Cybersecurity Tech News May 24, 2026

GitHub Breach: 3,800 Repos Stolen via Poisoned VS Code Extension

A poisoned Nx Console VS Code extension exposed 3,800 GitHub internal repositories in a May 2026 supply chain attack by threat group TeamPCP, also hitting OpenAI and Mistral AI.


In eleven minutes on May 18, 2026, a threat group known as TeamPCP published a malicious version of the Nx Console Visual Studio Code extension, harvested credentials from a GitHub employee's device, and began extracting thousands of internal repositories. By the time the compromised extension was removed from the VS Code Marketplace, the damage was done: 3,800 of GitHub's internal repositories had been copied, credentials stolen from cloud providers, CI/CD pipelines, and AI coding assistants, and the attack had already spread to OpenAI and Mistral AI through the same supply chain vector.

Eleven Minutes That Cost GitHub Thousands of Repositories

Version 18.95.0 of the Nx Console extension was published to the VS Code Marketplace at approximately 12:29 UTC on May 18, 2026. The Nx team detected the anomaly and removed it by 12:47 UTC — an 18-minute window. But a GitHub employee had installed the compromised version, which immediately executed an obfuscated payload harvesting credentials from every accessible source on the device: cloud provider CLIs, CI/CD pipeline secrets, password manager browser extensions, and AI coding assistant configurations.

The stolen GitHub token was then used to access 3,800 internal repositories. TeamPCP — formally tracked by Google's Threat Intelligence Group as UNC6780 — has been advertising the stolen repositories for sale at prices starting at $50,000 per repository cluster. The attack was accompanied by separate campaigns: a Mini Shai-Hulud wave forging valid cryptographic provenance on 639 malicious npm package versions, and a separate compromise of a VS Code extension with 2.2 million installs — all occurring within a 48-hour window.


The Anatomy of the Attack

The attack began with a targeted compromise of a contributor's GitHub token, giving TeamPCP the ability to push an orphan commit containing the malicious payload to the Nx Console repository. The payload was sophisticated and targeted: it specifically swept AI coding assistant configurations, recognising that developer environments increasingly contain tokens for GitHub Copilot, Cursor, and similar tools that carry significant API access. The combination of source code repository access and AI tool credentials represents a new category of developer environment risk.

The same day, Wiz researchers discovered that TeamPCP had simultaneously compromised Microsoft's durabletask Python SDK on PyPI, indicating an operational tempo and level of resources that suggest either a highly capable single group or a coordinated ecosystem of affiliated actors sharing infrastructure and tooling. The targeting of developer tools specifically reflects a strategic awareness that compromising the environments where software is built is more valuable than compromising individual production systems.

The Broader Developer Supply Chain Crisis

The GitHub breach is symptomatic of a structural problem in software development security. The VS Code extension marketplace model — where over 35,000 third-party extensions are available with minimal automated security vetting — creates an enormous attack surface. An attacker who compromises a package maintainer account can push malicious updates to millions of developer environments within minutes. The "trusted supplier" attack vector is well understood in supply chain security literature, but defending against it requires balancing security controls against developer productivity.

Enterprise security teams are now grappling with a category of risk that existing controls were not designed to address. Endpoint detection tools focused on malware behaviour patterns may not flag a legitimate extension process executing legitimate-looking file reads across the filesystem. The VS Code extension permission model — which by default grants extensions broad access to the filesystem and network — needs fundamental rethinking as extensions become a primary attack vector.


Immediate Actions for Development Teams

Security teams should treat this as a forcing function to audit VS Code extension policies. Priority actions include restricting extensions to an approved allowlist, deploying endpoint detection capable of monitoring extension-level process activity, and rotating any credentials accessible on machines that had the Nx Console extension installed between May 17 and May 18, 2026. Specific credentials to rotate include GitHub personal access tokens, AWS and GCP service account keys, secrets in browser-based password managers, and API keys for AI coding tools.

GitHub has recommended that organisations review their extension inventory and access logs for unusual API calls or download activity following the breach. Tools including GitHub Advanced Security and GitGuardian can help surface exposed secrets that may have been harvested but not yet exploited. Organisations should also review their third-party extension approval processes to ensure that security review requirements exist for VS Code extensions used in production development environments.
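One way to run the inventory and allowlist check described above is the following added example, which is not code from GitHub or the Nx team. It parses the output of `code --list-extensions --show-versions` and flags the version named in this article. The extension ID `nrwl.angular-console`, the allowlist contents and the sample inventory are assumptions made for illustration.

```python
"""Audit a VS Code extension inventory against an allowlist and known-bad versions."""
import subprocess

# Version 18.95.0 comes from the article. The marketplace ID is an assumption:
# confirm it against your own inventory before relying on it.
KNOWN_BAD = {"nrwl.angular-console": {"18.95.0"}}

# Constructed allowlist; replace with your organisation's approved extensions.
ALLOWLIST = {"ms-python.python", "dbaeumer.vscode-eslint", "nrwl.angular-console"}

# Constructed sample in the `publisher.name@version` format the CLI prints.
SAMPLE = """ms-python.python@2026.4.0
nrwl.angular-console@18.95.0
example-publisher.theme-pack@1.0.0
"""

def parse_inventory(text):
    """Return (extension_id, version) pairs; skip blank or malformed lines."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if "@" not in line:
            continue
        ext_id, _, version = line.rpartition("@")
        if ext_id and version:
            found.append((ext_id.lower(), version))  # IDs are case-insensitive
    return found

def audit(text, allowlist=ALLOWLIST, known_bad=KNOWN_BAD):
    """Flag known-bad versions first, then anything outside the allowlist."""
    allowed = {a.lower() for a in allowlist}
    findings = []
    for ext_id, version in parse_inventory(text):
        if version in known_bad.get(ext_id, ()):
            findings.append(("ROTATE_CREDENTIALS", ext_id, version))
        elif ext_id not in allowed:
            findings.append(("NOT_ALLOWLISTED", ext_id, version))
    return findings

def live_inventory():
    """Inventory of the local machine; requires the `code` CLI on PATH."""
    result = subprocess.run(["code", "--list-extensions", "--show-versions"],
                            capture_output=True, text=True, check=True)
    return result.stdout

if __name__ == "__main__":
    for severity, ext_id, version in audit(SAMPLE):
        print(f"{severity}: {ext_id}@{version}")
```

The CLI reports only what is installed now, so a machine that has since updated or uninstalled the extension will not be flagged; the installation window given above still decides which credentials to rotate.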

What GitHub Is Doing in Response

GitHub has confirmed the breach and is working with affected parties to assess repository exposure. The company has not disclosed whether customer code was exposed through the compromised internal repos, but security researchers note that internal tooling repositories often contain infrastructure configuration, deployment scripts, and automation code that could provide significant lateral movement opportunity. The incident is likely to accelerate GitHub's investment in supply chain security, including expansion of its Sigstore-based artifact signing initiative and enhanced automated scanning for Marketplace submissions. Microsoft faces increasing pressure from enterprise and government customers to demonstrate that its developer platform meets a higher security standard than the general marketplace model currently provides.
