This is bad...


GitHub's internal repositories were compromised via a malicious VS Code extension (NX Console) installed by a GitHub employee. The attack exploited the VS Code extension marketplace's lack of security review together with its auto-update mechanism, allowing a poisoned extension to propagate within an 18-minute window. The root cause traces back to a contributor's GitHub token stolen in an earlier supply chain attack (the 'Shylet' worm wave). The author argues that Microsoft has systematically failed to address known weaknesses in the VS Code marketplace and the npm ecosystem, including inadequate update staging, no takedown/rollback flow, and no automated malicious package detection. Proposed fixes include automated auditing of popular package updates before distribution, a staging delay window before auto-updates propagate, a fast takedown mechanism with user notification, and a registry of compromised versions. The author is sharply critical of Microsoft for ignoring years of community warnings while smaller security firms such as Socket and Aikido consistently detect these attacks first.
