In one line. A poisoned developer tool on a trusted workstation should not be able to turn a valid GitHub credential into repository exfiltration. The control point already exists inside GitHub Enterprise; the missing piece is continuous endpoint truth.

GitHub's statement on 20 May 2026 is short and precise. The company said it had detected and contained a compromise of an employee device involving a poisoned VS Code extension, removed the malicious extension version, isolated the endpoint, and started incident response. Public reporting says the attacker's claim of roughly 3,800 internal repositories is directionally consistent with GitHub's investigation so far, and GitHub says it currently has no evidence of customer data impact outside GitHub-internal repositories.

The important word is endpoint.

This is not only a story about a malicious extension. It is a story about what happens after a trusted developer workstation becomes the attacker's workstation, while still holding valid repository credentials and still looking legitimate to the system serving the code.

That is the exact failure mode my company EDAMAME was built to remove.

The extension is not a weak plug-in. It is code on the workstation.

The VS Code extension model is intentionally powerful. Microsoft documents that the VS Code extension host has the same permissions as VS Code itself. An extension can read and write files, make network requests, run external processes, and modify workspace settings. Microsoft also states, plainly, that Workspace Trust cannot prevent a malicious extension from executing code and ignoring Restricted Mode; users should only install extensions from trusted publishers.

That model is reasonable for developer productivity. It is also why a poisoned extension is not just "an add-on". It is code executing inside the developer's working environment, next to source code, local credentials, SSH keys, token caches, package managers, terminals, .env files, Git remotes and CI configuration.

Recent malicious VSIX and Open VSX campaigns make the pattern concrete. Socket's GlassWorm research describes malicious extensions that decrypt and execute staged code, collect browser and credential stores, target ~/.ssh, ~/.aws, npm tokens and GitHub authentication artifacts, then exfiltrate archives from the developer machine. The GitHub incident has not publicly disclosed the full payload, so I am not claiming this exact extension followed GlassWorm's implementation. The point is narrower and stronger: once a VS Code extension is poisoned, the workstation is a valid place for credential harvest, token exfiltration and repository access to happen.

Traditional controls see this too late.

Marketplace scanning is useful, but this incident exists because one version passed far enough to be installed. SSO is useful, but Git operations, API calls, PATs and SSH keys do not re-run the human login ceremony for every clone. EDR is useful, but it is usually an incident-response system after the machine has already become suspicious. Audit logs are useful, but they mostly tell you what was accessed after the request was accepted.

The missing control is not another prompt before installing the extension. The missing control is: when the workstation behavior changes, GitHub access should change immediately.

GitHub already has the enforcement surface

The irony is that GitHub Enterprise already documents the control point needed to contain this attack class.

GitHub Enterprise IP allow lists restrict access to private and internal repositories. The restriction applies to web UI, APIs and Git, and it covers non-interactive authentication methods including personal access tokens, OAuth tokens and SSH keys. GitHub says the allow list applies to users with any role or access, including enterprise and organization owners, repository administrators and external collaborators.

GitHub's GraphQL API also exposes mutations to create, update and delete IP allow-list entries. In other words, the access boundary can be managed programmatically. This matters because a static allow list is an operational burden; a dynamic allow list is a trust engine output.

For enterprises using Enterprise Managed Users with Microsoft Entra ID and OIDC, GitHub can enforce the identity provider's Conditional Access Policy IP conditions for web UI, personal access token and SSH-key interactions. GitHub is explicit about the limitation: it enforces IP conditions, but cannot enforce device compliance conditions.

That limitation is the gap.

GitHub knows how to deny repository access based on source context. It does not know, by itself, whether the specific workstation behind that source context has just started behaving like a credential stealer. EDAMAME supplies that missing device truth and turns it into the context GitHub can already enforce.

What EDAMAME would have done mechanically

Assume the internal repositories are protected by GitHub Enterprise native enforcement: dynamic IP allow lists, or IdP Conditional Access IP policy for an Enterprise Managed Users deployment. Assume the developer workstation is anchored by EDAMAME Security and visible in EDAMAME Hub.

The poisoned extension begins to execute.

EDAMAME does not need to know the extension name, the campaign name, or the command-and-control endpoint in advance. It watches the host truth: processes, parent-child relationships, files opened, sensitive path categories, network destinations, posture drift and GitHub access context.

The suspicious patterns are not abstract:

A VS Code extension process or child process opens credential material it has no business reading: SSH keys, Git credential stores, cloud credentials, package-manager tokens, .env files or browser/session stores.
The same process opens multiple sensitive categories in a short window. That is the credential_harvest invariant we keep seeing across supply-chain malware: different payloads, same behavior once the code lands on the machine.
The process creates unexpected outbound traffic, posts archives, connects to new infrastructure, or drives GitHub operations inconsistent with normal developer behavior.
The host posture changes from verified to suspect, with an evidence trail: which process, which files, which network session, which repository operation.

At that point, EDAMAME Hub can change the GitHub boundary:

remove or deactivate the workstation's current trusted egress from the GitHub Enterprise allow list;
update the IdP/GitHub Conditional Access path where the enterprise uses Entra ID and OIDC;
revoke or rotate exposed raw credentials when the token value is known;
preserve the evidence trail for incident response through GitHub audit logs, including actor, repository, authentication method, token hash, user agent, source IP where enabled, and git.clone activity where exported or streamed.

The important part is not the specific API call. The important part is the sequence:

host behavior changes -> endpoint trust changes -> GitHub's own access control rejects the next repository request.

The token is no longer sufficient. The SSH key is no longer sufficient. The CLI session is no longer sufficient. GitHub itself refuses to serve private or internal repositories from that endpoint context.

How EDAMAME Hub stops the next clone.
EDAMAME Hub turns workstation behavior into GitHub-native access control. When a device starts behaving like a credential stealer, Hub can remove that endpoint's trusted egress from the GitHub Enterprise IP allow list, or update the IdP / Conditional Access path that GitHub already enforces.
The result is mechanical: the credential may still exist, but the next Git, API, PAT or SSH request is no longer accepted from that endpoint context.
See EDAMAME Hub for GitHub access control

Why this is prevention, not just detection

GitHub's statement says the endpoint was isolated. That is the right incident-response action.

But isolation after repository exfiltration is not the same as access control at the moment the workstation becomes untrustworthy. The same idea, wired into the GitHub access boundary before the incident, changes the outcome.

Without endpoint-driven enforcement:

the poisoned extension executes on a developer workstation;
the workstation holds valid GitHub credentials;
GitHub sees legitimate authentication from an allowed identity;
repository access continues until detection and manual containment catch up.

With EDAMAME driving GitHub-native enforcement:

the poisoned extension executes on a developer workstation;
EDAMAME detects credential harvest, token exfiltration or suspicious GitHub access behavior from host truth;
the endpoint leaves the trusted set automatically;
GitHub rejects the next web, API, Git, PAT or SSH request from that endpoint context;
incident response starts with a bounded repository-access window, not an open one.

That is the distinction. Runtime detection alone is interesting. Runtime detection connected to the access-control plane is containment.

Why audit logs alone cannot solve it

GitHub audit logs are necessary. They show user, organization and repository events, authentication method, token metadata, user agent, optional source IP, and Git events such as git.clone through API, export or streaming paths.

But logs are evidence, not a boundary.

If a poisoned extension can use a valid token to clone internal repositories for twenty minutes before anyone looks at the audit stream, the audit stream will explain the breach very well. It will not stop the clone. The boundary has to move while the endpoint is still active, not after the report is assembled.

That is why the correct model is not "collect more GitHub logs" or "rotate tokens faster". Those are incident-response necessities. The correct model is to make repository access conditional on the current trust state of the machine making the request.

The control has to sit outside the credential

This incident is another example of the same structural problem we have seen across the recent software-supply-chain wave.

The industry keeps hardening credentials: shorter-lived tokens, fine-grained PATs, SSO authorization, Sigstore, OIDC federation, SLSA provenance, secret scanning, package signing. All of that is necessary. None of it answers the moment when a trusted workstation or trusted workflow is already compromised and still has the right to ask for code.

The credential says: "this actor may access the repository."

The endpoint-trust layer adds: "from this machine, in this state, right now."

That second sentence is where the GitHub breach class is contained.

EDAMAME's Zero Trust for GitHub model is deliberately built around GitHub's own controls, not a proxy pretending to be GitHub. EDAMAME continuously verifies identity, device posture and context, then keeps the native enforcement point current. For coding-agent and developer-workstation security, EDAMAME Security and EDAMAME Posture add the runtime side: host evidence, sensitive-file access, process-attributed traffic, posture drift and vulnerability findings such as credential harvest and token exfiltration.

Put together, the model is simple:

GitHub remains the repository authority.
The IdP remains the identity authority.
EDAMAME becomes the endpoint-trust authority.

That is the layer this incident shows is missing.

A precise claim

Public facts do not prove that EDAMAME would have prevented the poisoned extension from being installed. They do not prove exactly when the first repository was accessed, or which credential type was used, or how GitHub's internal access controls were configured on the affected repositories.

So the precise claim is this:

If GitHub's internal repository access had been gated by dynamic GitHub-native enforcement driven by live endpoint trust, EDAMAME could have detected the workstation compromise and automatically cut that endpoint off from GitHub before repository exfiltration continued.

That is not a marketing distinction. It is the difference between trusting the credential and trusting the machine that is using it.

The poisoned extension is the spark. The endpoint is the boundary. GitHub already has the lock. Continuous endpoint truth is the hand that turns it.

Sources

GitHub incident reporting: BleepingComputer, Cointelegraph, Cybernews.
VS Code extension model: Microsoft VS Code extension runtime security, Workspace Trust.
Malicious extension tradecraft: Socket GlassWorm research.
GitHub native controls: IP allow lists, Conditional Access support, audit logs, token audit events, credential revocation.
EDAMAME context: Zero Trust for GitHub, runtime security for coding agents.

TanStack, Mistral AI, UiPath, OpenSearch, Bitwarden CLI: When Trusted Publishing and SLSA Both Verify, and the Publish Is Still Malicious

Minh Anh Day

May 12, 2026

News

Another Supply Chain Attack, Another Stolen Credential — Can You Beat Our Runtime Detection?

Minh Anh Day

Apr 22, 2026

Insights

Axios Compromised: 100 Million Weekly Downloads, a Hidden RAT, and Why the Chain Reaction Won't Stop

Frank Lyonnet

Mar 31, 2026

Insights

From Trivy to LiteLLM: Why Runtime Detection Is the Practical Way to Find the Fallout

Minh Anh Day

Mar 27, 2026