The Wild West of VS Code extensions and how a poisoned extension breached GitHub
A poisoned VS Code extension (Nx Console, 2.2M installs) was live on the Visual Studio Marketplace for 18 minutes and on OpenVSX for 36 minutes on May 18, pushing malicious code to any user with auto-update enabled. The attack vector — a stolen GitHub token used to publish a malicious release — was the same mechanism used in the GitHub breach confirmed the following day, where attackers accessed ~4,000 internal repositories via a compromised VS Code extension on an employee's machine. The malicious Nx Console payload was 2,777 bytes injected into a minified JS file, fetching a 498 KB obfuscated dropper from an orphan commit. Marketplaces have no kill-switch for already-installed versions and send no notifications to affected users. The post recommends disabling auto-update or using a version-age delay policy (like Aikido's 48-hour hold) to reduce exposure to freshly published malicious releases.
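The version-age hold the post recommends can be expressed as a small gate: only install the newest version that has already been public for the hold period, and flag any installed version that is younger than that. This is an added example, not code from the post or from Aikido's product; the extension, release dates and version numbers are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

HOLD = timedelta(hours=48)  # minimum age a release must reach before install


@dataclass(frozen=True)
class Release:
    version: str
    published: datetime  # timezone-aware UTC timestamp from the marketplace


def version_key(version: str) -> tuple:
    # "1.10.2" sorts after "1.9.0"; non-numeric parts sort as 0
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def pick_version(releases, now: datetime, hold: timedelta = HOLD) -> Optional[str]:
    """Newest version that has been public for at least `hold`, or None.
    Anything younger is skipped, so a release that is pulled within minutes
    (as the Nx Console one was) never becomes eligible for install."""
    eligible = [r for r in releases if now - r.published >= hold]
    if not eligible:
        return None
    return max(eligible, key=lambda r: version_key(r.version)).version


def flag_installed(installed: str, releases, now: datetime, hold: timedelta = HOLD) -> bool:
    """True if the installed version is younger than the hold, i.e. auto-update
    already pulled a release the policy would have delayed; review it."""
    by_version = {r.version: r for r in releases}
    rel = by_version.get(installed)
    return rel is not None and now - rel.published < hold


# Constructed release history for a hypothetical extension (not Nx Console's).
NOW = datetime(2024, 5, 18, 12, 0, tzinfo=timezone.utc)
SAMPLE_RELEASES = [
    Release("1.9.0", NOW - timedelta(days=20)),
    Release("1.10.0", NOW - timedelta(days=3)),
    Release("1.10.1", NOW - timedelta(minutes=30)),  # just published, held back
]

if __name__ == "__main__":
    print("install:", pick_version(SAMPLE_RELEASES, NOW))            # 1.10.0
    print("review:", flag_installed("1.10.1", SAMPLE_RELEASES, NOW))  # True
```

Pair the gate with `extensions.autoUpdate` set to `false` in VS Code's settings, since the hold only helps if the client does not install new versions on its own.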
Table of contents
What happened with Nx Console
Auto-update is the actual problem
Why this keeps working
Once it lands on a machine, the marketplace can't help you
What to actually do
Aikido Device Protection