
GitHub says the hackers who breached 3,800 internal repositories gained access via a malicious version of the Nx Console VS Code extension, compromised in last week's TanStack npm supply-chain attack. [...]
The attack chained two trusted developer tools: a compromised npm package from the TanStack supply-chain attack was used to ship a malicious build of the Nx Console VS Code extension, and that extension in turn gave the attackers access to GitHub's internal repositories. It shows how an intrusion in one widely used ecosystem (npm) can propagate through developer tooling into another (GitHub), reaching infrastructure that much of the software industry depends on.
The practical consequence is that securing open-source developer tools and CI/CD pipelines (pinning and verifying extension and package versions, restricting what developer machines and build agents can reach, and monitoring for unexpected repository access) moves from a best practice to a baseline requirement for every organization that builds software.
- Cybersecurity firms
- DevSecOps tool providers
- Open-source projects with weak security
- Organizations relying solely on traditional perimeter security
- Developers using common extensions
GitHub's internal repositories were breached through a malicious version of a widely used VS Code extension.
Companies will re-evaluate how much they rely on open-source components and developer tooling, and how they vet and update them.
Regulators and industry bodies may respond with stronger requirements or standards for software supply-chain security, which would change development practices globally.
Read at BleepingComputer