On 18 May 2026, between 12:30 and 12:48 UTC — exactly 18 minutes — a poisoned version of the Nx Console extension for Visual Studio Code was available on the VS Code Marketplace. During that window, any developer who opened a workspace with the extension installed silently executed a command that stole their credentials from 1Password, Anthropic Claude Code, npm, GitHub and AWS. One of those developers worked at GitHub. On 19 May, GitHub detected unauthorised access to its internal systems. On 20–21 May, it confirmed the exfiltration of approximately 3,800 internal repositories. The actor: TeamPCP, also tracked by Google Threat Intelligence Group as UNC6780. The Hacker News chose it as “Threat of the Week” today, 25 May. It is the culmination of a software supply chain attack campaign that Apolo Cybersecurity has been documenting since 5 May.

What do we know about the GitHub breach?

Facts documented by GitHub (official statement), The Hacker News, OX Security, Aikido Security, Help Net Security, Infosecurity Magazine, Sophos, Hackread and researcher Nir Zadok of OX Security:

  • Date and exposure window: Nx Console v18.95.0 was available on VS Code Marketplace on 18 May 2026 between 12:30 and 12:48 UTC — 18 minutes. On Open VSX, the window was 36 minutes before Aikido Security and the community detected and reported it.
  • Nx Console: one of the most popular VS Code extensions in the Angular and monorepo ecosystem, with over 2.2 million installs and verified publisher status on the Marketplace. This was not an obscure extension from an unknown author — it was a reference tool with every visual trust signal developers use to validate safety.
  • The payload: the poisoned version silently executed on workspace startup a single shell command that downloaded and ran a hidden package from a planted commit in the official nrwl/nx GitHub repository. The malware silently stole 1Password credentials, Anthropic Claude Code configurations, npm tokens, GitHub tokens and AWS credentials.
  • The compromised device: a GitHub developer had Nx Console installed. When they opened a workspace on 18 May, their credentials were exfiltrated. GitHub detected the incident the following day.
  • Impact confirmed by GitHub: exfiltration of approximately 3,800 internal repositories. GitHub confirmed that the ~4,000 repos claimed by TeamPCP are “directionally consistent” with their investigation. Customer repositories, enterprise accounts and user data are not affected per the official statement.
  • GitHub’s response: endpoint isolation, malicious extension version removal, rotation of critical credentials prioritising highest-impact ones, ongoing post-incident monitoring. GitHub has promised a detailed technical report once the investigation is complete.
  • CVE assigned: CVE-2026-48027.
  • The price of the data: TeamPCP initially offered the stolen repositories for at least $50,000. A subsequent post appeared showing TeamPCP partnering with the Lapsus$ group to sell the data for $95,000, with a threat to leak publicly if no buyer materialises.

Why VS Code extensions are the most dangerous supply chain vector in 2026

The attack on GitHub via Nx Console is not an isolated incident — it is the most spectacular demonstration of a pattern TeamPCP has been executing since early 2026. The group has compromised Trivy, Checkmarx, Bitwarden CLI, TanStack and now GitHub, all through developer tools that technical teams use without a second thought. Four factors explain why VS Code extensions are the most effective attack vector available today:

  1. The trust signal is the vector. An extension with 2.2 million installs, a verified publisher, an active public repository and thousands of GitHub stars is exactly the type of tool any developer installs without auditing. The signals that supposedly indicate safety — popularity, verification, activity — are now exactly what attackers seek to maximise the impact of a point-in-time compromise.
  2. Developer workstations are the weakest perimeter in the corporate ecosystem. A developer workstation has access to production tokens, AWS keys, CI/CD secrets, private repositories and password manager credentials. It is the highest-multiplier access point in the entire organisation — and the least monitored by SOC teams.
  3. The exposure window does not need to be long. 18 minutes was enough to compromise developer devices that then provided access to 3,800 GitHub repositories. The community’s detection speed — notable in this case — was not enough to prevent the damage.
  4. Code editor approval policies are virtually non-existent. Nx publicly admitted the malicious version was published to the Marketplace “without manual approval” from other Nx administrators. This is the systemic failure: the controls that exist in production pipelines are not applied to the tools developers use to build those pipelines.

How the attack worked: from a stolen npm token to 3,800 GitHub repositories

The full attack chain, reconstructed by OX Security, Aikido Security, Wiz Research, and the official Nx and GitHub communications:

  1. Initial access via the Mini Shai-Hulud campaign (weeks earlier): TeamPCP compromised npm packages in the TanStack ecosystem in a prior campaign documented by Wiz Research and Datadog Security Labs. One of the GitHub tokens stolen in that attack belonged to a legitimate Nx project contributor. With that token, the attacker gained write access to the official nrwl/nx repository.
  2. Payload planting in the official repository: using the stolen token, TeamPCP planted a commit with a hidden malicious package in the official nrwl/nx GitHub repository. The commit appeared legitimate — it came from an account with a real history of contributions to the project.
  3. Extension modification and Marketplace publication: the attacker modified the Nx Console v18.95.0 code so that on workspace startup it silently executed a single shell command that downloaded and ran the package planted in the nrwl/nx repository. The version was published to VS Code Marketplace at 12:30 UTC on 18 May, without manual approval from other Nx administrators.
  4. Execution on a GitHub employee’s device: a GitHub developer with Nx Console installed opened a workspace that day. The payload executed silently, exfiltrating 1Password credentials, Anthropic Claude Code configurations, npm tokens, GitHub tokens and AWS credentials stored on the device.
  5. Internal repository exfiltration: using the GitHub employee’s tokens, TeamPCP cloned approximately 3,800 GitHub internal repositories before access was detected and cut off.
  6. Detection and response: Aikido Security and the community detected the malicious extension and reported it. VS Code Marketplace pulled it within 18 minutes. GitHub detected the unauthorised access on 19 May and initiated immediate incident response.

Key lessons for DevOps, DevSecOps and CISO teams

  • Audit VS Code extensions installed on corporate endpoints. Most organisations have no visibility into what extensions their developers have installed. An inventory of active extensions on corporate endpoints, reviewed periodically against known compromised extension lists, is the first preventive measure.
  • Implement VS Code extension allowlists. Microsoft provides mechanisms via Group Policy and corporate settings to restrict which extensions can be installed on managed devices. An allowlist of security-team-approved extensions is the most effective mitigation available.
  • Treat development tokens as production credentials. npm, GitHub and AWS tokens and API keys stored on developer devices have access to critical assets. Secret management on workstations must follow the same standards as production servers: periodic rotation, usage monitoring and immediate revocation at any sign of compromise.
  • Monitor extension behaviour on endpoints. An EDR configured to alert when VS Code extensions execute shell commands on workspace startup, make unexpected network connections or access password manager configuration files can detect this type of attack in real time.
  • Review write permissions on critical development tool repositories. Access to the Nx repository was possible because a contributor had write permissions and their credentials were stolen. An audit of who has publish permissions on the development tools your organisation uses — extensions, npm packages, CI plugins — is part of supply chain risk management.
  • The GitHub attack closes the TeamPCP arc in 2026. Trivy, Checkmarx, Bitwarden CLI, TanStack, Nx Console and now GitHub: all compromised through developer tools in 2026. The pattern is clear and replicable. Any organisation with CI/CD pipelines, heavy VS Code usage and dependency on open source extensions and packages must assess their exposure to this attack chain now.

Cybersecurity as a strategic priority

TeamPCP’s compromise of GitHub is not the end of this campaign — it is its most visible point so far. The message the incident sends to the software development ecosystem is clear: the supply chain of tools developers use daily is a first-order attack surface, and the security controls organisations apply to their production systems rarely extend to their technical teams’ workstations.

For CISOs and security leaders at Spanish organisations with development teams, the question is direct: do you have visibility into what VS Code extensions your developers have installed, what credentials they store on their devices, and how access to the organisation’s critical repositories and pipelines is managed?

Apolo Cybersecurity: software supply chain protection and development endpoint security

At Apolo Cybersecurity we help organisations with development teams assess and protect their exposure to software supply chain attacks like those of TeamPCP: VS Code extension and development tool auditing on corporate endpoints, extension allowlist policy implementation, token and secret management and rotation on developer workstations, extension behaviour monitoring in EDR, repository and pipeline permission reviews, and security posture assessment against the Mini Shai-Hulud/TeamPCP attack chain.

If your organisation has development teams using VS Code and you have not reviewed what extensions they have installed or how tokens and credentials are managed on their devices, the GitHub incident is the signal to act.

__wf_reserved_inherit
Prev Post
Next Post

Any questions?
We're happy to help!

CONTACT US TODAY!
info@apolocybersecurity.com
Responsable: Apolo Analytics S.L.
Finalidad: Responder a tu mensaje y almacenaje en base de datos para gestionar tu solicitud.
Legitimación: Consentimiento del interesado al enviar el formulario.
Destinatarios: No se cederán datos a terceros, salvo obligación legal.
Derechos: Puedes ejercer tus derechos de acceso, rectificación y supresión, entre otros, enviando un correo a secretaria@apolocybersecurity.Com.
Información adicional: Puedes consultar la información completa en nuestra Política de Privacidad.

¡Gracias !

Su mensaje a sido recibido correctamente.
Oops! Algo a ido mal a la jora de enviar el formulario.
te esperamos!
Schedule a call
Project photo
Send us an email
Project photo
+34 937948378
Project photo
Carrer 27 del BZ, 10–16, Sector BZ Zona Franca, 08040 Barcelona
Project photo
FAQScontactTERMS AND CONDITIONSWork with Us
Accelerated by:
Certifications:
Light Eyes is part of Apolo Cybersecurity
LEGAL NOTICEPRIVACY POLICYCookiesinformation security policy
Privacy Settings
Copyright © 2025 Apollo Cybersecurity