Cyber: GitHub Breach Traced To Malicious 'Nx Console' VS Code Extension (2026)
GitHub has confirmed that a recent breach into its internal repositories was caused by a vulnerability in a Microsoft Visual Studio Code (VS Code) extension called ‘Nx Console.’ The security team at the Microsoft-owned software developer platform warned on May 19 that an attacker gained unauthorized access to 3800 internal repositories via a “poisoned” VS Code extension found on an employee device. Jeff Cross, CEO of Nx, later confirmed that Nx Console, a popular VS Code extension, was the poisoned extension that resulted in the GitHub breach.

Nx Console provides a graphical interface for managing and running Nx workspace tasks, generators and builds. Nx is a development toolkit for managing large codebases, also known as monorepos. Nx Console is a popular extension, with 2.2 million installs on the Visual Studio Marketplace and a verified publisher badge.

In a report published on GitHub, Cross explained that a malicious version of Nx Console (version 18.95.0) was uploaded on May 18 to Visual Studio Marketplace and to Open VSX, an open-source extension registry for Visual Studio Code–compatible editors. The upload was completed at 12.30 UTC by an individual who posed as a legitimate Nx maintainer. The compromised extension fetched an obfuscated payload that harvested credentials from multiple sources on disk and in memory:

The issue has been allocated a vulnerability identifier, CVE-2026-48027. Cross explained that the person managed to gain the GitHub credentials of a legitimate Nx developer through a recent supply-chain compromise of TanStack npm packages. This was part of a broader supply chain attack affecting developer ecosystems, commonly known as the Mini Shai-Hulud campaign.
Source: InfoSecurity Magazine
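
A workstation check for the affected release named above, as an added example that is not taken from the article or from Nx: it reads each installed extension's `package.json` and flags copies of Nx Console at version 18.95.0. The extension identifier `nrwl.angular-console` and the per-user folder paths are assumptions, since the article gives only the display name.

```python
import json
from pathlib import Path

BAD_VERSION = "18.95.0"  # malicious version named in the article
# Assumption: marketplace identifier (publisher.name) of Nx Console; not stated in the article.
ASSUMED_EXTENSION_ID = "nrwl.angular-console"
# Assumption: default per-user extension folders of VS Code and VS Code-compatible editors.
DEFAULT_DIRS = [
    ".vscode/extensions",
    ".vscode-server/extensions",
    ".vscode-oss/extensions",
    ".cursor/extensions",
]


def scan_extensions(root, ext_id=ASSUMED_EXTENSION_ID, bad_version=BAD_VERSION):
    """Return (folder, version, flagged) for each installed copy of ext_id under root."""
    hits = []
    root = Path(root)
    if not root.is_dir():
        return hits
    for manifest in sorted(root.glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep scanning
        if not isinstance(meta, dict):
            continue
        # Match on manifest fields, not the folder name, which can be renamed.
        found = f"{meta.get('publisher', '')}.{meta.get('name', '')}".lower()
        if found == ext_id.lower():
            version = str(meta.get("version", ""))
            hits.append((str(manifest.parent), version, version == bad_version))
    return hits


def scan_home(home=None):
    """Scan every assumed extension folder under one user's home directory."""
    home = Path(home) if home else Path.home()
    results = []
    for rel in DEFAULT_DIRS:
        results.extend(scan_extensions(home / rel))
    return results


if __name__ == "__main__":
    for folder, version, flagged in scan_home():
        print(("FLAGGED " if flagged else "ok      ") + f"{version:10} {folder}")
```

A flagged folder shows that version 18.95.0 was installed on that host. An empty result does not clear a host, because the extension may since have been updated or removed.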