Attackers Gained Access To Internal GitHub And OpenAI Repositories

GitHub has warned that it detected unauthorized access to its internal repositories. The cause was the compromise of an employee's workstation: the employee had installed a new version of a VS Code extension into which malicious code had been integrated. Details are promised once the investigation is completed. According to preliminary data, user information stored outside of GitHub’s internal repositories was not affected.

It is not specified which VS Code add-on was installed. Among the recent attacks on VS Code users, one notable case is yesterday’s incident with the Nx Console add-on, which has 2.2 million installations. Attackers managed to obtain the credentials for the GitHub account of one of the Nx Console developers and published a new release, 18.95.0, containing malicious code that steals confidential data such as passwords and access tokens for GitHub, npm, AWS, HashiCorp Vault, Kubernetes and 1Password. The malicious release was posted to the Visual Studio Marketplace on May 19 at 15:30 and deleted at 15:48 (MSK).

Also worth mentioning is the compromise on May 11 of two workstations of OpenAI employees, who had installed malicious updates to TanStack NPM packages containing a self-propagating worm. The malicious releases were published as a result of an attack on the GitHub Actions-based release generation process in the TanStack project. As a result of the worm’s activity, credentials and access keys located on the compromised computers of OpenAI employees were sent to the attackers’ server. It is noted that the compromised systems had limited access to some internal OpenAI repositories, which, among other things, stored certificates for generating digital signatures for products on the Windows, macOS, iOS and Android platforms. After identifying the problem, OpenAI initiated the process of replacing the certificates used to digitally sign ChatGPT Desktop, Codex App, Codex CLI and Atlas.

Interestingly, this is not the first such incident at OpenAI: the systems of employees of this company were affected by malware in April after installing a malicious release of the Axios NPM package, which the attackers managed to publish after intercepting the credentials of the main maintainer. After that incident, protection against the installation of malicious dependencies was implemented on the developers’ computers, but it was not installed on the systems of the employees compromised via TanStack.
