TeamPCP Breaches GitHub via Poisoned VS Code Extension

TeamPCP stole 3,800 GitHub internal repos via a malicious Nx Console update live for just 11 minutes, tracing back to the TanStack supply chain compromise.

On May 19, 2026, GitHub confirmed that roughly 3,800 of its internal repositories had been exfiltrated by a threat group known as TeamPCP. The attack vector was a poisoned version of Nx Console - a VS Code extension with 2.2 million installs - that sat on the Visual Studio Marketplace for exactly 11 minutes. That was enough.

TL;DR

  • TeamPCP published malicious Nx Console v18.95.0 to VS Marketplace on May 18, 2026; it was live for 11 minutes on VS Marketplace and 36 minutes on Open VSX
  • The compromised extension stole GitHub tokens, SSH keys, and cloud credentials from installed developer machines
  • At least one GitHub employee's machine was hit, leading to 3,800 internal repos being cloned and exfiltrated
  • The root cause traces back 7 days earlier to the TanStack npm supply chain compromise on May 11
  • TeamPCP is demanding $95,000 and threatening to publish the stolen repos publicly without payment

Attack in Three Hops

What looks like a sudden breach is actually a 7-day slow burn. TeamPCP - tracked by Mandiant as UNC6780 - didn't break into GitHub directly. They worked through the open-source developer tooling layer, chaining three separate compromises to reach a high-value target from an unexpected angle.

Hop 1 - TanStack npm Compromise (May 11)

The attack started eleven days before anyone noticed anything wrong. On May 11, a malicious version of @tanstack/[email protected] was published to the npm registry as part of TeamPCP's broader campaign against the TanStack ecosystem. An Nx core contributor ran a routine pnpm install during normal development work and pulled the compromised package.

The malicious package silently exfiltrated the contributor's GitHub CLI OAuth token - no prompts, no errors, just quiet credential exfiltration in the background. The attacker then had persistent access to the Nx Console GitHub repository for seven days before using it.

Hop 2 - Nx Console Backdoored (May 18)

With the stolen OAuth token, TeamPCP spent a week embedded in the Nx repository. At 12:30 UTC on May 18, they published Nx Console v18.95.0 containing a credential stealer to both the Visual Studio Marketplace and the Open VSX registry. The malicious version was removed from VS Marketplace at 13:09 UTC - an 11-minute window. Open VSX took 36 minutes to pull it.

The malicious payload used a sophisticated multi-stage delivery chain: the extension fetched an obfuscated dropper from a "dangling orphan commit" planted in the Nx repo, which the attacker had positioned days earlier. A Sigstore attestation forgery was also used to make the extension appear legitimately signed.

Figure: The malicious Nx Console v18.95.0 appeared as a legitimate update from the official Nx publisher. Source: stepsecurity.io

VS Marketplace reports 28 installs of v18.95.0. Open VSX reports 41 downloads from 21 unique IPs. But the Nx team notes that anyone with auto-update enabled during those exposure windows should assume their machine is fully compromised regardless of install count.

Hop 3 - GitHub Employee's Machine (May 19)

At least one GitHub employee had Nx Console installed with automatic updates enabled. The malicious extension activated on their developer machine and ran its full eight-stage credential harvesting chain - fetching the payload, passing an anti-analysis gate, self-daemonizing, harvesting credentials, exfiltrating through multiple channels, forging Sigstore attestations, and installing a Python C2 backdoor for persistent access.

Within hours, TeamPCP had GitHub tokens, SSH keys, cloud access keys, and browser-stored secrets from the employee's machine. They used those credentials to clone about 3,800 GitHub internal repositories containing GitHub Actions workflows, Copilot internal projects, CodeQL tools, internal infrastructure code, and Rails controllers responsible for pull request and organization management.

Figure: StepSecurity confirmed the connection between the Nx Console compromise and the GitHub internal repo breach on May 22. Source: stepsecurity.io

The Malware Mechanics

StepSecurity's detailed forensic analysis broke the payload into eight stages. The attack was designed to be invisible during normal operation and resistant to static analysis.

| Attack Stage | Technique | Purpose |
|---|---|---|
| Extension activation | Payload fetch from orphan git commit | Stage 2 loader delivery |
| Anti-analysis gate | Environment check (VM, sandbox detection) | Avoid sandboxed analysis |
| Self-daemonization | Background process detach | Survive IDE restarts |
| Credential harvesting | File scraping, env var enumeration | Steal all developer secrets |
| Multi-channel exfiltration | GitHub repos, DNS, HTTP | Redundant delivery channels |
| Sigstore forgery | Forged attestation metadata | Appear as legitimate signed release |
| Persistence | Python backdoor installation | Long-term C2 access |
| C2 polling | Public GitHub repo polling | Receive follow-up commands |

The persistence mechanism follows the same pattern seen in TeamPCP's Mini Shai-Hulud campaign across prior targets like LiteLLM and Cline's npm packages:

# Observed persistence mechanism - Python backdoor
# Location: ~/.local/share/kitty/cat.py
import time, subprocess

# Polls attacker-controlled public GitHub repos for commands
# Commands are identified by the embedded string: firedalazer
# Allows remote execution post-credential-theft without maintaining
# an active connection to attacker infrastructure

The C2 design is deliberate: by using public GitHub repositories as command delivery infrastructure, outbound traffic from compromised machines looks identical to normal developer activity.

The malware's obfuscation used four distinct layers: a custom Base64 string table, a PBKDF2-keyed secondary decryption layer, hex identifier mangling, and encrypted binary blobs for the final payload stage. Standard antivirus scanning missed all eight stages.

The Broader Mini Shai-Hulud Campaign

This breach is not a standalone incident. TeamPCP's Mini Shai-Hulud campaign, which began in late April 2026, has now touched multiple major developer ecosystems.

Figure: The three-hop chain from TanStack npm compromise to Nx contributor token theft to GitHub employee machine and internal repo exfiltration. Source: stepsecurity.io

In this wave alone, over 170 npm packages and 2 PyPI packages were compromised with 404 malicious versions published. Previous named targets in 2026 include Checkmarx, Bitwarden CLI, TanStack, and LiteLLM. The @antv namespace saw over 300 packages infected. The durabletask Python SDK was compromised via PyPI. GitHub Actions workflow actions-cool/issues-helper was also hit, giving TeamPCP a foothold in CI/CD pipelines.

TeamPCP has listed the stolen GitHub repository data on cybercrime forums for $95,000, threatening to publish repository names and files publicly if no buyer appears. GitHub CEO Thomas Dohmke confirmed that the compromised repositories contain only GitHub's internal corporate code and that no customer data, enterprise accounts, or user repositories were accessed.

GitHub's Response

GitHub acted right away after detection on May 19:

  • Removed the malicious extension version from the VS Marketplace
  • Isolated the affected employee endpoint
  • Rotated all critical secrets, prioritizing highest-impact credentials first
  • Began continuous monitoring of infrastructure for follow-on activity

The Nx team released v18.100.0 as a clean replacement and has since patched the publisher authentication gap that allowed the OAuth token compromise to result in a direct marketplace publish. Anyone who had Nx Console installed with auto-update enabled during the exposure window (2026-05-18, 12:30 to 13:09 UTC on VS Marketplace; around the same period on Open VSX) should rotate every credential accessible from that machine and check for the backdoor file at ~/.local/share/kitty/cat.py.
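A host triage sketch for the check described above, added here as an example and not tooling from StepSecurity, Nx or GitHub. The backdoor path, the firedalazer marker and the version number come from the article; the extension folder prefix nrwl.angular-console, the editor extension directories and the metadata file names are assumptions about how VS Code-family editors lay out installs.

```python
from pathlib import Path

# Indicators stated in the article.
BACKDOOR_REL = Path(".local/share/kitty/cat.py")
C2_MARKER = b"firedalazer"
BAD_VERSION = "18.95.0"
# Assumptions, not from the article: the extension's folder prefix and the
# per-editor extension directories and metadata files that record installs.
EXT_PREFIX = "nrwl.angular-console-"
EXT_DIRS = (".vscode/extensions", ".vscode-server/extensions",
            ".vscode-oss/extensions", ".cursor/extensions")
METADATA = ("extensions.json", ".obsolete")


def triage(home):
    """Return (indicator, path) findings for one user's home directory."""
    home = Path(home)
    findings = []

    backdoor = home / BACKDOOR_REL
    if backdoor.is_file():
        findings.append(("backdoor_file", str(backdoor)))
        if C2_MARKER in backdoor.read_bytes():
            findings.append(("c2_marker", str(backdoor)))

    bad_folder = EXT_PREFIX + BAD_VERSION
    for rel in EXT_DIRS:
        root = home / rel
        if not root.is_dir():
            continue
        # The malicious version still unpacked on disk (any platform suffix).
        for entry in root.iterdir():
            name = entry.name.lower()
            if name == bad_folder or name.startswith(bad_folder + "-"):
                findings.append(("malicious_version_installed", str(entry)))
        # Auto-update may already have replaced the folder; the editor's
        # bookkeeping files can still name the old version.
        for meta in METADATA:
            path = root / meta
            if path.is_file() and bad_folder.encode() in path.read_bytes().lower():
                findings.append(("malicious_version_recorded", str(path)))
    return findings


if __name__ == "__main__":
    import sys
    for indicator, path in triage(sys.argv[1] if len(sys.argv) > 1 else Path.home()):
        print(f"[!] {indicator}: {path}")
```

An empty result does not clear a host: the article's guidance to rotate credentials applies to any machine that auto-updated during the exposure window, whether or not traces remain.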


Where It Falls Short

Seven days. That's how long the attacker had persistent access to the Nx Console repository between stealing the contributor's OAuth token on May 11 and publishing the malicious extension on May 18. No automated system flagged it. No reviewer caught the orphan commit. The 11-minute marketplace window gets the headlines, but the real detection failure happened in the week before.

VS Code extensions have full read-write access to the developer's entire machine by design. There is no permission scope, no sandboxing, and no mandatory secondary approval for publishing updates to the marketplace. A single stolen OAuth token was sufficient to push a malicious update to a 2.2-million-install extension.

GitHub's internal engineering team uses the same open-source tools as everyone else. That's not a flaw - it is how software gets built. But it means a supply chain attack targeting the developer layer will eventually spread into hyperscaler infrastructure. The same malware that hit a startup's CI/CD pipeline last week can reach GitHub's internal Copilot source code this week.

The structural problem is the npm publish pipeline. Mini Shai-Hulud automates the publishing step once credentials are in hand. The bottleneck isn't the attacker's capability; it's the registry's ability to detect abnormal publish behavior from compromised but legitimate accounts. Npm's publish infrastructure still has no mandatory secondary authorization requirement for high-download packages. Until that changes, one stolen developer token remains a single point of failure for thousands of downstream users.

About the author: Sophie Zhang, AI Infrastructure & Open Source Reporter

Sophie is a journalist and former systems engineer who covers AI infrastructure, open-source models, and the developer tooling ecosystem.