What happened
GitHub has confirmed that a breach of its internal repositories resulted from a compromised employee device infected through a trojanized version of the Nx Console VS Code extension. The extension, nrwl.angular-console, was available on the Visual Studio Marketplace for just 18 minutes on May 18, 2026, between 12:30 and 12:48 PM UTC, before being removed. That window was sufficient for TeamPCP to distribute a credential stealer to developer machines that had the extension installed or auto-updated.
The malicious extension appeared and behaved identically to the legitimate Nx Console but silently executed a shell command on startup that downloaded and ran a hidden package from a planted commit on the official nrwl/nx GitHub repository. The command was disguised as a routine MCP setup task to avoid raising suspicion. The credential stealer targeted 1Password vaults, Anthropic Claude Code configurations, npm tokens, GitHub credentials, and AWS access keys.
GitHub CISO Alexis Wales confirmed the breach allowed TeamPCP to exfiltrate approximately 3,800 internal repositories. GitHub stated it has found no evidence of impact to customer information stored outside its internal repositories, though it acknowledged some internal repositories contain excerpts of customer support interactions. The company has rotated critical secrets, taken containment steps, and is monitoring for follow-on activity.
The Nx Console compromise traces directly to the TanStack supply chain attack. A developer at Narwhal Technologies, the company behind nx.dev, had their system compromised in the TanStack incident, providing TeamPCP with the access needed to poison the extension. Other confirmed TanStack downstream victims include OpenAI, Mistral AI, and Grafana Labs. The auto-update behavior of VS Code and similar editors meant the malicious extension reached developer machines immediately upon publication without any review gate or waiting period on the marketplace’s side.
Who is affected
GitHub’s internal repositories and any data they contain are directly affected. GitHub has not confirmed whether customer support data in internal repositories was exposed but committed to notification through established channels if such impact is confirmed. Developers who had the Nx Console extension installed and running during the 18-minute window face credential exposure across 1Password, Claude Code, npm, GitHub, and AWS environments.
Why CISOs should care
TeamPCP has now built a self-sustaining chain of supply chain attacks that has compromised TanStack, LiteLLM, OpenAI, Mistral AI, Grafana Labs, the Nx Console extension, and GitHub’s internal repositories in a cascading sequence. Each compromise provides credentials that enable the next. The 18-minute window that enabled the GitHub breach illustrates how auto-update distribution in VS Code and similar editors gives any attacker who controls a publisher account a direct push channel into every machine running that extension globally, with no review gate between publication and installation.
The Nx co-founder’s acknowledgment that the assumptions the ecosystem has operated under for years no longer hold reflects a structural reality: developer tooling built around trust in publisher identity and automatic updates was not designed for an adversary actively targeting that trust model.
3 practical actions
- Disable auto-update for VS Code extensions in managed developer environments and implement a review gate before extension updates are applied: The 18-minute exposure window was only sufficient because auto-update distributed the malicious extension immediately to all installed instances. Disabling auto-update and requiring manual or IT-approved extension updates adds a critical review layer between a compromised publisher and developer machines.
- Audit all developer machines that had the Nx Console extension installed during the May 18 exposure window and rotate all credentials: Any machine running nrwl.angular-console that received an update between 12:30 and 12:48 PM UTC on May 18 should be treated as compromised. Rotate 1Password vault credentials, Claude Code configurations, npm tokens, GitHub personal access tokens, and AWS keys present on affected machines immediately.
- Extend threat intelligence monitoring to VS Code Marketplace and similar extension repositories as supply chain risk surfaces: TeamPCP’s campaign has demonstrated that extension marketplaces are now active attack vectors. Implement monitoring for anomalous extension updates from publishers in your approved extension list, and establish a process for rapid response when a trusted extension is reported as compromised.
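One way to run the audit in the second action on a single machine, as an added example that is not code from GitHub, Nx, or the article's author. It assumes the default per-user extensions folder (~/.vscode/extensions), that extensions.json there records an installedTimestamp in milliseconds for each entry, and a 10-minute tolerance around the window; all three are assumptions to adjust for your fleet.

```python
import json
from datetime import datetime, timedelta, timezone
from pathlib import Path

EXT_ID = "nrwl.angular-console"  # extension ID named in the article
WINDOW = (datetime(2026, 5, 18, 12, 30, tzinfo=timezone.utc),
          datetime(2026, 5, 18, 12, 48, tzinfo=timezone.utc))
SLACK = timedelta(minutes=10)  # assumption: allowance for clock skew / install lag

def in_window(ts):
    return WINDOW[0] - SLACK <= ts <= WINDOW[1] + SLACK

def manifest_times(root):
    """Map install folder -> install time recorded in extensions.json, if any."""
    try:
        entries = json.loads((root / "extensions.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}
    times = {}
    for entry in entries if isinstance(entries, list) else []:
        if not isinstance(entry, dict):
            continue
        ms = (entry.get("metadata") or {}).get("installedTimestamp")  # assumed field
        rel = entry.get("relativeLocation")
        if isinstance(rel, str) and isinstance(ms, (int, float)):
            times[rel] = datetime.fromtimestamp(ms / 1000, tz=timezone.utc)
    return times

def audit(root):
    """Return one finding per installed copy of EXT_ID under the extensions root."""
    root = Path(root)
    if not root.is_dir():
        return []
    recorded, findings = manifest_times(root), []
    for folder in sorted(p for p in root.iterdir() if p.is_dir()):
        if not folder.name.lower().startswith(EXT_ID + "-"):
            continue
        ts, source = recorded.get(folder.name), "extensions.json"
        if ts is None:  # fall back to the folder's modification time
            ts = datetime.fromtimestamp(folder.stat().st_mtime, tz=timezone.utc)
            source = "mtime"
        findings.append({"folder": folder.name, "installed": ts,
                         "source": source, "suspect": in_window(ts)})
    return findings

if __name__ == "__main__":
    for f in audit(Path.home() / ".vscode" / "extensions"):
        flag = "SUSPECT" if f["suspect"] else "ok"
        print(f'{flag:8} {f["folder"]} {f["installed"].isoformat()} ({f["source"]})')
```

A later update may replace the extension folder, so an "ok" result on a machine that was online during the window does not clear it; pair this check with editor and endpoint logs before deciding whether to rotate credentials.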
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

