An attacker breached GitHub via a single poisoned extension on a developer's laptop and exfiltrated over 3,800 of its private repositories.

The platform for code development, which serves over 180 million developers around the world, confirmed the security incident on May 20.

“We are closely monitoring our infrastructure for follow-on activity,” it said. 

GitHub said on X that the troubling incident started with the compromise of a single “employee device involving a poisoned VS Code extension."

GitHub said on Wednesday that “critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first.”

“We currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories)” it said. 

“Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.” GitHub. May 20. X.

Mini Shai Hulud worm is having huge success

The incident comes amid an ongoing supply chain attack dubbed "Mini Shai Hulid" that is targeting the open source ecosystem – a range of npm packages, GitHub Actions, and a VSCode extension called rwl.angular-console were all poisoned in upstream attacks on May 19. 

The VSCode extension (v18.95.0 was affected) is a popular integration with code editors like VS Code, Cursor, and JetBrains. It has approximately 2.2 million installations on developer machines. 

It is developed by Nx, which says it serves CapitalOne, Intel, FedEx, Red Bull and a wealth of other blue chips. Nx's project maintainers said the incident happened after one of their developer’s GitHub creds leaked.

The company says over 6,000 people may have installed the compromised version.

 (It did not say how this happened, but even at the dizzy upper echelons of CISA, credential leaks have been known to happen very regularly.)

They said; “The compromised extension fetched an obfuscated payload that harvested credentials from multiple sources on disk and in memory:

  • Vault — ~/.vault-token, /etc/vault/token; Kubernetes and AWS IAM auth
  • npm — .npmrc tokens and OIDC token exchange
  • AWS — IMDS/ECS metadata, Secrets Manager, SSM, Web Identity tokens
  • GitHub — ghp_/gho_/ghs_ tokens, Actions secrets, process memory
  • 1Password — op CLI vault contents, if an op session was active
  • Filesystem — private keys, connection strings, GCP/Docker credentials

Nx added: “Harvested data was exfiltrated via HTTPS, the GitHub API, and DNS. On Linux it also attempted sudoers injection for persistence.”

Nx Console 18.100.0 is the latest version that users need to be on. 

JavaScript dashboards...

Aikido Security said that the first new wave of the so-called Mini Shai Hulud attacks also “targeted @antv packages, a widely used set of JavaScript data visualization, graphing, mapping, and charting libraries.

"If you have built dashboards, charts, or data-heavy UIs in a JavaScript project, there is a good chance something in this list is in your dependency tree,” it added. 

The attackers, tracked as “TeamPCP”, have been hitting downstream victims with backdoors via their access to compromised OSS.

The malware scans for and exfiltrates sensitive artifacts from infected systems, including GitHub tokens, SSH keys, cloud credentials, browser-stored secrets, and other authentication material. 

Wiz said “Security teams should also hunt for persistence mechanisms and unusual outbound GitHub communication, including the presence of the following file: ~/.local/share/kitty/cat.py/ they added on May 19.

“Organizations should strengthen software supply chain defenses by implementing dependency allowlisting, SBOM generation, package verification, and improved monitoring of developer and build environments,” Wiz added – guidance that looks like the bare minimum.

A persistent foothold

Aikido Security said the attackers are targeting greater persistence.

The malicious payload writes to .vscode/tasks.json and .claude/settings.json, planting backdoors in VS Code and Claude Code configurations, the company said in a May 19 blog.

That means removing the malicious package from your lockfile is not enough.

“If these files are not checked and cleaned, the attacker keeps a foothold on the developer's machine even after the dependency is rolled back.”

The payload still contains the npm propagation logic that makes Mini Shai-Hulud a worm,” Aikido said, explaining the pace of the attacks.

“After stealing npm tokens, it validates them against the npm registry, enumerates packages the token owner can publish, downloads package tarballs, injects the malicious payload, adds a preinstall hook, bumps the version, and republishes. The malware is not just stealing secrets from the current victim. It is using the victim's publishing access to compromise the next set of packages. This is how the campaign keeps growing. 

"Each compromised account becomes the entry point for the next wave, and maintainers with broad publishing access give the worm a lot of room to spread."

npm said: "To prevent supply chain attacks following the pattern of Mini Shai Hulud, we invalidated npm granular access tokens with write access that bypass 2FA. Update the stored token and rerun the workflow for your automations."

We keep all of our cybersecurity reporting free for public interest reasons. Subscribing allows us to keep serving our readers and sharing deeper dives too. It's £25 ($33) a month or £250 ($335) a year..

The link has been copied!