Introduction
On Wednesday, GitHub confirmed a significant security breach targeting its internal repositories. The root cause was not a misconfigured server or a zero-day in GitHub infrastructure, but a compromised endpoint running a poisoned version of the nrwl.angular-console extension for Microsoft Visual Studio Code (VS Code).
This incident highlights a critical shift in the threat landscape: the developer environment is now the primary attack surface. Supply-chain attacks targeting trusted IDE extensions allow adversaries to bypass traditional network perimeter controls and gain direct access to source code and intellectual property. For defenders, this means the integrity of development tools is just as critical as the servers they deploy to.
Technical Analysis
- Affected Products: Microsoft Visual Studio Code (all platforms), specifically installations utilizing the `nrwl.angular-console` (Nx Console) extension.
- Threat Vector: Supply Chain Compromise / Poisoned Extension. An attacker breached a developer system at the Nx team, allowing them to inject malicious code into the extension package before it was published to the marketplace.
- Attack Chain:
  - Initial Access: An Nx developer's system was compromised.
  - Compromise: The attacker modified the source code of the `nrwl.angular-console` extension to include a backdoor or credential harvester.
  - Distribution: The malicious extension was published and distributed via the official VS Code Marketplace.
  - Execution: GitHub employees (and potentially other victims) installed the update. Upon loading the extension, the malicious code executed within the context of the VS Code process.
  - Objective: The malware targeted internal GitHub repositories, likely by exfiltrating authentication tokens (OAuth, PATs) or SSH keys found in the developer's local environment.
- Exploitation Status: Confirmed Active Exploitation. This is not theoretical; it has resulted in the breach of a major technology company's internal assets.
Detection & Response
Detecting malicious IDE extensions requires monitoring for anomalous process behaviors originating from trusted development tools. The following rules focus on detecting VS Code (or its extension host) spawning unauthorized shells or network utilities—common TTPs for extension-based malware.
```yaml
---
title: Potential Malicious VS Code Extension Spawning Shell
id: 8a4b1c92-5d6e-4f3a-9b1c-2d3e4f5a6b7c
status: experimental
description: Detects Visual Studio Code or its Extension Host spawning a command shell, which is unusual behavior for an extension and may indicate code execution.
references:
  - https://thehackernews.com/2026/05/github-internal-repositories-breached.html
author: Security Arsenal
date: 2026/05/06
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|contains:
      - '\Code.exe'
      - '\extension-host.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  filter_legit_terminal:
    # Filter VS Code Integrated Terminal usage where parent is the main Code.exe and user is interactive
    # Note: In a strict environment, extension shell usage is rare. Adjust based on usage.
    CommandLine|contains: 'Microsoft VS Code'
  condition: selection and not filter_legit_terminal
falsepositives:
  - Developers using the Integrated Terminal (Standard behavior, may be noisy)
  - Legitimate debugging workflows requiring shell access
level: medium
---
title: VS Code Extension Accessing Git Credentials
id: 9c5d2e83-6e7f-4a1b-0c2d-3e4f5a6b7c8d
status: experimental
description: Detects VS Code processes reading sensitive Git credential files or SSH keys, potentially indicating credential theft by a malicious extension.
references:
  - https://thehackernews.com/2026/05/github-internal-repositories-breached.html
author: Security Arsenal
date: 2026/05/06
tags:
  - attack.credential_access
  - attack.t1552.001
logsource:
  category: file_access
  product: windows
detection:
  selection:
    Image|contains:
      - '\Code.exe'
      - '\node.exe' # Extensions often run in node
    TargetFilename|contains:
      - '\.git\config'
      - '\.ssh\id_rsa'
      - '\.ssh\id_ed25519'
      - '_netrc'
  condition: selection
falsepositives:
  - Standard Git operations performed by the developer (requires context)
level: high
```
**KQL (Microsoft Sentinel / Defender)**
```kql
// Hunt for suspicious processes spawned by VS Code or Extension Host
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("Code.exe", "extension-host.exe", "node.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "curl.exe", "wget.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, SHA256
| order by Timestamp desc
```
**Velociraptor VQL**
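```vql
-- Hunt for the presence of the specific malicious extension ID or suspicious modifications
-- glob() returns file metadata only, so each manifest is read and parsed explicitly
LET Manifests = SELECT
    FullPath,
    Mtime,
    Size,
    parse_json(data=read_file(filename=FullPath)) AS Manifest
  FROM glob(globs='/*/.vscode/extensions/*/package.json')

SELECT
  FullPath,
  Mtime,
  Size,
  Manifest.name AS Name,
  Manifest.publisher AS Publisher,
  Manifest.version AS Version
FROM Manifests
WHERE Name =~ "nx-console" OR Publisher =~ "nrwl"
-- Further investigation: Check for unexpected JS files in the extension directory
```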
**Remediation Script (PowerShell)**
```powershell
# Remediation Script for Nx Console Malicious Extension
# Run with elevated permissions
Write-Host "[+] Starting Audit and Remediation of Nx Console Extension..." -ForegroundColor Cyan

# Define malicious extension identifier (Based on nrwl.angular-console)
$MaliciousPublisher = "nrwl"
$ExtensionName = "nx-console"

# Get all user profiles on the system
$UserProfiles = Get-CimInstance -ClassName Win32_UserProfile | Select-Object -ExpandProperty LocalPath

foreach ($ProfilePath in $UserProfiles) {
    $ExtPath = Join-Path -Path $ProfilePath -ChildPath ".vscode\extensions"
    if (Test-Path $ExtPath) {
        Write-Host "[*] Scanning path: $ExtPath" -ForegroundColor Yellow

        # Find extensions matching the malicious publisher/name
        $TargetExtensions = Get-ChildItem -Path $ExtPath -Directory | Where-Object {
            $_.Name -like "$MaliciousPublisher.*" -or $_.Name -like "*$ExtensionName*"
        }

        if ($TargetExtensions) {
            foreach ($Ext in $TargetExtensions) {
                Write-Host "[!] FOUND SUSPICIOUS EXTENSION: $($Ext.FullName)" -ForegroundColor Red
                # Option to force remove the directory
                try {
                    Remove-Item -Path $Ext.FullName -Recurse -Force -ErrorAction Stop
                    Write-Host "[+] Successfully removed: $($Ext.Name)" -ForegroundColor Green
                }
                catch {
                    Write-Host "[-] Failed to remove: $_" -ForegroundColor DarkRed
                }
            }
        } else {
            Write-Host "[+] No malicious extensions found in this profile." -ForegroundColor Green
        }
    }
}

Write-Host "[+] IMPORTANT: If a malicious extension was found, you must immediately rotate GitHub Personal Access Tokens (PATs) and SSH keys used on this host." -ForegroundColor Magenta
```
Remediation
- Identify and Uninstall: Immediately audit all developer workstations for the installation of the `nrwl.angular-console` extension. Uninstall any version installed during the breach window (refer to the vendor advisory for specific timestamp ranges, generally recent versions prior to the patch).
- Credential Rotation: Treat the affected developer workstations as compromised. Assume that all Git credentials, SSH keys, and session tokens stored in the environment have been exfiltrated. Force a rotation of GitHub Personal Access Tokens (PATs), deploy keys, and user passwords.
- Vendor Advisory: Refer to the official Nx Console Security Advisory and the GitHub Security Advisory for the specific safe versions of the extension to reinstall once the clean build is verified.
- Environment Reimaging: For confirmed infected devices, do not rely solely on malware removal. Reimage the machine to ensure no persistence mechanisms remain.
- Code Review: Conduct a diff audit of any code modified or accessed on the infected workstations during the compromise window to ensure no backdoors were injected into proprietary repositories.
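An audit-only pass for the "Identify and Uninstall" and "Credential Rotation" steps: it matches on each extension's `package.json` rather than the directory name, and lists which credential files exist in an affected profile so rotation can be scoped. This is an added example, not code from the original article or from the Nx or GitHub teams. The `affected` version set is a placeholder to fill from the vendor advisory, and the `<profile>/.vscode/extensions` layout is an assumption.

```python
import json
from pathlib import Path

# Extension ID from the article. The article gives no affected version numbers,
# so `affected` is a placeholder to fill from the vendor advisory.
TARGET = ("nrwl", "angular-console")
# Per-profile credential files named in the article's second Sigma rule.
CREDENTIAL_FILES = (".ssh/id_rsa", ".ssh/id_ed25519", "_netrc")


def read_manifest(ext_dir):
    """Return (publisher, name, version) from package.json, or None if unusable."""
    try:
        data = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        return tuple(str(data.get(k, "")).lower() for k in ("publisher", "name", "version"))
    except (OSError, ValueError, AttributeError):
        return None


def audit_profile(profile, affected=frozenset()):
    """Report target-extension installs and the credentials to rotate for one profile."""
    profile, hits = Path(profile), []
    ext_root = profile / ".vscode" / "extensions"
    dirs = [d for d in ext_root.iterdir() if d.is_dir()] if ext_root.is_dir() else []
    for ext_dir in sorted(dirs):
        manifest = read_manifest(ext_dir)
        if manifest is None:
            # Missing or corrupt manifest: fall back to the directory name and
            # treat the install as suspect, since its version cannot be verified.
            if ext_dir.name.lower().startswith(".".join(TARGET) + "-"):
                hits.append({"dir": ext_dir.name, "version": None, "suspect": True})
            continue
        if manifest[:2] == TARGET:
            # An empty `affected` set means every installed version is suspect.
            suspect = not affected or manifest[2] in affected
            hits.append({"dir": ext_dir.name, "version": manifest[2], "suspect": suspect})
    present = [c for c in CREDENTIAL_FILES if (profile / c).is_file()]
    # Only existence is checked; key material is never opened or read.
    rotate = present if any(h["suspect"] for h in hits) else []
    return {"profile": str(profile), "extensions": hits, "rotate": rotate}


if __name__ == "__main__":
    # Assumes user profiles are siblings of the current user's home directory.
    for home in sorted(p for p in Path.home().parent.iterdir() if p.is_dir()):
        try:
            print(json.dumps(audit_profile(home)))
        except PermissionError:
            print(json.dumps({"profile": str(home), "error": "access denied"}))
```

Run it with sufficient rights to read other users' profiles; each output line is one profile's findings as JSON.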
Executive Takeaways
- Extend the Perimeter to the IDE: Security controls must extend beyond the network edge to the developer workstation. IDEs are trusted targets that sit directly on the "crown jewels"—source code.
- Least Privilege for Extensions: Implement a policy where developers cannot install extensions without explicit security approval, or utilize an internal proxy for the VS Code Marketplace to block malicious packages.
- Zero Trust for DevOps: Assume that a developer's machine can be compromised. Enforce multi-factor authentication (MFA) for all Git operations and use short-lived credentials rather than persistent static keys.