
HARDENED
Cybersecurity Intelligence
Daily Briefing  ·  Friday, May 22, 2026  ·  hardened.news
The signal. Not the noise. For teams that defend.
Lead Story
Critical — Developer Supply Chain · Source Code Exfiltration · Dev · Cloud+DevOps · Enterprise
TeamPCP Used the Nx Console Extension to Breach GitHub — 3,800 Internal Repositories Exfiltrated and Now on Sale for $50,000
GitHub confirmed on May 20, 2026 that a poisoned Nx Console — the same extension that targeted 2.2 million developer environments three days prior — reached a GitHub employee’s workstation and gave TeamPCP access to thousands of internal repositories now being offered for sale on a cybercrime forum.

TeamPCP confirmed what the Nx Console attack made possible: a GitHub employee opened a workspace with the poisoned extension installed, and the credential-harvesting payload ran. GitHub confirmed the breach on May 20, 2026 — 3,800 internal repositories were exfiltrated and are now being offered on a cybercrime forum for $50,000. The company states no customer repository data was accessed; its investigation remains open. TeamPCP has added GitHub’s own source code to a portfolio that already includes Aqua Trivy and Checkmarx’s KICS. Bleeping Computer → The Record →

The mechanism is the same one from three days ago: a developer workstation, a Marketplace-trusted extension, no monitoring between the install event and the credential drain. Organizations that have not yet audited which VS Code extensions are installed across engineering fleets should do so before treating credential rotation as the complete remediation — on macOS, the Nx Console payload dropped a Python backdoor designed to persist after credential rotation, and any machine that ran it should be treated as potentially compromised until verified clean. Aikido → StepSecurity →

→ Key Takeaway
The GitHub breach confirms that the Nx Console supply chain attack reached beyond individual developer machines — it provided TeamPCP with a foothold inside one of the most security-conscious companies in the industry, whose internal tooling and CI/CD configurations are now in an adversary’s hands. Credential rotation alone is insufficient if the extension ran on any machine with access to internal systems; an endpoint that executed the payload must be treated as potentially compromised until verified clean. Ask your security team whether developer workstations are enrolled in EDR coverage that would detect a VS Code extension making outbound connections to unknown hosts — and whether any engineer in your organization ran Nx Console 18.95.0 this week. HARDENED does not endorse or recommend specific vendors. Tools are listed for awareness only.
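The fleet audit the story asks for starts with an inventory of what each workstation actually has installed. The script below is an added example, not code from HARDENED, GitHub or the Nx project: it parses the output of `code --list-extensions --show-versions`, flags the Nx Console build named in the story, and lists anything outside an engineering allowlist. Two assumptions are labelled in the code: that the Marketplace identifier `nrwl.angular-console` is the Nx Console extension, and that 18.95.0 is the affected version; the sample output is constructed.

```python
"""Inventory VS Code extensions on a workstation and flag the Nx Console
build named in the story.  Added example; not code from HARDENED, GitHub
or the Nx project.  Assumptions (labelled): 'nrwl.angular-console' is the
Marketplace id of Nx Console, and 18.95.0 is the affected version."""
import shutil
import subprocess
from typing import Dict, List, Tuple

# Assumption: Marketplace id of Nx Console; the version is the one the story names.
FLAGGED = {"nrwl.angular-console": {"18.95.0"}}


def parse_extension_list(text: str) -> Dict[str, str]:
    """Parse `code --list-extensions --show-versions` output
    (one `publisher.name@version` per line) into {id: version}."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "@" not in line:
            continue
        ext_id, _, version = line.rpartition("@")
        found[ext_id.lower()] = version
    return found


def audit(installed: Dict[str, str], allowlist: List[str]) -> Tuple[List[str], List[str]]:
    """Return (flagged, unapproved): flagged are known-bad id@version pairs,
    unapproved are extension ids outside the engineering allowlist."""
    flagged = [f"{i}@{v}" for i, v in installed.items() if v in FLAGGED.get(i, set())]
    approved = {a.lower() for a in allowlist}
    unapproved = sorted(i for i in installed if i not in approved)
    return flagged, unapproved


def live_extension_list() -> str:
    """Run the real `code` CLI if it is on PATH; returns '' when unavailable."""
    code = shutil.which("code")
    if not code:
        return ""
    return subprocess.run([code, "--list-extensions", "--show-versions"],
                          capture_output=True, text=True, check=False).stdout


# Constructed sample output, standing in for a real workstation.
SAMPLE = """\
ms-python.python@2026.4.0
nrwl.angular-console@18.95.0
esbenp.prettier-vscode@11.0.0
"""

if __name__ == "__main__":
    text = live_extension_list() or SAMPLE
    flagged, unapproved = audit(parse_extension_list(text),
                                allowlist=["ms-python.python", "esbenp.prettier-vscode"])
    print("flagged:", flagged)
    print("unapproved:", unapproved)
```

Run it per workstation through your endpoint management tooling and collect the two lists centrally; a flagged hit is a machine to treat as potentially compromised, not merely one to rotate credentials on.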
Quick Hits
01
Two Microsoft Defender Flaws Under Active Exploitation — CISA KEV Confirmed; Auto-Update Should Have Patched Most Systems

CISA added CVE-2026-41091 (Microsoft Malware Protection Engine link-following LPE, CVSS 7.8) and CVE-2026-45498 (Defender Antimalware Platform network DoS, CVSS 7.5) to the Known Exploited Vulnerabilities catalog on May 20, 2026, confirming active in-the-wild exploitation. CVE-2026-45498 can be triggered remotely without authentication to disable Defender; CVE-2026-41091 requires local access and elevates privileges locally by exploiting an improper link-resolution path in the Malware Protection Engine. An attacker with any local foothold on a machine where Defender has been remotely silenced faces no endpoint defence standing between them and full system control. Defender’s default auto-update behaviour means most enterprise systems running Engine 1.1.26040.8 and Platform 4.18.26040.7 or later are already protected — ask your team to confirm no managed endpoints have auto-update disabled or are running air-gapped configurations. Help Net Security → CISA KEV →

High — Endpoint Defence Bypass · IT Ops · Enterprise
CVE Watch
CVE-2026-46333 (ssh-keysign-pwn, Linux Kernel, CVSS 7.1): Ptrace Race Condition Exposes SSH Host Keys and Root Password Hashes — Patches Available Across All Major Distributions

A race condition in the Linux kernel’s ptrace subsystem — disclosed by Qualys on May 20, 2026 and tracked as CVE-2026-46333 — allows any unprivileged local user to read root-owned secrets from exiting setuid processes; demonstrated attack paths target four system binaries: ssh-keysign (exposing SSH host private keys), chage (exposing /etc/shadow password hashes), and both pkexec and accounts-daemon (yielding arbitrary root command execution). The vulnerability spans Linux kernels from v4.10 (November 2016) through the upstream fix committed May 14, 2026, and affects default installations of Debian 13, Ubuntu 24.04 and 26.04, Fedora, Red Hat, SUSE, and AlmaLinux — all of which have released patches. Qualys coordinated the disclosure and withheld its own four exploit variants; independent third-party exploits have since been published and are available publicly. Any system where an attacker has achieved initial access as a low-privilege user should be treated as at risk of full root compromise until patched; confirm with your infrastructure team that kernel package updates have been applied and that production hosts have been rebooted to load the new kernel. Qualys → NIST NVD →

Vendor: Linux Kernel  ·  CVE: CVE-2026-46333  ·  CVSS: 7.1 (High)  ·  Affected: Linux kernel v4.10 (Nov 2016) through May 14, 2026 fix — all major distributions  ·  Fix: Patches available; reboot required to load updated kernel  ·  Exploitation: Third-party exploits publicly available; Qualys coordinated disclosure May 20, 2026
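Both Quick Hits items end in the same question for the infrastructure team: is the fixed build actually running? The following is an added example, not code from HARDENED, Microsoft or Qualys. It compares Defender engine and platform versions against the fixed builds named above, and checks a Linux host for a pending reboot (a newer kernel installed than the one running). Assumptions: the Defender strings are taken from `Get-MpComputerStatus` (its `AMEngineVersion` and `AMProductVersion` properties), the kernel strings from `uname -r` and the installed kernel packages, and no distribution-specific fixed kernel version is claimed, since the page gives none.

```python
"""Patch-level checks: Defender engine/platform versions against the fixed
builds the story names, and a Linux 'reboot pending' check.  Added example,
not code from HARDENED, Microsoft or Qualys.  Assumption: version strings
come from Get-MpComputerStatus on Windows and uname -r / the installed
kernel packages on Linux."""
import re
from typing import List, Tuple

# Fixed builds named in the story ("or later").
MIN_ENGINE = "1.1.26040.8"
MIN_PLATFORM = "4.18.26040.7"


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric ordering for dotted or dashed versions.  A plain string
    comparison would rank '1.1.9999.0' above '1.1.26040.8'."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def at_least(actual: str, minimum: str) -> bool:
    """True when `actual` is the same as or newer than `minimum`."""
    a, m = version_key(actual), version_key(minimum)
    width = max(len(a), len(m))
    # Pad the shorter tuple so '4.18' compares as '4.18.0.0'.
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


def defender_patched(engine: str, platform: str) -> bool:
    """Both components must meet the fixed builds; one alone is not enough."""
    return at_least(engine, MIN_ENGINE) and at_least(platform, MIN_PLATFORM)


def reboot_pending(running: str, installed: List[str]) -> bool:
    """True when a newer kernel is installed than the one running, i.e. the
    package update landed but the host has not yet been rebooted."""
    newest = max(installed, key=version_key)
    return version_key(newest) > version_key(running)


if __name__ == "__main__":
    # Constructed sample values, not readings from a real host.
    print(defender_patched("1.1.26040.8", "4.18.26040.7"))   # True
    print(defender_patched("1.1.26030.3", "4.18.26040.7"))   # False: engine behind
    print(reboot_pending("6.8.0-58-generic",
                         ["6.8.0-58-generic", "6.8.0-60-generic"]))  # True
```

The reboot check matters for CVE-2026-46333 specifically: a patched kernel package on disk protects nothing until the host loads it, so an inventory that reports package versions alone will overstate coverage.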
Compliance Tip of the Day
NIST CSF 2.0 — DE.CM-09 — Detect: Continuous Monitoring
Developer Workstations Are Monitored Endpoints Too — DE.CM-09 Does Not Stop at the Server Room

NIST DE.CM-09 requires that computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events — a standard most organizations apply to servers and network infrastructure but rarely extend to developer workstations or the extensions installed on them. The GitHub breach was executed through a single endpoint whose extension activity and outbound connections were invisible to every perimeter and server-side control in place. Concrete action (DE.CM-09): Direct your IT and security teams to confirm that developer workstations are enrolled in EDR coverage with extension installation logging enabled, and that outbound network connections from workstation processes are subject to the same anomaly detection applied to server and cloud workload traffic. NIST CSF 2.0 reference: csf.tools/de-cm-09.
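What "extension installation logging" and "anomaly detection on workstation traffic" look like in practice is a review over process-level telemetry. The script below is an added example, not HARDENED's or NIST's code: it reads EDR-style connection and install events and flags VS Code extension-host connections to destinations outside an expected set. The event format (JSON lines with ts, host, type, process, cmdline, dest), the destination allowlist and the sample log are all constructed for illustration, and identifying the extension host by a `--type=extensionHost` argument is an assumption about how VS Code launches it.

```python
"""DE.CM-09 on developer workstations: flag VS Code extension-host
processes connecting to unexpected destinations, and surface extension
install events for review.  Added example, not HARDENED's or NIST's code.
Assumptions (labelled): the JSON-lines event format and allowlist are
constructed; the extension host is identified by --type=extensionHost."""
import json
from typing import Dict, Iterable, Iterator, List, Set

# Illustrative allowlist of destinations VS Code itself legitimately reaches.
EXPECTED_DESTS: Set[str] = {
    "marketplace.visualstudio.com",
    "update.code.visualstudio.com",
    "github.com",
}


def is_extension_host(event: Dict) -> bool:
    """Assumption: VS Code passes --type=extensionHost to the helper
    process that runs extension code."""
    return "--type=extensionHost" in event.get("cmdline", "")


def outbound_anomalies(events: Iterable[Dict], expected: Set[str] = EXPECTED_DESTS) -> List[Dict]:
    """Connection events from the extension host whose destination is not
    in the expected set.  Other processes are left to their own baselines."""
    flagged = []
    for ev in events:
        if ev.get("type") != "net_connect" or not is_extension_host(ev):
            continue
        dest = ev.get("dest", "").lower()
        if dest not in expected:
            flagged.append({"ts": ev["ts"], "host": ev["host"], "dest": dest})
    return flagged


def extension_installs(events: Iterable[Dict]) -> List[str]:
    """Install events, as 'ts host extension-id', for comparison against
    the fleet allowlist."""
    return [f'{ev["ts"]} {ev["host"]} {ev["cmdline"].split()[-1]}'
            for ev in events if ev.get("type") == "ext_install"]


def parse_events(text: str) -> Iterator[Dict]:
    """One JSON object per non-empty line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


# Constructed telemetry; not from any real incident.  The .invalid TLD and
# the extension id are placeholders.
SAMPLE_LOG = """\
{"ts":"2026-05-17T09:12:01Z","host":"dev-laptop-17","type":"net_connect","process":"Code Helper","cmdline":"/Applications/Visual Studio Code.app/... --type=extensionHost","dest":"marketplace.visualstudio.com"}
{"ts":"2026-05-17T09:12:44Z","host":"dev-laptop-17","type":"net_connect","process":"Code Helper","cmdline":"... --type=extensionHost","dest":"files.example-collector.invalid"}
{"ts":"2026-05-17T09:13:02Z","host":"dev-laptop-17","type":"net_connect","process":"curl","cmdline":"curl https://api.github.com","dest":"api.github.com"}
{"ts":"2026-05-17T09:13:30Z","host":"dev-laptop-17","type":"ext_install","process":"Code","cmdline":"code --install-extension publisher.example-extension","dest":""}
"""

if __name__ == "__main__":
    events = list(parse_events(SAMPLE_LOG))
    for hit in outbound_anomalies(events):
        print("extension host -> unexpected destination:", hit)
    for install in extension_installs(events):
        print("extension installed:", install)
```

The allowlist approach is deliberately narrow: the extension host has a small, stable set of legitimate destinations, so an unexpected one is a strong signal, whereas a curl or browser process on the same machine needs a different baseline.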

On Our Radar

UEFI Secure Boot KEK certificate expiry — June 24, 2026: Microsoft’s Corporation KEK CA 2011 expires June 24, 2026; the UEFI CA 2011 follows June 27 and the Windows Production PCA 2011 in October 2026. Organizations should confirm firmware is receiving updates and test any dual-boot Linux configurations before the June 24 deadline. HARDENED has been tracking this since Issue #039; Microsoft’s update guidance is at Microsoft Support →


This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment.

How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is reviewed by humans before publication. If you spot an error, reply directly — we correct the record promptly.
