GitHub confirms 3,800 internal repos stolen after employee installed malicious Nx Console VS Code extension (TeamPCP)
GitHub has confirmed that roughly 3,800 internal repositories were exfiltrated after one of its employees installed a malicious version of the Nx Console VS Code extension. The malicious extension has been pulled and the affected device has been isolated. GitHub's current assessment is that the activity was limited to internal repos and that no customer data stored outside them was touched. The numbers line up with the claim TeamPCP posted on Breached, where they offered the code for at least $50,000. The breach connects this week's Nx Console compromise to the broader TeamPCP campaign that also hit OpenAI and Grafana.
- Check
  - Identify VS Code endpoints with the Nx Console extension installed and confirm the version is 18.100.0 or newer. Check for the cat.py and kitty-monitor IoCs and for outbound traffic to the attacker C2 infrastructure published by Nx.
- Affected
  - Any developer machine that installed Nx Console 18.95.0 during the 11-minute window on May 18 (12:36-12:47 UTC). GitHub.com itself confirms 3,800 internal repos were exfiltrated from one employee device.
- Fix
  - Update to Nx Console 18.100.0. Audit access from GitHub employee or contractor devices; rotate every credential, token, and SSH key reachable from machines that ran the trojanized version.
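As an added example of the check above (not code from GitHub, Nx or this advisory), the Python triage helper below parses a VS Code extension listing, flags the 18.95.0 build and anything older than 18.100.0, and searches directories for the published IoC file names; the extension id nrwl.angular-console and the `publisher.name@version` listing format are assumptions.

```python
"""Triage helper for the Nx Console VS Code compromise above. Assumed, not from the
advisory: the extension id is nrwl.angular-console and `code --list-extensions
--show-versions` prints one `publisher.name@version` line per extension."""
import os
import subprocess
NX_CONSOLE_ID = "nrwl.angular-console"   # assumed marketplace id of Nx Console
TROJANIZED = (18, 95, 0)                  # the malicious build named in the advisory
FIXED = (18, 100, 0)                      # first clean release per the advisory
IOC_NAMES = {"cat.py", "kitty-monitor"}   # file-name indicators published by Nx

def parse_extension_list(listing):
    """Turn `publisher.name@version` lines into {extension id: (major, minor, patch)}."""
    found = {}
    for line in listing.splitlines():
        ext_id, sep, version = line.strip().rpartition("@")
        try:
            if sep:
                found[ext_id] = tuple(int(p) for p in version.split("."))
        except ValueError:
            pass                          # non-numeric version string, skip it
    return found

def assess_nx_console(extensions):
    """Classify the host as 'absent', 'trojanized', 'outdated' or 'ok'."""
    version = extensions.get(NX_CONSOLE_ID)
    if version is None:
        return "absent"
    if version == TROJANIZED:
        return "trojanized"               # ran the known-bad build: treat as compromised
    return "outdated" if version < FIXED else "ok"

def find_iocs(roots):
    """Walk the given directories and return every file whose name is a known IoC."""
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            hits.extend(os.path.join(dirpath, f) for f in files if f in IOC_NAMES)
    return hits

# Constructed sample standing in for real `code --list-extensions --show-versions` output.
SAMPLE_LISTING = "ms-python.python@2024.4.1\nnrwl.angular-console@18.95.0\n"
if __name__ == "__main__":
    try:
        listing = subprocess.run(["code", "--list-extensions", "--show-versions"],
                                 capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        listing = SAMPLE_LISTING          # `code` not on PATH: fall back to the sample
    print("Nx Console status:", assess_nx_console(parse_extension_list(listing)))
    print("IoC files under home:", find_iocs([os.path.expanduser("~")]) or "none")
```

A "trojanized" result means the host ran the malicious build and its credentials should be treated as exposed; "outdated" only means the extension is below the fixed release.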