Malicious Nx Console VS Code extension breached GitHub repos
A trojanized release of the Nx Console extension for Visual Studio Code allowed attackers to harvest credentials and access multiple internal GitHub repositories, GitHub confirmed.
A trojanized release of the Nx Console extension for Visual Studio Code harvested credentials and tokens from developer environments and was used to access multiple internal GitHub repositories, GitHub confirmed. Security teams detected unusual access patterns tied to actions performed by the extension and traced the activity to the compromised release.
GitHub removed the malicious package from the Visual Studio Marketplace and began revoking affected credentials and tokens to block further access. An internal incident response team is investigating which repositories and assets were accessed. The company notified partners and developers who may have been affected and advised them to rotate credentials and review account activity.
Users were instructed to uninstall any versions of Nx Console obtained during the period surrounding the compromise and to audit local development environments for signs of credential theft. Because developer workflows often store access tokens and authentication caches on local machines or in continuous integration environments, extensions with elevated file and process access can be used to move from a workstation into hosted repositories.
Security teams recommended checking token issuances, reviewing recent commits and pushes, revoking unused tokens and enabling multifactor authentication where available. Organizations are reviewing internal controls for granting extension permissions and increasing monitoring of developer workstations for unusual network or file activity.
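The two preceding paragraphs describe why a trojanized extension can reach hosted repositories (tokens cached on the workstation) and what to audit in response. The script below is an added example written for this article, not code from GitHub, Nx, or the article itself. It does the workstation-side part of that checklist: parses the output of `code --list-extensions --show-versions`, flags the Nx Console extension, and counts (without printing) secrets in the credential stores a developer machine commonly holds. Assumptions: the extension identifier `nrwl.angular-console` for Nx Console, a placeholder `SUSPECT_VERSIONS` set because the article names no version numbers, and a constructed sample home directory and extension listing built inline so it runs offline.

```python
"""Workstation audit after a trojanized VS Code extension: is the suspect
extension installed, and which local credential stores would need rotation?
Added example (not the article's or GitHub's code); see assumptions below."""
import re
import tempfile
from pathlib import Path

NX_CONSOLE_ID = "nrwl.angular-console"      # assumed marketplace ID for Nx Console
SUSPECT_VERSIONS = {"0.0.0-PLACEHOLDER"}    # placeholder: the article gives no versions

# Credential stores relative to $HOME, with a pattern that matches the secret
# itself. We only count matches; secrets are never printed or copied.
CREDENTIAL_STORES = {
    ".git-credentials": re.compile(r"https?://[^:/\s]+:[^@\s]+@"),   # user:token@host
    ".npmrc": re.compile(r"_authToken\s*=\s*\S+"),
    ".netrc": re.compile(r"password\s+\S+"),
    ".config/gh/hosts.yml": re.compile(r"oauth_token:\s*\S+"),
}
ENV_TOKEN_RE = re.compile(r"^(GITHUB|GH|NPM)_?TOKEN$", re.I)

# Constructed listing in the format of `code --list-extensions --show-versions`.
SAMPLE_LISTING = """\
example.publisher.some-extension@1.2.3
nrwl.angular-console@0.0.0-PLACEHOLDER
"""


def parse_extension_list(listing: str) -> dict:
    """Map lowercase extension ID -> version from 'id@version' lines."""
    found = {}
    for line in listing.splitlines():
        line = line.strip()
        if "@" in line:
            ext_id, version = line.rsplit("@", 1)
            found[ext_id.lower()] = version
    return found


def check_nx_console(listing: str) -> dict:
    """Report whether Nx Console is installed and whether its version is suspect."""
    version = parse_extension_list(listing).get(NX_CONSOLE_ID)
    return {"installed": version is not None,
            "version": version,
            "suspect": version in SUSPECT_VERSIONS}


def find_credential_stores(home: Path) -> list:
    """List credential files present under home with a count of secrets found."""
    findings = []
    for rel, pattern in CREDENTIAL_STORES.items():
        path = home / rel
        if path.is_file():
            hits = len(pattern.findall(path.read_text(errors="replace")))
            findings.append({"path": rel, "secrets": hits})
    return findings


def audit(listing: str, home: Path, env: dict) -> dict:
    """Combine extension check, file-based stores and token-bearing env vars."""
    nx = check_nx_console(listing)
    stores = find_credential_stores(home)
    env_tokens = sorted(k for k, v in env.items() if ENV_TOKEN_RE.match(k) and v)
    secrets_present = any(f["secrets"] for f in stores) or bool(env_tokens)
    return {"nx_console": nx,
            "credential_stores": stores,
            "env_tokens": env_tokens,
            # Rotate immediately when a suspect build had access to live secrets.
            "rotate_now": nx["suspect"] and secrets_present}


def build_sample_home(root: Path) -> Path:
    """Constructed $HOME with the files a developer box often carries (fake tokens)."""
    home = root / "home"
    (home / ".config" / "gh").mkdir(parents=True)
    (home / ".git-credentials").write_text(
        "https://alice:ghp_EXAMPLETOKEN0000@github.com\n")
    (home / ".npmrc").write_text(
        "registry=https://registry.npmjs.org/\n"
        "//registry.npmjs.org/:_authToken=npm_EXAMPLE0000\n")
    (home / ".config" / "gh" / "hosts.yml").write_text(
        "github.com:\n    user: alice\n    oauth_token: gho_EXAMPLE0000\n")
    return home


def demo_audit() -> dict:
    """Run the audit against the constructed home, listing and environment."""
    with tempfile.TemporaryDirectory() as tmp:
        home = build_sample_home(Path(tmp))
        return audit(SAMPLE_LISTING, home,
                     {"GITHUB_TOKEN": "ghp_EXAMPLE", "PATH": "/usr/bin"})


if __name__ == "__main__":
    report = demo_audit()
    print("Nx Console:", report["nx_console"])
    for f in report["credential_stores"]:
        print(f"  {f['path']}: {f['secrets']} secret(s) present")
    print("Token env vars:", report["env_tokens"])
    print("Rotate now:", report["rotate_now"])
```

On a real machine you would replace `SAMPLE_LISTING` with the captured output of `code --list-extensions --show-versions`, `home` with `Path.home()` and `env` with `os.environ`; the report tells you which stores to rotate, and the counts let you confirm afterwards that the old secrets are gone without ever echoing them.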
Marketplace operators rely on code signing, publisher verification and automated scanning to reduce risk, but attackers have nonetheless targeted widely used packages and publishers. GitHub is running a forensic review to map the attack timeline, identify the initial compromise vector and determine what data, if any, was permanently exfiltrated. The company has not released a full list of affected repositories or detailed technical indicators of compromise.
According to GitHub: “We removed the malicious package and are rotating credentials while we conduct a forensic review to understand the scope of the incident.” The investigation is ongoing and the company is coordinating with security partners to contain the breach.