A Poisoned VS Code Extension Just Gave Hackers Access to 3,800 GitHub Repos — In 18 Minutes
The GitHub Nx Console Supply Chain Attack: How It Started
On May 18, 2026, a compromised version of the Nx Console VS Code extension (nrwl.angular-console v18.95.0) appeared on the Visual Studio Code Marketplace. With over 2.2 million installations, Nx Console is one of the most popular developer tools for Angular and Nx monorepo projects. Within seconds of a developer opening any workspace, the trojanized extension silently fetched and executed a 498 KB obfuscated payload — and what happened next represents one of the most sophisticated supply chain attacks in recent history.
The compromised version was live on the VS Code Marketplace for only 18 minutes — between 12:30 p.m. and 12:48 p.m. UTC. But in those 18 minutes, the damage was catastrophic. GitHub, the world’s largest code hosting platform (and a Microsoft subsidiary), disclosed that approximately 3,800 internal repositories were exfiltrated as a direct result of this attack.
This was not a random attack by amateur hackers. This was a carefully orchestrated operation by the threat group TeamPCP, and it exploited a fundamental weakness in how the software development ecosystem handles trust.
Who Is TeamPCP? The Threat Group That Breached GitHub
TeamPCP claimed responsibility for the breach, and this was not their first rodeo. The group has been linked to a series of increasingly sophisticated supply chain attacks targeting developer infrastructure. Their methodology is patient and precise: they do not break down the front door. They compromise trusted tools that developers install voluntarily, turning the software supply chain itself into the attack vector.
According to Help Net Security’s analysis, TeamPCP’s approach represents a new paradigm in software supply chain attacks. Rather than targeting individual companies directly, they focus on the shared dependencies and developer tools that thousands of organizations rely on. One compromised extension with millions of installs gives them access to an enormous blast radius with minimal effort.
The group’s operational security is also noteworthy. They used multiple exfiltration channels simultaneously — HTTPS, the GitHub API, and DNS tunneling — to ensure that even if one channel was detected and blocked, the others would continue operating. This level of redundancy suggests a well-resourced and experienced threat actor.
Inside the Poisoned Nx Console Payload: Triple Exfiltration Channels
The technical details of the attack reveal just how sophisticated this operation was. The payload was hidden inside an orphan commit in the official nrwl/nx GitHub repository, that is, a commit not reachable from any branch, which would not appear in normal repository browsing or history. This meant the malicious code was hosted on GitHub’s own infrastructure, making it harder to detect through URL filtering.
Once executed, the payload harvested credentials and tokens from multiple sources including GitHub tokens, npm tokens, AWS credentials, HashiCorp Vault secrets, Kubernetes configurations, and 1Password data. The stolen data was then exfiltrated simultaneously over three independent channels: direct HTTPS connections, the GitHub API (using the stolen GitHub tokens to write data to attacker-controlled repositories), and DNS tunneling (encoding stolen data in DNS queries).
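Of the three channels, DNS tunneling leaves a recognizable footprint in resolver logs: one host sending many distinct, long, high-entropy subdomains to a single zone. The heuristic below is an added example, not code from the original article; the thresholds, the host names and the collector.example zone are constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(s):
    """Bits per character of the string's empirical symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_qname(qname):
    """Split into (parent zone, subdomain). Assumption: the zone is the last
    two labels; production code should consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])

def tunnel_candidates(queries, min_unique=5, min_len=30, min_entropy=3.0):
    """Flag (host, zone) pairs that send many distinct, long, high-entropy
    subdomains to one zone, the footprint of data encoded into query names."""
    seen = defaultdict(set)
    for host, qname in queries:
        zone, sub = split_qname(qname)
        if sub:
            seen[(host, zone)].add(sub)
    flagged = []
    for key, subs in seen.items():
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(map(shannon_entropy, subs)) / len(subs)
        if len(subs) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            flagged.append(key)
    return sorted(flagged)

# Constructed resolver log as (client host, query name); not real telemetry.
# The opaque labels are hash output standing in for encoded data, and
# "collector.example" is a placeholder zone.
SAMPLE_LOG = [("ws-01", "api.github.com"), ("ws-01", "www.example.com"),
              ("ws-02", "registry.npmjs.org"), ("ws-02", "api.github.com")]
SAMPLE_LOG += [("ws-02", hashlib.sha256(bytes([i])).hexdigest()[:48] + ".collector.example")
               for i in range(6)]

if __name__ == "__main__":
    print(tunnel_candidates(SAMPLE_LOG))
```

The thresholds are starting points to tune against a baseline of normal resolver traffic, since some legitimate services also use long generated hostnames.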
On macOS systems, the payload went even further. It installed a persistent Python backdoor that used the GitHub Search API as a dead-drop command-and-control mechanism. Commands were signed with a 4096-bit RSA key, so the attackers could remotely control compromised machines with commands only the key holder could issue, while their communications looked like normal GitHub API traffic. This is the kind of tradecraft you typically see from nation-state-level operations.
GitHub Confirms 3,800 Internal Repositories Were Exfiltrated
On May 19, GitHub publicly disclosed the scope of the breach. Approximately 3,800 internal repositories were accessed and exfiltrated by the attackers. While GitHub has not disclosed the specific contents of these repositories, internal codebases at a company like GitHub could include proprietary algorithms, security infrastructure code, internal tooling, and potentially even access credentials to production systems.
The breach extended beyond GitHub. According to further reporting, Grafana Labs was also breached through the same compromised extension. The attack chain was traced back through the TanStack supply chain compromise, revealing a cascading failure that affected multiple organizations across the developer ecosystem.
Reports also indicate that OpenAI and Mistral AI were among the organizations impacted by the broader supply chain attack, though the extent of those breaches has not been fully disclosed. If confirmed, this means some of the most sensitive AI codebases in the world may have been exposed to an adversarial threat actor.
The TanStack Connection: How One Compromise Led to Another
The Nx Console compromise did not happen in isolation. The extension was breached after one of its developers’ systems was hacked in the wake of the TanStack supply chain attack — another recent compromise targeting popular open-source JavaScript libraries. This creates a disturbing pattern: one supply chain attack begets another, each expanding the blast radius of the original compromise.
This cascading effect is particularly dangerous because it exploits the interconnected nature of the open-source ecosystem. A developer who maintains multiple projects can become a single point of failure. If their credentials are compromised through one project, every other project they maintain becomes vulnerable. The modern software development workflow depends on an enormous web of trust that is only as strong as its weakest link.
VS Code Marketplace Security Is Fundamentally Broken
This attack raises serious questions about the security model of the VS Code Marketplace. The fact that a compromised extension with 2.2 million installations could be published and distributed — even for just 18 minutes — exposes a critical gap in Microsoft’s extension vetting process.
VS Code extensions run with the full permissions of the user who installs them. There is no sandbox, no permission model, and no meaningful code review process for updates to existing extensions. When you install a VS Code extension, you are essentially giving it unrestricted access to your file system, environment variables, credentials, and network. This is a design choice that prioritizes developer convenience over security, and attacks like this demonstrate the real-world consequences of that trade-off.
Microsoft has repeatedly been urged to implement stronger security controls for the VS Code Marketplace, including extension sandboxing, mandatory code signing with hardware keys, and automated behavioral analysis for extension updates. The company has made some progress, but this breach proves that the current safeguards remain woefully inadequate for an extension ecosystem that serves millions of professional developers worldwide.
Developer Tools Are the New Attack Surface in 2026
The GitHub breach via Nx Console is part of a broader trend: developer tools are becoming the primary attack surface for sophisticated threat actors. IDEs, package managers, CI/CD pipelines, and code hosting platforms all represent high-value targets because they sit at the intersection of trust and access. A compromised developer tool does not just affect one system — it can propagate to every piece of software that developer touches.
This trend is accelerating because the return on investment for attackers is enormous. Instead of targeting individual companies one at a time, a single supply chain compromise can give attackers access to hundreds or thousands of organizations simultaneously. The OX Security analysis of the TeamPCP attack describes it as a new standard for software supply chain exploitation.
For the cybersecurity industry, this is a wake-up call. The billions of dollars spent on endpoint detection, network monitoring, and cloud security are less effective when the threat enters through a trusted developer tool that is explicitly allowlisted by security policies. Securing the software supply chain requires a fundamentally different approach — one that treats every dependency, extension, and plugin as potentially hostile until proven otherwise.
What Developers and Organizations Should Do Right Now
If you are a developer who had Nx Console installed during the May 18 window, you should assume your credentials have been compromised. Rotate all tokens and secrets — GitHub, npm, AWS, cloud provider credentials, CI/CD pipeline tokens, and anything else stored in environment variables or credential managers. Check for unexpected SSH keys, unauthorized OAuth applications, and unfamiliar API tokens across all your accounts.
For organizations, this breach should trigger a broader review of your developer tool security posture. Consider implementing extension allowlists for VS Code (only approved extensions can be installed), requiring hardware security keys for critical code signing operations, deploying behavioral monitoring on developer workstations, and segmenting developer network access so that a compromised workstation cannot access production credentials.
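The exposure check and the extension allowlist from the two paragraphs above, as an added example (not code from the article, Nx or Microsoft): it flags nrwl.angular-console 18.95.0 in an extension inventory and reports anything outside a version-pinned allowlist. The allowlist entries, the examplecorp.* extension names and the sample inventory are constructed assumptions.

```python
import re
from pathlib import Path

# Trojanized release named in the article.
KNOWN_BAD = {"nrwl.angular-console": {"18.95.0"}}

# Hypothetical allowlist (assumption): id -> approved versions, None = any version.
ALLOWLIST = {"nrwl.angular-console": None, "examplecorp.linter": {"1.2.3"}}

# On-disk extension folders are named <publisher>.<name>-<version>[-<platform>].
DIR_RE = re.compile(r"^([^.]+\.[\w-]+?)-(\d+\.\d+\.\d+)(?:-.+)?$")

def parse_cli(text):
    """Parse `code --list-extensions --show-versions` output (id@version lines)."""
    pairs = []
    for line in text.splitlines():
        ext_id, sep, version = line.strip().rpartition("@")
        if sep:
            pairs.append((ext_id.lower(), version))
    return pairs

def parse_dirs(names):
    """Parse folder names from an extensions directory such as ~/.vscode/extensions."""
    matches = (DIR_RE.match(n) for n in names)
    return [(m.group(1).lower(), m.group(2)) for m in matches if m]

def audit(installed):
    """Return (finding, id, version); a known-bad hit outranks the allowlist."""
    findings = []
    for ext_id, version in installed:
        if version in KNOWN_BAD.get(ext_id, ()):
            findings.append(("KNOWN_BAD", ext_id, version))
        elif ext_id not in ALLOWLIST:
            findings.append(("NOT_ALLOWLISTED", ext_id, version))
        elif ALLOWLIST[ext_id] is not None and version not in ALLOWLIST[ext_id]:
            findings.append(("UNAPPROVED_VERSION", ext_id, version))
    return findings

# Constructed sample inventory, not real telemetry.
SAMPLE_CLI = """nrwl.angular-console@18.95.0
examplecorp.linter@1.2.4
examplecorp.linter-themes@0.3.0
"""

if __name__ == "__main__":
    ext_dir = Path.home() / ".vscode" / "extensions"
    on_disk = parse_dirs(p.name for p in ext_dir.iterdir()) if ext_dir.is_dir() else []
    for finding in audit(on_disk or parse_cli(SAMPLE_CLI)):
        print(*finding)
```

In the sample, nrwl.angular-console is allowlisted for any version, so only the known-bad list catches the trojanized release; pinning approved versions is what makes an allowlist flag an unexpected update on its own.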
The 18-minute window of this attack proves that speed of detection is everything. The organizations that escaped unscathed were the ones that had automated tooling to detect anomalous extension behavior. The ones that were compromised were relying on manual processes and reactive security controls. In the age of supply chain attacks, the window between compromise and detection is measured in minutes — and if your security apparatus cannot operate at that speed, you are already behind.