GitHub has warned of unauthorized access to its internal repositories. The attack resulted from a compromise of an employee's workstation after they installed a new version of a VS Code extension containing malicious code. Details will be released after the investigation is complete. According to preliminary reports, user information stored outside of GitHub's internal repositories was not compromised. The attack was limited to a leak of information from approximately 3800 internal repositories owned by GitHub.
The exact VS Code add-on installed was not specified. Among recent attacks on VS Code users, yesterday's incident involving the Nx Console add-on, which has 2.2 million installations, was notable. Attackers intercepted the GitHub account login information of one of the Nx Console developers and published a new release, 18.95.0, containing malicious code designed to steal sensitive data, such as passwords and access tokens for GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password. The malicious release was posted to the Visual Studio Marketplace on May 19 at 15:30 and removed at 15:48 (Moscow time).
It's also worth noting the May 11 compromise of two workstations belonging to OpenAI employees who installed malicious updates to TanStack NPM packages containing a self-propagating worm. The malicious versions were published as a result of an attack on the TanStack project's GitHub Actions release process. As a result of the worm's activity, credentials and access keys found on the compromised computers of OpenAI employees were sent to the attackers' server. It is noted that the compromised systems had limited access to some internal OpenAI repositories, which, among other things, stored certificates for digitally signing products for the Windows, macOS, iOS and Android platforms. Following the discovery of the issue, OpenAI initiated the process of replacing the certificates used to digitally sign ChatGPT Desktop, Codex App, Codex CLI, and Atlas.
Interestingly, this isn't the first such incident at OpenAI. Employees' systems were also infected with malware in April after installing a malicious release of the Axios NPM package, which attackers managed to publish by intercepting the credentials of the lead maintainer. Following this incident, protection against malicious dependencies was deployed on developers' computers, but it had not been installed on the systems of the employees subsequently compromised via TanStack.
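A common thread in the Nx Console, TanStack and Axios cases is that the malicious release was the newest version available for a short window before it was pulled. One defensive control that targets exactly that window is a dependency "cooldown": refuse to install any version published less than N days ago unless it has been explicitly reviewed. The script below is an added example written for this article, not code from GitHub, OpenAI, Nx, TanStack or Axios. The lockfile and the registry publish timestamps are constructed stand-ins; in practice the timestamps would come from `npm view <package> time --json` and the versions from the project's real package-lock.json. The package names and versions used here are hypothetical.

```python
"""Dependency cooldown audit for an npm lockfile (added defensive example).

A freshly published package version is the riskiest moment in a supply-chain
attack: the malicious releases discussed above were live for minutes to hours
before removal. This audit flags any pinned version younger than a cooldown
window, and fails closed when a version is unknown to the registry data.

All input data below is CONSTRUCTED for the example.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for `npm view <name> time --json` (ISO-8601 publish times).
# Package names/versions are hypothetical and do not describe real releases.
REGISTRY_PUBLISH_TIMES = {
    "axios": {
        "1.6.8": "2024-03-15T10:00:00Z",
        "1.99.0": "2025-05-31T12:30:00Z",   # "published yesterday" in the scenario
    },
    "@tanstack/react-query": {
        "5.40.0": "2024-05-20T09:00:00Z",
    },
}

# Constructed package-lock.json (lockfileVersion 3: "packages" keyed by path).
LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/axios": {"version": "1.99.0"},
        "node_modules/@tanstack/react-query": {"version": "5.40.0"},
        "node_modules/left-pad": {"version": "1.3.0"},   # absent from registry data
    },
})


def lockfile_versions(lock_json: str) -> dict:
    """Map package name -> pinned version from a lockfileVersion 3 document."""
    data = json.loads(lock_json)
    versions = {}
    for path, meta in data.get("packages", {}).items():
        if not path:            # "" is the root project itself, not a dependency
            continue
        # Nested installs look like node_modules/a/node_modules/b; keep the leaf.
        name = path.split("node_modules/")[-1]
        versions[name] = meta["version"]
    return versions


def audit_cooldown(lock_json, publish_times, now, cooldown_days=7, allowlist=frozenset()):
    """Return [(name, version, age_days)] for pins that violate the cooldown.

    age_days is None when the version has no publish record (treated as a
    violation: unknown provenance fails closed). (name, version) pairs in
    allowlist are skipped, which is how a reviewed new release is admitted.
    """
    violations = []
    cutoff = now - timedelta(days=cooldown_days)
    for name, version in lockfile_versions(lock_json).items():
        if (name, version) in allowlist:
            continue
        published = publish_times.get(name, {}).get(version)
        if published is None:
            violations.append((name, version, None))
            continue
        ts = datetime.fromisoformat(published.replace("Z", "+00:00"))
        if ts > cutoff:
            age_days = round((now - ts).total_seconds() / 86400, 2)
            violations.append((name, version, age_days))
    return violations


if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)   # constructed "today"
    for name, version, age in audit_cooldown(LOCKFILE, REGISTRY_PUBLISH_TIMES, now):
        reason = "no publish record" if age is None else f"published {age} days ago"
        print(f"BLOCK {name}@{version}: {reason}")
```

Run as a pre-install step in CI, a non-empty result should fail the build; admitting a new version then becomes a deliberate, reviewed act (adding it to the allowlist) rather than something that happens automatically the moment a maintainer's account is abused.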
Source: opennet.ru
