⚠️ THREAT ALERT: Internal GitHub Enterprise Repositories Breached via Malicious Nx Console VS Code Extension
The compromise chain starts with a tainted build of the Nx Console extension for Visual Studio Code that was signed and distributed through the official VS Code Marketplace. The malicious variant abuses an install-time script that runs with the same privileges as the host VS Code process; the injected Node.js payload calls `child_process.exec`, which gives the attacker arbitrary command execution on every developer machine that installed it. The payload then harvests locally cached GitHub credentials: the GitHub CLI credential store at `~/.config/gh/hosts.yml` and the `GITHUB_TOKEN` (and `GH_TOKEN`) environment variables. Because those tokens were already SSO-authorized for the organization, API calls made with them from outside the corporate network succeed, so the attacker cloned internal GitHub Enterprise repositories through the REST API and `git clone` without ever touching the segmented internal network. The technique follows the supply-chain pattern seen in the recent npm and VS Code Marketplace incidents. One correction to how the chain is usually described: the extension's `package.json` does pin an outdated `node-fetch` (before 2.6.7), but the known issues fixed around that release are credential leakage to a third-party host on a cross-origin redirect and denial of service, not remote code execution, so the dependency neither provides the execution primitive nor explains how the payload passed the Marketplace's automated vetting. The code runs because the install script runs; the outdated dependency is a separate, lesser defect.
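The pre-deployment check a practitioner would want here is a triage scan over an unpacked extension package that flags the three traits described above (install-time lifecycle scripts, `child_process` use, and reads of GitHub credential stores) and refuses the combination outright. The following is an added example written for this page; it is not code from Nx Console, the VS Code Marketplace, or any vetting pipeline, and every package, path and source snippet it inspects is a constructed sample.

```javascript
// Added example, not code from Nx Console or the VS Code Marketplace: a
// pre-deployment triage check over an unpacked extension package. It flags
// the traits described above (install-time lifecycle scripts, child_process
// use, reads of GitHub credential stores) and combines them into a verdict.
// All package contents below are constructed samples.

const LIFECYCLE_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];

// [label, pattern] pairs. Deliberately broad: this is triage, not a verdict
// on its own, and a reviewer looks at every hit.
const SUSPICIOUS_SOURCE = [
  ['child_process', /\brequire\(\s*['"](?:node:)?child_process['"]\s*\)|from\s+['"](?:node:)?child_process['"]/],
  ['gh-hosts-file', /\.config\/gh\/hosts\.yml/],
  ['github-token-env', /process\.env(?:\.(?:GH_TOKEN|GITHUB_TOKEN)\b|\[\s*['"](?:GH_TOKEN|GITHUB_TOKEN)['"]\s*\])/],
  ['git-credentials', /\.git-credentials\b/],
];

const CREDENTIAL_KINDS = new Set(['gh-hosts-file', 'github-token-env', 'git-credentials']);

// pkg: parsed package.json; sourceFiles: { relativePath: fileContents }.
function vetExtension(pkg, sourceFiles) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const name of LIFECYCLE_SCRIPTS) {
    if (scripts[name]) {
      findings.push({ kind: 'lifecycle-script', where: `package.json#scripts.${name}`, detail: scripts[name] });
    }
  }
  for (const [path, src] of Object.entries(sourceFiles)) {
    for (const [label, re] of SUSPICIOUS_SOURCE) {
      if (re.test(src)) findings.push({ kind: label, where: path });
    }
  }
  const kinds = new Set(findings.map(f => f.kind));
  const touchesCredentials = [...kinds].some(k => CREDENTIAL_KINDS.has(k));
  const canExecute = kinds.has('lifecycle-script') || kinds.has('child_process');
  // Credential access plus a way to run commands at install time is the
  // exact shape of the payload described above: block, do not merely review.
  let verdict = 'allow';
  if (touchesCredentials && canExecute) verdict = 'block';
  else if (findings.length > 0) verdict = 'review';
  return { verdict, findings };
}

// Constructed sample 1: a benign extension that only registers a command.
const BENIGN_PKG = { name: 'hello-world', scripts: { compile: 'tsc -p ./' } };
const BENIGN_SRC = {
  'out/extension.js': "const vscode = require('vscode');\nexports.activate = ctx => {};\n",
};

// Constructed sample 2: the shape of the tainted package the alert describes.
const TAINTED_PKG = { name: 'nx-console-lookalike', scripts: { postinstall: 'node scripts/telemetry.js' } };
const TAINTED_SRC = {
  'scripts/telemetry.js':
    "const { exec } = require('child_process');\n" +
    "const os = require('os');\n" +
    "const tok = process.env.GITHUB_TOKEN;\n" +
    "exec(`cat ${os.homedir()}/.config/gh/hosts.yml`, (err, out) => { /* exfiltrate */ });\n",
};

function runSamples() {
  return { benign: vetExtension(BENIGN_PKG, BENIGN_SRC), tainted: vetExtension(TAINTED_PKG, TAINTED_SRC) };
}
```

Run it over the unzipped VSIX (`package.json` plus every `.js` under the package) before an extension is admitted to an internal marketplace proxy. A `review` verdict (for example a build tool that legitimately spawns a compiler) still goes to a human; only the credential-plus-execution combination is rejected automatically.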
In parallel, the payload abused the way GitHub CLI (`gh`) resolves credentials. `gh` keeps its stored token in `hosts.yml` under `~/.config/gh/` (or `$GH_CONFIG_DIR`), keyed by hostname, and nothing protects the integrity of that file against code already running as the user. By writing a crafted entry for the corporate GitHub Enterprise host into `hosts.yml`, the malicious code caused subsequent `gh` invocations on the workstation to authenticate as a high-privilege service account with read access to every internal repository. No GitHub CLI vulnerability is needed for this; it is plain abuse of a plaintext credential file. Two caveats matter for responders: `gh` prefers the `GH_TOKEN`/`GITHUB_TOKEN` environment variables (and, for Enterprise hosts, `GH_ENTERPRISE_TOKEN`/`GITHUB_ENTERPRISE_TOKEN`) over `hosts.yml`, so a planted file entry is inert in shells where those are set, and `gh` builds that store tokens in the OS keyring keep only the user name in `hosts.yml`, leaving nothing for the payload to read or replace there. The combination of the install-time hook, the harvested tokens, and the planted `hosts.yml` entry allowed the attacker both to exfiltrate source code and to push backdoored commits into the pulled repositories, creating a persistent foothold in the organization's software supply chain.
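The forensic check for this stage is to read `hosts.yml` on a suspect workstation, work out which credential `gh` would actually use for each host, and flag entries whose identity is not the workstation owner's. The block below is an added example written for this page, not GitHub CLI's own code: it re-implements the credential precedence that `gh` documents (environment variables first, then the per-host `oauth_token` in `hosts.yml`), and the `hosts.yml` content, host names, user names and tokens are constructed samples in the flat one-user-per-host layout.

```javascript
// Added example, not GitHub CLI's own code: a re-implementation of the
// documented credential precedence of `gh` (GH_TOKEN, then GITHUB_TOKEN,
// then the host entry in hosts.yml; the *_ENTERPRISE_TOKEN names for
// non-github.com hosts) plus an audit of hosts.yml for entries that do not
// belong to the expected user. The hosts.yml text is a constructed sample.

// Minimal parser for the flat hosts.yml layout:
//   github.com:
//       user: alice
//       oauth_token: gho_...
// Returns { hostname: { key: value } }. This is not a general YAML parser.
function parseHostsYml(text) {
  const hosts = {};
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const host = raw.match(/^(\S[^:]*):\s*$/);
    if (host) { current = host[1]; hosts[current] = {}; continue; }
    const kv = raw.match(/^\s+([^:]+):\s*(.*)$/);
    if (kv && current) hosts[current][kv[1].trim()] = kv[2].trim();
  }
  return hosts;
}

// Which token would gh use for this host, and where did it come from?
function resolveToken(hostname, env, hosts) {
  const envNames = hostname === 'github.com'
    ? ['GH_TOKEN', 'GITHUB_TOKEN']
    : ['GH_ENTERPRISE_TOKEN', 'GITHUB_ENTERPRISE_TOKEN'];
  for (const name of envNames) {
    if (env[name]) return { token: env[name], source: `env:${name}` };
  }
  const entry = hosts[hostname];
  if (entry && entry.oauth_token) return { token: entry.oauth_token, source: 'hosts.yml' };
  return { token: null, source: null };
}

// Flag host entries that should not be on this workstation at all, and
// entries whose `user` is not the login the workstation owner is expected
// to have. `expected` maps hostname -> allowed login.
function auditHosts(hosts, expected) {
  const alerts = [];
  for (const [host, entry] of Object.entries(hosts)) {
    if (!(host in expected)) alerts.push({ host, reason: 'unexpected host entry' });
    else if (entry.user !== expected[host]) alerts.push({ host, reason: `user ${entry.user} != ${expected[host]}` });
  }
  return alerts;
}

// Constructed sample: alice's legitimate github.com entry plus a planted
// entry for the corporate GHE host that authenticates as a service account.
const SAMPLE_HOSTS_YML = `
github.com:
    user: alice
    oauth_token: gho_constructed_sample_token
    git_protocol: https
ghe.example.internal:
    user: svc-repo-reader
    oauth_token: ghp_constructed_planted_token
    git_protocol: https
`;

function auditSample() {
  const hosts = parseHostsYml(SAMPLE_HOSTS_YML);
  return {
    alerts: auditHosts(hosts, { 'github.com': 'alice' }),
    gheToken: resolveToken('ghe.example.internal', { GITHUB_TOKEN: 'gho_constructed_env_token' }, hosts),
  };
}
```

The `resolveToken` result is the part that decides whether a planted entry was live: a `source` of `hosts.yml` for the Enterprise host means every `gh` command in that shell ran as the planted account, while an `env:` source means the file entry was shadowed and never used. On a workstation whose `gh` uses keyring storage, `oauth_token` will be absent from `hosts.yml` and the check degrades to the `user` comparison.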
Mitigation requires a multi-layered response: (1) immediately revoke every GitHub personal access token and OAuth token that was cached on developer workstations, reissue them as fine-grained tokens limited to the repositories and permissions each workflow needs, and enforce expiration; (2) keep VS Code's `extensions.verifySignature` setting enabled (it is the default) so Marketplace signatures are checked, and restrict what can be installed with the `extensions.allowed` setting (VS Code 1.96 or later, deliverable as an enterprise policy) so that only vetted publishers and extension IDs install, backed by an internal marketplace proxy that validates each VSIX against a hash allowlist; note that `extensions.autoCheckUpdates` and `extensions.ignoreRecommendations` only control update checks and recommendation prompts and verify nothing; (3) upgrade `node-fetch` to 2.6.7 or later in every development environment, keep GitHub CLI current, and on affected workstations delete `~/.config/gh/hosts.yml` and re-run `gh auth login` rather than trusting a file the payload could have rewritten; and require an SBOM scan of every VS Code extension before deployment. Additionally, Microsoft Defender for Endpoint's Attack Surface Reduction rules have no rule that covers script execution inside VS Code, so use custom detections (or your EDR's equivalent) that alert when the VS Code process tree spawns a shell or reads `~/.config/gh/hosts.yml`, deploy detections for the known malicious payload hash, and sweep the GitHub Enterprise audit log for `git.clone` and `git.push` events made with the compromised tokens, treating every repository that received such a push as potentially backdoored until its commits are diffed against a known-good ref.
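The audit-log sweep at the end of that list is the step that turns "a token was stolen" into a concrete list of repositories to re-examine. The block below is an added example written for this page, not GitHub's own tooling: given the ids of the tokens revoked during response, it separates repositories that received a push (candidates for a planted backdoor) from those that were only cloned (exfiltration only) and flags tokens replayed from more than one source address. The events are constructed samples in the audit log's JSON shape; the presence of a per-event `token_id` field, the action names used, the addresses and the token values are all assumptions made for this example.

```javascript
// Added example, not GitHub's own tooling: triage of GitHub Enterprise audit
// log events for the forensic sweep described above. Given the ids of the
// tokens revoked during response, it separates repositories that received a
// push (candidates for a planted backdoor) from those that were only cloned
// (exfiltration only), and flags tokens replayed from more than one source
// address. The events are constructed samples in the audit log's JSON shape;
// the per-event `token_id` field and the sample values are assumptions for
// this example. Timestamps are epoch milliseconds.

const GIT_ACTIONS = new Set(['git.clone', 'git.fetch', 'git.push']);

function triageAuditLog(events, compromisedTokenIds) {
  const compromised = new Set(compromisedTokenIds);
  const repos = new Map();    // repo -> { pushed, actors, ips, firstSeen }
  const tokenIps = new Map(); // token_id -> Set of actor_ip

  for (const ev of events) {
    if (!GIT_ACTIONS.has(ev.action) || !compromised.has(ev.token_id)) continue;
    if (!repos.has(ev.repo)) {
      repos.set(ev.repo, { pushed: false, actors: new Set(), ips: new Set(), firstSeen: ev['@timestamp'] });
    }
    const r = repos.get(ev.repo);
    if (ev.action === 'git.push') r.pushed = true;
    r.actors.add(ev.actor);
    r.ips.add(ev.actor_ip);
    if (ev['@timestamp'] < r.firstSeen) r.firstSeen = ev['@timestamp'];
    if (!tokenIps.has(ev.token_id)) tokenIps.set(ev.token_id, new Set());
    tokenIps.get(ev.token_id).add(ev.actor_ip);
  }

  const names = [...repos.keys()].sort();
  return {
    // Every repo here needs its pushed commits diffed against a known-good ref.
    pushedRepos: names.filter(n => repos.get(n).pushed),
    // Exfiltrated but not modified: scope the data loss, rotate embedded secrets.
    clonedOnly: names.filter(n => !repos.get(n).pushed),
    // One token seen from several addresses is the replay signal.
    replayedTokens: [...tokenIps.entries()].filter(([, ips]) => ips.size > 1).map(([id]) => id).sort(),
    total: repos.size,
    details: Object.fromEntries(names.map(n => {
      const r = repos.get(n);
      return [n, { pushed: r.pushed, actors: [...r.actors], ips: [...r.ips], firstSeen: r.firstSeen }];
    })),
  };
}

// Constructed sample events. 203.0.113.7 stands in for the developer's
// workstation egress; 198.51.100.21 for attacker infrastructure replaying
// the stolen token. tok_2002 belongs to an uninvolved user.
const SAMPLE_EVENTS = [
  { '@timestamp': 1700000000000, action: 'git.clone', actor: 'alice', repo: 'corp/payments-service',
    actor_ip: '203.0.113.7', programmatic_access_type: 'OAuth access token', token_id: 'tok_1001' },
  { '@timestamp': 1700000060000, action: 'git.clone', actor: 'alice', repo: 'corp/infra-terraform',
    actor_ip: '203.0.113.7', programmatic_access_type: 'OAuth access token', token_id: 'tok_1001' },
  { '@timestamp': 1700003600000, action: 'git.push', actor: 'alice', repo: 'corp/payments-service',
    actor_ip: '198.51.100.21', programmatic_access_type: 'OAuth access token', token_id: 'tok_1001' },
  { '@timestamp': 1700003700000, action: 'repo.create', actor: 'alice', repo: 'corp/scratch',
    actor_ip: '198.51.100.21', programmatic_access_type: 'OAuth access token', token_id: 'tok_1001' },
  { '@timestamp': 1700004000000, action: 'git.clone', actor: 'bob', repo: 'corp/docs',
    actor_ip: '10.0.0.5', programmatic_access_type: 'OAuth access token', token_id: 'tok_2002' },
];
```

Feed it the exported audit log (one JSON object per event) and the token ids from the revocation step; `pushedRepos` is the review queue for planted code, `clonedOnly` the scope of the source-code exposure, and `replayedTokens` the evidence that a token left the workstation rather than merely being used by a compromised developer session. Non-git events such as `repo.create` are ignored on purpose so that the output stays a repository list rather than a full timeline.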