A poisoned VS Code extension led to a GitHub breach, and Microsoft owns every link in the chain
… The maintainer of Nx received the unexpected publisher-notification email six minutes later, but by then, the editor had already been doing the attacker's distribution for them. And once a malicious version is on a machine, removing it is a lot harder. …