GitHub disclosed unauthorized access to internal repositories, identifying a malicious VS Code extension on a developer's workstation as the attack vector. This follows a near-miss with the Nx Console extension (2.2M installs), which was backdoored and pulled within 11 minutes. The post argues that trusted, high-install-count extensions are now prime supply chain targets: an attacker needs the poisoned version live for only minutes, not days, to reach workstations that auto-update. Traditional EDR tools miss this attack surface because VS Code extensions and npm/PyPI packages are plain-text interpreted artifacts that run inside an already-trusted interpreter (VS Code, node, python), not new binaries that an EDR would inspect or block. Aikido Security promotes its Device Protection product, which blocks installation of recently published packages and extensions (a 48-hour hold by default) and checks every install against a live malware feed, so that such attacks are stopped at the workstation rather than after the code has run.
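As an added example (not Aikido's code and not from the post), the following shows how the two checks described above, a minimum publish-age hold and a malware-feed lookup, can be enforced from the metadata the npm registry already exposes for a package (its `dist-tags` and `time` fields). The registry document, the malware feed and the fixed clock are constructed stand-ins so the example runs offline; the package name, versions and timestamps are made up.

```python
"""Minimum-age install gate for npm packages (added example, not Aikido's code)."""
import json
from datetime import datetime, timedelta, timezone

DEFAULT_HOLD = timedelta(hours=48)

# Constructed sample registry document. Real npm registry responses
# (https://registry.npmjs.org/<name>) carry the same "dist-tags" and "time"
# keys; the package name, versions and timestamps here are made up.
SAMPLE_REGISTRY_DOC = json.loads("""
{
  "name": "example-cli-tool",
  "dist-tags": {"latest": "3.4.1"},
  "time": {
    "created": "2021-05-02T10:00:00.000Z",
    "modified": "2025-08-27T09:14:00.000Z",
    "3.3.9": "2025-05-20T08:00:00.000Z",
    "3.4.0": "2025-06-11T12:30:00.000Z",
    "3.4.1": "2025-08-27T09:14:00.000Z"
  }
}
""")

# Constructed stand-in for a live malware feed: name@version pairs known bad.
SAMPLE_MALWARE_FEED = {"example-cli-tool@3.3.9"}

# Fixed "current time" so the example is reproducible offline (assumption).
EXAMPLE_NOW = datetime(2025, 8, 28, 0, 0, tzinfo=timezone.utc)


def parse_registry_time(value):
    """npm timestamps are ISO 8601 with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_install(doc, requested, now, malware_feed, hold=DEFAULT_HOLD):
    """Decide whether `requested` (a version or a dist-tag such as 'latest') may be installed.

    Returns (allowed, resolved_version, reason). The feed is consulted before
    the age check so a known-bad version can never pass simply by being old.
    """
    name = doc["name"]
    version = doc.get("dist-tags", {}).get(requested, requested)
    key = f"{name}@{version}"
    if key in malware_feed:
        return False, version, f"{key} is on the malware feed"
    published = doc.get("time", {}).get(version)
    if published is None:
        # Unknown version: fail closed rather than guess at its age.
        return False, version, f"{key} has no publish timestamp"
    age = now - parse_registry_time(published)
    if age < hold:
        return False, version, f"{key} published {age} ago, inside the {hold} hold"
    return True, version, f"{key} published {age} ago, clears the {hold} hold"


def newest_cleared_version(doc, now, malware_feed, hold=DEFAULT_HOLD):
    """Fallback pin: the most recently published version that passes both checks.

    Ordered by publish time rather than semver so no version-parsing
    dependency is needed; returns None if nothing qualifies.
    """
    candidates = []
    for version, ts in doc.get("time", {}).items():
        if version in ("created", "modified"):
            continue
        allowed, _, _ = evaluate_install(doc, version, now, malware_feed, hold)
        if allowed:
            candidates.append((parse_registry_time(ts), version))
    return max(candidates)[1] if candidates else None


if __name__ == "__main__":
    for req in ("latest", "3.4.0", "3.3.9"):
        print(evaluate_install(SAMPLE_REGISTRY_DOC, req, EXAMPLE_NOW, SAMPLE_MALWARE_FEED))
    print("fallback pin:", newest_cleared_version(SAMPLE_REGISTRY_DOC, EXAMPLE_NOW, SAMPLE_MALWARE_FEED))
```

With the sample data, `latest` resolves to 3.4.1, published under 15 hours before the example clock, and is held; 3.4.0 clears the hold and becomes the fallback pin; 3.3.9 is old enough but is rejected by the feed. Resolving dist-tags before checking age matters because a backdoored release is usually pushed as the new `latest`, which is exactly what `npm install <name>` or an auto-updating extension would pull.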

4 min read. From aikido.dev
Table of contents:
Official no longer means safe to install immediately
How Aikido is solving this problem
EDR doesn't see this surface