This is bad...

GitHub gets hacked, and Theo says this feels bigger than one bad headline

Theo opens with GitHub’s statement about “unauthorized access to GitHub’s internal repositories” and immediately frames it as part of a broader pattern: bad uptime, rough security posture, no CEO, and a lot of fraying trust. He jokes that GitHub’s uptime is so poor someone asked how attackers even found a big enough window to get in — funny, but also not really a joke.

He swats away the easy explanation: this isn’t just the usual npm disaster

Before getting to the breach itself, Theo makes a point of saying this is separate from the nonstop npm supply-chain problems and a recent GitHub remote-code-execution issue. He’s especially annoyed by npm’s response around token invalidation and “trusted publishing,” calling it insulting because attacks like the TanStack compromise happened inside trusted publishing flows after GitHub Actions cache poisoning via pull_request_target.

The twist: the weak link was another Microsoft surface — VS Code extensions

Theo says he half-expected npm to be the culprit, but the more embarrassing answer was the VS Code marketplace, which he describes as overflowing with typo-squatting, fake listings, and malicious extensions. GitHub later confirmed exactly that: an employee device was compromised through a poisoned VS Code extension, secrets were rotated, and the attacker’s claim of about 3,800 repos matched what GitHub was seeing.

The most brutal part is how obvious this looked in hindsight

He highlights a reply from Darren spelling out the absurdity: Microsoft’s GitHub got compromised because a Microsoft developer used Microsoft’s VS Code and installed malware from Microsoft’s marketplace. Theo piles on with old examples of people publicly begging Microsoft to fix extension-marketplace malware, saying this has been visible for years and ignored anyway.

Why small security firms are catching this faster than Microsoft

Theo shouts out Socket and Aikido as examples of companies doing the hard work Microsoft should already be doing, noting Socket recently raised a $60 million Series C at a $1 billion valuation. His read on that raise is basically: they didn’t need the money, they raised it as a flex, and it says a lot that firms like this can detect ecosystem exploits faster than the platform owner.

NX Console becomes the likely culprit — and then confirmed culprit

Aikido’s reporting pointed to the NX Console extension, and Theo walks through the timeline: a malicious version was published at 12:30 UTC, removed around 12:48, and had a verified badge plus 2.2 million installs. Later in the video, Narwhal CEO Jeff Cross confirms GitHub’s compromise was indeed tied to NX Console, and Theo is noticeably sympathetic to Narwhal while arguing Microsoft still owns the bigger systemic failure.

Auto-update turned an 18-minute breach into a wide blast radius

This is Theo’s most vivid technical point: because VS Code auto-updates on startup and even on routine marketplace interactions, a short malicious-release window can still hit a huge number of developers. He compares today’s world to a security inversion — updating used to keep you safe, but when tokens are stolen and publishers are compromised, auto-update becomes a direct push channel for malware.

His real thesis: the ecosystem’s assumptions are broken, and Microsoft has to rebuild the rails

Theo says the answer isn’t more hand-wavy best practices; it’s structural fixes like automatic analysis on updates to popular packages, staging windows before auto-install, instant maintainer alerts, and a real rollback system for malicious releases. He ends on a furious note: open-source maintainers are already stretched thin, and it’s unfair that they’re being forced to compensate for failures in platforms Microsoft owns end to end.