Hacker News: vldszn

New comment by vldszn in "Nx Console VS Code extension was the initial access vector in the GitHub breach"

vldszn — Thu, 21 May 2026 01:20:20 +0000

Per security advisory on GitHub:

Root Cause

One of our developers was compromised by a recent supply-chain compromise on Tanstack, which leaked their GitHub credentials through the GitHub CLI (gh). This allowed the attacker to run workflows on our GitHub repository as a contributor.

Nx Console VS Code extension was the initial access vector in the GitHub breach

vldszn — Thu, 21 May 2026 01:20:20 +0000

Article URL: https://twitter.com/jeffbcross/status/2057236396658811020

Comments URL: https://news.ycombinator.com/item?id=48216614

Points: 1

# Comments: 1

New comment by vldszn in "GitHub confirms breach of 3,800 repos via malicious VSCode extension"

vldszn — Thu, 21 May 2026 01:11:19 +0000

UPD: it’s confirmed now by the CEO of Nx https://x.com/jeffbcross/status/2057236396658811020?s=46&t=_...

New comment by vldszn in "DOS Zone"

vldszn — Wed, 20 May 2026 23:41:37 +0000

so cool!

New comment by vldszn in "GitHub confirms breach of 3,800 repos via malicious VSCode extension"

vldszn — Wed, 20 May 2026 22:36:25 +0000

New comment by vldszn in "GitHub is investigating unauthorized access to their internal repositories"

vldszn — Wed, 20 May 2026 20:34:44 +0000

UPD: disable auto-updates for extensions in VS Code/Cursor!

New comment by vldszn in "GitHub confirms breach of 3,800 repos via malicious VSCode extension"

vldszn — Wed, 20 May 2026 20:32:28 +0000

friendly reminder:

- disable auto-updates for extensions in VS Code/Cursor

- use static analysis for GitHub Actions to catch security issues in pre-commit hook and on ci: https://github.com/zizmorcore/zizmor

- set locally: pnpm config set minimum-release-age 4320 # 3 days in minutes https://pnpm.io/supply-chain-security

- for other package managers check: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e...

- add Socket Free Firewall when installing npm packages on CI to catch malware https://docs.socket.dev/docs/socket-firewall-free#github-act...

New comment by vldszn in "GitHub confirms breach of 3,800 repos via malicious VSCode extension"

vldszn — Wed, 20 May 2026 19:35:13 +0000

There are rumours that was NX Console VS code extension

https://github.com/nrwl/nx-console/security/advisories/GHSA-...

https://www.stepsecurity.io/blog/nx-console-vs-code-extensio...

New comment by vldszn in "GitHub is investigating unauthorized access to their internal repositories"

vldszn — Wed, 20 May 2026 12:28:23 +0000

fair point

New comment by vldszn in "GitHub is investigating unauthorized access to their internal repositories"

vldszn — Wed, 20 May 2026 04:21:37 +0000

Disabling vscode/cursor extensions auto-updates also makes sense

New comment by vldszn in "GitHub is investigating unauthorized access to their internal repositories"

vldszn — Wed, 20 May 2026 03:06:55 +0000

Nice

New comment by vldszn in "Gemini Omni"

vldszn — Wed, 20 May 2026 03:04:58 +0000

When I click the link, the website crashes on my iPhone 13 iOS Chrome lol

New comment by vldszn in "GitHub is investigating unauthorized access to their internal repositories"

vldszn — Wed, 20 May 2026 02:25:35 +0000

You are welcome! Recently discovered it and found it genuinely useful. Fixed a bunch of issues in my workflows too :)

New comment by vldszn in "GitHub is investigating unauthorized access to their internal repositories"

vldszn — Wed, 20 May 2026 02:10:42 +0000

Exactly =)

New comment by vldszn in "GitHub is investigating unauthorized access to their internal repositories"

vldszn — Wed, 20 May 2026 02:09:41 +0000

Makes sense tbh :)

New comment by vldszn in "GitHub is investigating unauthorized access to their internal repositories"

vldszn — Wed, 20 May 2026 00:56:25 +0000

GitHub: "We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity."

New comment by vldszn in "GitHub is investigating unauthorized access to their internal repositories"

vldszn — Wed, 20 May 2026 00:43:33 +0000

Maybe zizmor could catch this https://github.com/zizmorcore/zizmor but not sure 100%

New comment by vldszn in "GitHub is investigating unauthorized access to their internal repositories"

vldszn — Wed, 20 May 2026 00:34:17 +0000

- Use Static analysis for GHA to catch security issues: https://github.com/zizmorcore/zizmor

- set locally: pnpm config set minimum-release-age 4320 # 3 days in minutes https://pnpm.io/supply-chain-security for other package managers check: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e...

- add Socket Free Firewall when installing npm packages on CI https://docs.socket.dev/docs/socket-firewall-free#github-act...

New comment by vldszn in "Postmortem: TanStack npm supply-chain compromise"

vldszn — Tue, 12 May 2026 01:47:42 +0000

Recommend adding this globally:

pnpm config set minimum-release-age 10080 # 7 days in minutes

https://pnpm.io/supply-chain-security#delay-dependency-updat...

New comment by vldszn in "Show HN: Tolaria – Open-source macOS app to manage Markdown knowledge bases"

vldszn — Fri, 24 Apr 2026 13:37:38 +0000

looks very good! love this