CyberSecurity SEE

GitHub Advises Self-Hosted Admins to Rotate Keys

Company Pushes Key Rotation After 3,800 Repositories Compromised


In a widely reported security incident, GitHub has issued an urgent warning to administrators of self-hosted git servers to rotate public encryption keys. The recommendation follows a breach on May 18 involving a compromised Visual Studio Code extension used by one of its employees. Incidents of this kind spotlight the risk introduced by third-party software integrations, particularly in environments that rely on open-source tooling.

The Microsoft-affiliated code repository said an investigation begun earlier in May confirmed the theft of approximately 3,800 internal repositories. The breach was traced to a security flaw in the Nx Console extension for Visual Studio Code. The compromised extension was live in the Visual Studio Marketplace for only 18 minutes before it was taken down, which illustrates how quickly a compromised dependency can turn into a significant data breach.

Alexis Wales, GitHub’s Chief Information Security Officer, wrote in a recent update that the company is undertaking a comprehensive key rotation. The effort includes rotating the critical GitHub Enterprise Service signing key, which will require self-hosted administrators to take the same step. The measure is intended to limit any fallout from the breach. Despite the scale of the incident, GitHub said there is “no evidence” that customer or enterprise-level repositories were compromised, though it acknowledged that some internal repositories contained customer-related information, such as excerpts of support interactions.

Wales reassured users by explaining, “If any impact is discovered, we will notify customers via established incident response and notification channels.” This reflects GitHub’s commitment to transparency and communication amidst a troubling security landscape.

TeamPCP, a hacking group active since mid-2025 that focuses on supply-chain attacks against open-source software, has claimed responsibility for the attack. In collaboration with the notorious Lapsus$ extortion gang, the group is reportedly attempting to sell the stolen GitHub data for $95,000. The offer illustrates the growing trend of cybercriminals monetizing stolen data, which further complicates the cybersecurity landscape.

As the threat landscape evolves, GitHub’s predicament highlights critical weaknesses in the software supply chain, particularly as practices like continuous integration and continuous deployment become standard across the industry. Security experts emphasize that the trust placed in third-party code is often what enables attacks of this nature. Aikido Security pointed out, “Trust, not sophistication, is what makes attacks like those resulting from the Nx Console, Durable Task Python SDK, and the Mini Shai-Hulud campaign across the AntV ecosystem successful.”

Their commentary makes clear that these attacks are not always carried out through obscure packages from dubious sources; they frequently abuse widely used tools that developers keep trusting because of high install counts, reputable badges and perceived marketplace legitimacy. That trust has become the primary target, and it calls into question the safeguards organizations apply to third-party software.

GitHub has pledged to release a more comprehensive report on this incident once their investigation and analysis are concluded. This commitment not only highlights the gravity of the situation but also underscores the importance of continuous vigilance and risk management in an environment fraught with potential cybersecurity threats.

With reporting by ISMG’s David Perera in Northern Virginia.
