. That payload targeted credential stores: 1Password vaults, GitHub tokens, npm tokens, AWS credentials, and Anthropic Claude Code configurations. At least one GitHub engineer installed the malicious version during the 18-minute window. TeamPCP used the harvested GitHub credentials to clone the internal repositories, then partnered with LAPSUS$ to offer the stolen code for sale at $95,000. The breach was assigned CVE-2026-48027. GitHub confirmed that customer repositories, enterprise accounts, and user data were not part of the exfiltration. OpenAI and Grafana were also reported to be affected through the same extension vector.
Two aspects of the technical reporting are worth examining.
What scanners would have missed
The entry point for this breach was a dependency in an open-source developer's publishing workflow. A static analysis scan of GitHub's own codebase would not have reached it.
This is the core limitation of single-scope security reviews. SAST covers code the customer owns and controls. It does not model the dependency graph of the developer tools those engineers run. Nx Console was not software GitHub built. It was software GitHub engineers used. The difference is invisible to a scanner that starts at the repository boundary.
Consider what a CVSS triage produces on the individual components in this chain:
- A compromised npm package in an upstream developer's workflow: medium severity at most. The blast radius looks limited until you understand it leads to a VS Marketplace publishing account.
- A VS Code extension that runs a shell command on startup: not a vulnerability finding. That is standard extension behavior.
- Credential stores accessible from extension processes: the VS Code extension model does not sandbox extensions from reading system credential managers. This is a documented design constraint of the VS Code architecture, not a CVE.
None of those components earns a critical finding in isolation. Together, they form a path from a single compromised npm package to an authenticated GitHub token and 3,800 internal repositories. A triage process that scores each finding independently will not surface that chain.
What Sekura would have shown
Sekura's recon phase maps the attack surface from the outside in. For an organization at GitHub's threat level, that surface includes the developer trust layer: which extensions are deployed across the engineering environment, which credential stores are reachable from extension processes, and whether extension updates are applied without integrity checks against prior published versions.
On this target, we would identify that VS Code extensions auto-update by default with no signature verification comparing the new release to the previous state. We would enumerate the publishing accounts associated with extensions installed across the engineering team. That enumeration is how the Nx Console publisher account enters the threat model.
The exploit-chain analysis phase would then trace the full path: initial compromise of an upstream npm package, lateral move through the extension publishing surface, credential harvest from the developer workstation, and authenticated repository access at scale. We would not report a standalone medium-severity CVE. We would report the chain, with a working access token as the proof artifact.
I think that framing is where proof-first analysis changes what gets acted on. A "compromised upstream npm dependency" advisory sits in a backlog. A finding that reads "attacker reaches 3,800 internal repositories via a valid GitHub token" does not.
The bigger pattern
This breach fits a category that grew considerably in 2025 and 2026: developer toolchain as initial access vector.
The structure is consistent. Attackers compromise a trusted publishing account or upstream package. They push a malicious update to a developer tool with a large, high-trust install base. The tool runs with the same process privileges as the developer. Credentials follow.
VS Code extensions are exposed here because the extension model does not enforce strong process isolation. Extensions run in the same context as the developer's authenticated session. The design property that makes extensions powerful is the same property that makes them a viable credential-harvesting surface.
Three similar incidents appeared within a short window in early 2026: GitHub's internal repositories, OpenAI's development tooling, and Grafana's plugin signing infrastructure. Developer tooling is now a primary target, not an edge case.
The perimeter has moved inward.
If you want to see how exploit-chain analysis maps your developer trust surface, book a POC.