GitHub as a new malware distribution channel
GitHub malware distribution refers to attackers abusing developer platforms and ecosystems—such as repositories, extensions, and CI/CD workflows—to stealthily spread malicious code and backdoors through tools that developers already trust and install in their daily work. This trend has turned GitHub into an attractive target for supply chain attacks that piggyback on auto-updates, open-source dependencies, and shared workflows. Recent incidents show how a single poisoned VS Code extension or infected workflow can jump from one developer machine to thousands of downstream projects in hours. Threat groups no longer need to break in through perimeter defenses when they can compromise the tools developers rely on. For security teams, this transforms GitHub and similar platforms from neutral infrastructure into active attack surfaces that must be monitored and defended like any other critical system.

The Nx Console incident and the danger of poisoned VS Code extensions
The GitHub breach driven by a poisoned VS Code extension highlights how supply chain attacks can start with one compromised developer. Threat actors tampered with Nx Console, an extension with 2.2 million installs, publishing a malicious version 18.95.0 that was live on the Visual Studio Marketplace for about 18 minutes. According to CISA, this version rode VS Code’s automatic update mechanism, silently reaching systems that already had Nx Console installed and leading to unauthorized access and exfiltration of roughly 3,800 internal GitHub repositories. The malicious build harvested tokens from services including GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password, and even targeted Claude Code configuration files. TeamPCP then used the stolen CI/CD credentials and tokens to push further infected packages and workflows. This single poisoned VS Code extension became an entry point into multiple developer security threats across the ecosystem.

Fake AI installers and Deno-based RATs hijacking developer machines
Attackers are also abusing fake AI installers to reach developers and power users. Malicious repositories on GitHub and SourceForge pose as installers for tools like ChatGPT and Claude, but instead distribute the DinDoor backdoor and a Deno-based remote access Trojan. Compromised YouTube channels with AI-generated videos drive victims to these repositories, where they are instructed to run terminal commands that fetch MSI or PowerShell scripts. Those scripts install Scoop, WinGet, and the legitimate Deno runtime, then use Deno to pull DinDoor and run the next-stage payload entirely in memory. The RAT can execute commands, run PowerShell, capture screenshots, manage files, and create SOCKS5 proxy tunnels, while its stealer module targets more than 50 crypto wallets and browser extensions. This pattern turns fake AI installers into powerful GitHub malware distribution lures that blend social engineering with advanced infection chains.

Megalodon workflows and the wider supply chain attack surface
Beyond poisoned extensions and fake AI installers, attackers are modifying CI/CD workflows themselves. In the Megalodon campaign, malicious GitHub Action workflows were injected into public repositories to harvest CI/CD secrets, cloud credentials, and tokens. This approach attacks both development and deployment pipelines, letting threat actors move from code to cloud with minimal friction. The same ecosystem has seen TeamPCP’s self-replicating Mini Shai-Hulud worm compromise hundreds of npm packages in a single wave, and later call Fulcio and Rekor at runtime to generate valid Sigstore certificates for attacker-controlled builds. These cases show that provenance alone cannot guarantee trust when the build chain belongs to the attacker. Developers and organizations must treat workflows, bots, and automation accounts—such as build-bot or ci-bot—as potential attack vectors, auditing their commits and pull requests with the same care given to human contributors.
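
One way to run the workflow audit described above, as an added example that is not part of the original article: it parses `git log --name-only` output and flags commits that touch `.github/workflows/` when the author is not on an approved list. The sample log, the e-mail addresses and the approved list are constructed assumptions.

```python
# Input format: git log --name-only --format='@@%H%x09%an%x09%ae'
import sys

WORKFLOW_DIR = ".github/workflows/"
# Assumption: commit e-mails of the people allowed to change workflows.
APPROVED_WORKFLOW_AUTHORS = {"alice@example.com"}

# Constructed sample log (hashes, names and paths are made up).
SAMPLE_LOG = (
    "@@1111111\talice\talice@example.com\n\n"
    ".github/workflows/ci.yml\nREADME.md\n\n"
    "@@2222222\tbuild-bot\tbuild-bot@example.com\n\n"
    ".github/workflows/release.yml\n\n"
    "@@3333333\tci-bot\tci-bot@example.com\n\npackage.json\n"
)


def parse_log(text):
    """Yield (sha, name, email, paths) for each commit in the log text."""
    commit = None
    for line in text.splitlines():
        if line.startswith("@@"):
            if commit:
                yield commit
            sha, name, email = line[2:].split("\t", 2)
            commit = (sha, name, email, [])
        elif line.strip() and commit:
            commit[3].append(line.strip())
    if commit:
        yield commit


def suspicious_workflow_commits(text, approved=APPROVED_WORKFLOW_AUTHORS):
    """Return commits touching workflow files whose author is not approved."""
    findings = []
    for sha, name, email, paths in parse_log(text):
        touched = [p for p in paths if p.startswith(WORKFLOW_DIR)]
        if touched and email.lower() not in approved:
            findings.append({"sha": sha, "author": name, "files": touched})
    return findings


if __name__ == "__main__":
    log = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for f in suspicious_workflow_commits(log):
        print(f"REVIEW {f['sha']} by {f['author']}: {', '.join(f['files'])}")
```

The author name and e-mail in a commit are set by whoever created it, so the approved list works as a review filter rather than proof of identity.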

Detection and mitigation: protecting developers from supply chain threats
Defending against these supply chain attacks requires layered controls around GitHub and development environments. Organizations should monitor extensions like Nx Console for unusual updates, enforce extension allowlists in VS Code, and disable automatic updates where central testing is not in place. Workflow files and automation accounts need regular audits, with unauthorized changes quickly reverted. Endpoint and application security tools that scan for anomalous installers or runtime behavior—such as Perplexity’s Bumblebee malware scanner—can help block fake AI installers and RAT payloads before they compromise systems. Developers should avoid running copy-pasted terminal commands from unverified videos or repositories, and verify project URLs and signatures. Centralized secrets management, short-lived tokens, and strict least-privilege policies limit damage when a single extension or workflow is poisoned. Taken together, these practices reduce developer security threats and help contain GitHub malware distribution campaigns before they spread downstream.
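
An added example (not from the original article) of the extension control described above: it compares the output of `code --list-extensions --show-versions` with a centrally tested allowlist and reports extensions that are unapproved or running a version that was never tested, which is how an automatically updated build would show up. The extension IDs, versions and allowlist are constructed placeholders.

```python
import subprocess

# Assumption: centrally tested extension versions, keyed by lowercase ID.
# IDs and versions are constructed placeholders, not real extensions.
TESTED = {
    "examplecorp.build-console": {"2.4.0", "2.4.1"},
    "examplecorp.linter": {"1.0.3"},
}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_LISTING = """\
examplecorp.build-console@2.5.0
ExampleCorp.Linter@1.0.3
unknownpub.ai-helper@0.0.9
"""


def parse_listing(text):
    """Return {extension_id: version} from publisher.name@version lines."""
    installed = {}
    for line in text.splitlines():
        ext_id, sep, version = line.strip().rpartition("@")
        if sep and ext_id and version:
            installed[ext_id.lower()] = version
    return installed


def audit(listing, tested=TESTED):
    """Return sorted (extension_id, version, reason) for each violation."""
    findings = []
    for ext_id, version in parse_listing(listing).items():
        if ext_id not in tested:
            findings.append((ext_id, version, "not on allowlist"))
        elif version not in tested[ext_id]:
            findings.append((ext_id, version, "untested version"))
    return sorted(findings)


def installed_listing():
    """Ask the local VS Code CLI for installed extensions and versions."""
    cmd = ["code", "--list-extensions", "--show-versions"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Swap SAMPLE_LISTING for installed_listing() on a real workstation.
    for ext_id, version, reason in audit(SAMPLE_LISTING):
        print(f"{ext_id}@{version}: {reason}")
```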
