GitHub Tells Self-Hosted Admins to Rotate Keys
Company Pushes Key Rotation After 3,800 Repositories Compromised
Greg Sirico • May 26, 2026
Hacked code repository GitHub warned administrators of self-hosted git servers to rotate public encryption keys following a May 18 incident involving a poisoned VS Code extension used by an employee.
The Microsoft-owned code repository earlier this month traced the theft of roughly 3,800 internal repositories to a vulnerability in the Nx Console VS Code extension (see: GitHub Hacked, Internal Repositories Offered for Sale).
GitHub CISO Alexis Wales in a Tuesday update said the repository is rotating all keys, including the GitHub Enterprise Server signing key, meaning that self-hosted administrators will need to rotate their keys as well. A compromised version of Nx Console went live in the Visual Studio Marketplace for 18 minutes before being taken down, an Nx developer disclosed May 19.
GitHub has said that it found "no evidence" of compromise in customer or enterprise-level repositories. Even so, GitHub quickly acknowledged the presence of customer-related information in some internal repositories, such as "excerpts of support interactions."
"Some of GitHub’s internal repositories contain information from customers… If any impact is discovered, we will notify customers via established incident response and notification channels."
Threat actor TeamPCP took responsibility for the supply chain attack. The threat actor, which emerged in mid-2025, specializes in supply-chain attacks against open-source software. In cooperation with the Lapsus$ extortion gang, it is currently selling the stolen GitHub data for $95,000.
GitHub said it plans on releasing a "fuller report" on the incident once investigations and analysis are complete.
The hack highlights how third-party code has become a mounting software supply chain vulnerability, especially in an era of continuous integration and continuous deployment. "Trust, not sophistication, is what makes attacks like Nx Console, Durable Task Python SDK, and the Mini Shai-Hulud campaign across the AntV ecosystem work," wrote Aikido Security, highlighting recent software repository attacks.
"These are not sketchy packages and extensions from unknown publishers. They are tools developers use without thinking twice, precisely because it has the install count, the verified publisher badge, and the marketplace legitimacy that signal safety," it said.
"That signal is now the target."
With reporting by ISMG's David Perera in Northern Virginia.