GitHub Got Hacked Through a VS Code Extension. Your Business Might Be Next.

A single malicious VS Code extension compromised thousands of repositories, including those of Microsoft, OpenAI, and Grafana Labs. Here's what it means for every business using developer tools, and what you need to do right now.

NSI Tech

On May 21, 2026, GitHub confirmed what a lot of security teams already feared: its internal repositories were breached. Not through a phishing email or a leaked password — through a malicious VS Code extension called Nx Console.

The attackers, operating under the name TeamPCP, slipped a compromised version of the extension into the supply chain. Anyone who installed it gave attackers a foothold into their development environment. From there, they exfiltrated roughly 3,800 repositories from Microsoft, OpenAI, Mistral AI, and Grafana Labs.

This wasn’t a random smash-and-grab. It was a precision supply chain attack — the same kind that hit Vercel, Adobe, and a string of major companies throughout April and May 2026.

What This Means for Your Business

If your team uses VS Code, Node.js tooling, or any third-party developer extensions, you’re in the blast radius — even if you’re not Microsoft or OpenAI.

Supply chain attacks are particularly dangerous because they exploit trust. You didn’t choose to get hacked. You chose a tool that seemed legitimate. The malicious code came bundled inside it.

For small and mid-sized businesses, the damage can be worse than for enterprises. Enterprise shops have dedicated security teams to audit dependencies. Most SMBs don’t; they install what their developers recommend and move on.

That approach just got a lot riskier.

What You Need to Do Now

Audit your extensions. Go through every VS Code extension your team has installed. Remove anything that doesn’t have a verified publisher and a recent security audit. If you don’t know what it does, that’s a red flag.

Lock down CI/CD pipelines. If a malicious extension can pull code from your repos, your build pipeline is only as secure as your weakest plugin.

Implement vendor risk assessments. Third-party tools touching your environment need the same scrutiny you’d give a new hire. Who published it? When was it last updated? Has anyone audited it?

Assume breach. Not every attack announces itself. If you have Node.js tooling or CI/CD workflows, assume there’s a compromised package somewhere in your stack. Run a thorough audit.
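
The "Audit your extensions" step can be scripted. The following is an added example, not code from the original article or from NSI Tech: it reads each extension's package.json under an extensions directory (VS Code's default is ~/.vscode/extensions) and flags anything missing from a team allowlist, any version that differs from the one reviewed, and any extension that activates at startup. The allowlist, extension IDs and sample manifests are constructed placeholders.

```python
import json
import tempfile
from pathlib import Path

# Assumption: team-reviewed allowlist, "publisher.name" -> reviewed version.
ALLOWLIST = {"examplecorp.linter": "2.1.0", "examplecorp.theme": "1.0.3"}
# Activation events that load an extension without any user action.
EAGER_EVENTS = {"*", "onStartupFinished"}
# Constructed sample manifests (placeholders): folder name -> package.json.
SAMPLE = {
    "examplecorp.linter-2.1.0": {"publisher": "ExampleCorp", "name": "linter", "version": "2.1.0"},
    "examplecorp.theme-1.0.4": {"publisher": "ExampleCorp", "name": "theme", "version": "1.0.4"},
    "unknownpub.helper-0.0.9": {"publisher": "unknownpub", "name": "helper", "version": "0.0.9",
                                "activationEvents": ["onStartupFinished"]},
}

def write_sample(root):
    """Create the constructed extension folders under root."""
    for folder, manifest in SAMPLE.items():
        (Path(root) / folder).mkdir()
        (Path(root) / folder / "package.json").write_text(json.dumps(manifest))

def audit_extensions(root, allowlist=ALLOWLIST):
    """Return {extension_id: [findings]} for extensions that need review."""
    report = {}
    for ext_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        try:
            manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
            ext_id = f"{manifest['publisher']}.{manifest['name']}".lower()
            version = str(manifest["version"])
            events = set(manifest.get("activationEvents") or [])
        except (OSError, ValueError, KeyError, TypeError):
            report[ext_dir.name] = ["unreadable manifest"]
            continue
        findings = []
        if ext_id not in allowlist:
            findings.append("not on allowlist")
        elif allowlist[ext_id] != version:
            findings.append(f"version {version} differs from reviewed {allowlist[ext_id]}")
        if EAGER_EVENTS & events:
            findings.append("activates at startup")
        if findings:
            report[ext_id] = findings
    return report

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        print(json.dumps(audit_extensions(tmp), indent=2))
```

To check a real workstation, pass the extensions directory to `audit_extensions` instead of the temporary sample directory. Publisher verification is Marketplace metadata and is not visible in the local manifest, so it has to be checked when an extension is added to the allowlist.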

The Bottom Line

The GitHub breach isn’t just a story about big tech. It’s a warning shot for every business that relies on developer tools, cloud infrastructure, or third-party software.

Your attack surface isn’t just your firewall anymore. It’s every plugin, extension, and dependency your team trusts.

Need help auditing your environment? Talk to NSI Tech.
