GitHub confirmed this week that roughly 3,800 of its internal repositories were exfiltrated after one of its own engineers installed a malicious version of the Nx Console VS Code extension. The incident, disclosed by GitHub CISO Alexis Wales in a detailed Wednesday evening blog post, is now being tied directly to the wider TanStack npm supply-chain attack that has rippled through the JavaScript ecosystem over the past week.
Key Highlights
- Approximately 3,800 internal GitHub repositories were accessed and exfiltrated by a threat group calling itself TeamPCP.
- The attack vector was a trojanised build of Nx Console 18.95.0, the official VS Code extension for the Nx monorepo toolchain.
- The poisoned extension was live on the Visual Studio Marketplace for only 18 minutes on May 18, 2026, and on OpenVSX for 36 minutes.
- TeamPCP has listed the stolen source code on the Breached cybercrime forum, asking for at least fifty thousand dollars.
- GitHub says customer data stored outside the compromised repositories was not stolen, and public user repositories remain unaffected.
What Happened
According to GitHub, a single employee endpoint was compromised after the engineer installed the malicious Nx Console build. On startup, the extension silently executed a shell command that pulled and ran a hidden payload from a planted commit on the official nrwl/nx GitHub repository, disguised as a routine Model Context Protocol setup task.
That payload was a credential stealer designed to harvest secrets from a wide range of developer tooling: 1Password vaults, Anthropic Claude Code configurations, npm tokens, GitHub credentials, AWS access keys, Kubernetes kubeconfigs, and GCP and Docker credentials. Using those harvested credentials, TeamPCP pivoted into GitHub's internal source-control footprint and cloned the affected repositories.
The TanStack Connection
The Nx team revealed that their extension was poisoned in the wake of the recent TanStack supply-chain compromise, in which one of their own developers' systems was hacked. The same attack chain has been linked to credential theft attempts against OpenAI, Mistral AI, and Grafana Labs, suggesting TeamPCP has been systematically targeting high-value developer organisations through the npm and VS Code Marketplace pipelines.
Security firm StepSecurity, which has been tracking the campaign, characterised the Nx Console compromise as a textbook second-order supply-chain attack: developers trust their IDE extensions far more than their dependencies, and few organisations audit extension updates with the same rigour they apply to package manifests.
GitHub's Response
GitHub CISO Alexis Wales said in the company's incident write-up that the response moved in three phases:
- Contain: the compromised employee device was isolated and the malicious extension version was removed from circulation.
- Rotate: "We rotated critical secrets Monday and into Tuesday with the highest-impact credentials prioritized first," Wales wrote.
- Validate: logs were analysed across GitHub's production infrastructure to confirm secret rotation and to monitor for follow-on activity.
The company stressed there is no evidence that customer data stored outside the affected internal repositories has been stolen, and that no public GitHub.com user repositories were touched.
Impact
For the broader developer ecosystem, this breach reframes a long-standing concern: IDE extensions are now a first-class attack surface, on par with package managers themselves. A typical Visual Studio Code install carries dozens of extensions, each with the ability to read local source code, exfiltrate environment variables, and execute arbitrary shell commands on startup — usually without any sandboxing.
The fact that the poisoned Nx Console build was live for less than twenty minutes before being pulled, yet still propagated far enough to breach GitHub itself, illustrates how quickly modern supply-chain attacks move. Detection vendors such as Aikido and Snyk were criticised by some researchers for not having signatures for the malicious build hours after disclosure.
Background
TeamPCP is not a new actor. The group has been linked to previous supply-chain campaigns across PyPI, npm, GitHub Actions, and Docker Hub, typically pivoting from a single compromised maintainer account into downstream consumers. The TanStack ecosystem — a popular collection of headless UI and data-fetching libraries used by tens of thousands of React and Vue projects — became the latest stepping stone in that pattern earlier this month.
For Nx users specifically, the malicious version range has been published, and the Nx team has pushed clean releases. The remediation advice for any developer who ran Nx Console between roughly 12:30 and 12:48 UTC on May 18 is the standard supply-chain incident drill: rotate all developer credentials, audit recent git activity, and review any cloud account access logs from the affected window.
What's Next
GitHub has promised a fuller post-mortem in the coming weeks, including which categories of internal code were in the affected repositories. Microsoft, GitHub's parent, is reportedly accelerating work on a vetted-extensions tier for the Visual Studio Marketplace, although no formal announcement has been made.
For development teams in the MENA region and beyond, the practical takeaway is immediate: treat IDE extensions as production dependencies. Pin versions, audit before updating, scope credentials narrowly, and assume that any unsandboxed plugin can read your secrets the moment you open your editor.
Source: BleepingComputer — GitHub links repo breach to TanStack npm supply-chain attack