VYPR
Published May 24, 2026 · 1 source

Week in Review: GitHub Breached via Poisoned VS Code Extension, Critical NGINX Flaw Exploited

TeamPCP breached GitHub's internal codebase by poisoning a VS Code extension, while a critical NGINX vulnerability was actively exploited in the wild.

This week's cybersecurity news was dominated by two major incidents: a sophisticated supply-chain attack on GitHub's own infrastructure and the active exploitation of a critical NGINX vulnerability. TeamPCP, a threat actor, successfully breached GitHub's internal code repositories by poisoning a Visual Studio Code extension, compromising private source code. Separately, a 16-year-old heap buffer overflow in NGINX (CVE-2026-42945) saw proof-of-concept exploit code released and subsequent in-the-wild exploitation, prompting urgent patching advisories.

The GitHub breach unfolded when TeamPCP claimed they had accessed the company's private repositories. Microsoft-owned GitHub launched an investigation and confirmed the compromise, attributing the intrusion to a poisoned VS Code extension. The attack vector highlights the growing risk of supply-chain attacks targeting developer tools, as malicious extensions can bypass traditional security controls and gain access to sensitive internal systems. GitHub has since implemented additional safeguards, but the incident underscores the vulnerability of even the most security-conscious organizations to such tactics.

Meanwhile, the critical NGINX vulnerability, CVE-2026-42945, has been under active exploitation following the release of a public proof-of-concept. The flaw, a heap buffer overflow in the NGINX rewrite module, affects over 5.7 million internet-exposed servers. F5, which maintains NGINX, has released patches, and administrators are urged to apply them immediately to prevent denial of service or remote code execution. The exploit allows unauthenticated attackers to crash worker processes or potentially execute arbitrary code, making it a high-priority threat for organizations that rely on NGINX as a web server or reverse proxy.

In other news, researchers developed AccLock, a continuous authentication system that uses earbud sensors to identify users by the unique vibrations of their heartbeat. This innovation could provide a seamless and secure method for user verification, particularly in environments where traditional authentication methods are impractical. The system leverages the tiny vibrations generated by the heartbeat, captured by sensors in wireless earbuds, to create a biometric profile that is difficult to spoof.

The week also saw a flurry of security updates from major vendors. Microsoft's May 2026 Patch Tuesday addressed 137 vulnerabilities, including 31 critical flaws, though none were reported as actively exploited. SAP released 15 security notes, fixing critical code injection vulnerabilities in S/4HANA and Commerce Cloud. Fortinet patched critical remote code execution flaws in FortiSandbox and FortiAuthenticator, while Ivanti, VMware, and n8n also released updates for critical vulnerabilities.

Supply-chain attacks continued to make headlines, with a Packagist campaign infecting eight Composer packages with malware hosted on GitHub Releases. The attack targeted both PHP and JavaScript projects, demonstrating the interconnected nature of modern software dependencies. Additionally, the Megalodon campaign poisoned over 5,500 GitHub repositories in a six-hour automated attack, hiding credential-stealing code in the Tiledesk npm package.

These incidents collectively highlight the persistent and evolving threat landscape. The GitHub breach and NGINX exploitation serve as stark reminders that no organization is immune to sophisticated attacks, and that timely patching and robust supply-chain security measures are critical. As threat actors increasingly target developer tools and open-source ecosystems, the cybersecurity community must remain vigilant and proactive in defending against these emerging threats.

Synthesized by Vypr AI