{"vulnerability": "GHSA-c9j4-9m59-847w", "sightings": [{"uuid": "8d8e35c7-4bb7-45d6-a6ab-8ebaf4af7346", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-c9j4-9m59-847w", "type": "seen", "source": "https://github.blog/security/investigating-unauthorized-access-to-githubs-internal-repositories/", "content": "On Monday May 18, we detected and contained a compromise of an employee device involving a poisoned VS Code extension published by a third party. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.\n\n\n\n\nOur current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker\u2019s current claims of ~3,800 repositories are directionally consistent with our investigation so far.\n\n\n\n\nWe have no evidence of impact to customer information stored outside of GitHub\u2019s internal repositories, such as our customer\u2019s own enterprises, organizations, and repositories. Some of GitHub\u2019s internal repositories contain information from customers, for example, excerpts of support interactions. If any impact is discovered, we will notify customers via established incident response and notification channels.\n\n\n\n\nWe moved quickly to reduce risk. We rotated critical secrets Monday and into Tuesday with the highest-impact credentials prioritized first.\n\n\n\n\nWe continue to analyze logs, validate secret rotation, and monitor our infrastructure for any follow-on activity. We will take additional action as the investigation warrants.\n\n\n\n\nWe will publish a fuller report once the investigation is complete.\n\nThe post Investigating unauthorized access to GitHub&#8217;s internal repositories appeared first on The GitHub Blog.", "creation_timestamp": "2026-05-20T19:07:38.000000Z"}, {"uuid": "36728957-67f4-4e4a-8cef-765a2360a3e0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-c9j4-9m59-847w", "type": "seen", "source": "https://bsky.app/profile/tech-trending.bsky.social/post/3mmeahvo27p2m", "content": "Compromised Nx Console version 18.95.0 \nhttps://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w", "creation_timestamp": "2026-05-21T10:45:20.133244Z"}, {"uuid": "b4ba38dd-cf20-41b6-8f27-fef06f72d473", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-c9j4-9m59-847w", "type": "seen", "source": "https://infosec.exchange/users/decio/statuses/116613650874522243", "content": "Confirmed\n\"On Monday May 18, we detected and contained a compromise of an employee device involving a poisoned VS Code extension published by a third party. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.\"\u2b07\ufe0f https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w\ud83d\udc47 https://github.blog/security/investigating-unauthorized-access-to-githubs-internal-repositories/", "creation_timestamp": "2026-05-21T17:05:00.998652Z"}]}