
GitHub CISO Alexis Wales confirmed Thursday that a poisoned build of the Nx Console Visual Studio Code extension — live on Microsoft's official Visual Studio Marketplace for just 18 minutes on May 18 — gave threat group TeamPCP enough access to exfiltrate approximately 3,800 of GitHub's internal source code repositories. The disclosure, which names the specific extension version for the first time in an official capacity, closes a days-long investigation and establishes the attack as one of the most consequential developer supply-chain breaches on record. Confirmed downstream victims now include OpenAI, Grafana Labs, and Mistral AI — organizations whose developers ran VS Code with Nx Console installed and auto-update enabled.
Any developer who had Nx Console installed and running between 12:30 p.m. and 12:48 p.m. UTC on May 18 should assume their machine was compromised and rotate all credentials immediately.
18-Minute Window, Thousands of Victims
The malicious version — Nx Console v18.95.0, published under the handle nrwl.angular-console — carried a verified publisher badge and 2.2 million installs across all versions. Those signals of legitimacy are precisely what made it a high-value target. Aikido Security and the broader open-source community caught the poisoned build within roughly 18 minutes on the VS Code Marketplace and 36 minutes on Open VSX, the vendor-neutral registry for VS Code-compatible editors. Microsoft registered the takedown at 12:48 p.m. UTC.
Despite that speed, the window proved sufficient. Nx Console maintainers disclosed that official marketplace and registry download numbers for version 18.95.0 were just 28 and 41, respectively — but that those figures do not capture auto-update installations. Jeff Cross, co-founder of Narwhal Technologies, the company behind Nx, said his team believes the actual number of users who received the malicious package may have been over 6,000. One of those users turned out to be a GitHub employee whose machine became the entry point to the company's internal repositories.
Credential Stealer Disguised as Routine Setup
OX Security researcher Nir Zadok, who published a technical dissection of the malicious build, found that the extension itself contained no stealer code. On startup it ran a single shell command that fetched a hidden package — called nx-next — from a planted commit on the official nrwl/nx GitHub repository, disguising the action as a routine Nx Model Context Protocol setup task. The downloaded package, identified by Google Threat Intelligence Group as the SANDCLOCK credential stealer, then executed silently in the background.
SANDCLOCK harvested credentials from a broad range of sources: GitHub personal access tokens, OAuth tokens, and app tokens; npm authentication tokens; Amazon Web Services credentials via instance metadata and environment variables; HashiCorp Vault tokens; Kubernetes service account secrets; 1Password CLI sessions; SSH private keys; Google Cloud Platform and Docker credentials; and Claude Code configuration files. Stolen data was exfiltrated through multiple independent channels — encrypted HTTPS to a remote server, the GitHub API using the victim's own stolen tokens, and DNS tunneling as a backup — so blocking any single channel did not stop exfiltration. On macOS, the payload installed a persistent Python backdoor named cat.py at the file path /Users/%/.local/share/kitty/cat.py, confirmed by Sophos Managed Detection and Response teams who recovered it from an affected endpoint.
Attack Chain: TanStack Compromise Reached Narwhal Technologies
The root of the attack traces to a May 11 supply-chain compromise of 42 TanStack npm packages — open-source developer tools for building modern web applications — in which TeamPCP published 84 malicious versions containing a credential-stealing JavaScript payload. Those packages stole the GitHub credentials of a legitimate Nx Console developer through the GitHub CLI. With those credentials in hand, the attacker posed as a legitimate Nx maintainer, pushed a malicious orphan commit to the official nrwl/nx repository, and published version 18.95.0 to the Visual Studio Marketplace at 12:30 p.m. UTC on May 18.
Jeff Cross, CEO of Narwhal Technologies — the company behind Nx — acknowledged in a public post-incident report that the upload of the malicious version was performed "without manual approval" from other Nx administrators. Cross said the publishing pipeline has since been hardened to require two administrators to approve any release. "A lot of the assumptions the ecosystem has operated under for years no longer hold," he added. "We're also beginning conversations with other high-profile open-source maintainers about how we can work together on some of the deeper structural problems around software supply chain security."
GitHub, OpenAI, Grafana Labs, Mistral AI All Confirmed Victims
GitHub stated that TeamPCP's claims of approximately 3,800 stolen repositories are "directionally consistent" with its investigation, and said the exfiltration was limited to GitHub-internal repositories. The company said it has no current evidence that customer data stored outside those internal repositories was affected, though the investigation remains ongoing.
TeamPCP initially demanded at least $50,000 for the stolen repositories, then reportedly posted an advertisement appearing to partner with the Lapsus$ threat group, offering the complete dataset for $95,000. The group stated it would delete the data once a buyer is found and that it would leak the data for free if no buyer materialized.
Grafana Labs CISO Joe McManus confirmed that his company was also compromised via the same TanStack attack, beginning May 11. A missed GitHub workflow token during initial remediation gave the attackers access to Grafana's repositories and the company's full codebase. Attackers demanded a ransom payment on May 16. Grafana Labs declined to pay, aligning with FBI guidance, and notified federal law enforcement. No customer production systems or Grafana Cloud infrastructure were affected.
Two OpenAI employee devices were also confirmed compromised via the TanStack campaign, and Mistral AI's SDK repositories were advertised for sale on cybercrime forums as part of the same attack wave. Mistral confirmed attackers temporarily accessed certain non-core code repositories on May 12.
TeamPCP: Seven Attack Waves Across Open-Source Ecosystem
Google Threat Intelligence Group formally tracks TeamPCP as UNC6780, a financially motivated threat actor specializing in supply-chain attacks targeting open-source security utilities and AI middleware. Trend Micro has documented at least seven confirmed attack waves since March 2026: Trivy in March, then Checkmarx KICS, LiteLLM, Telnyx, Bitwarden CLI, TanStack, and Mistral AI.
What is consistent across all waves is that technical sophistication is not the primary weapon — trust is. A verified publisher badge, a high install count, and distribution through an official marketplace mean that developers install the extension without hesitation and that no one thinks to check. The community is getting faster at detecting these attacks, but the attack model accounts for that: it needs minutes, not days.
VS Code Auto-Update Mechanism Now Confirmed Attack Surface
The GitHub breach establishes a structurally significant threat model. VS Code's auto-update mechanism creates a zero-review-gate push channel into every machine running a given extension globally. When a publisher's credentials are stolen, an attacker can silently backdoor millions of developer environments simultaneously — no phishing campaign, no social engineering, no suspicious download required. The malicious version reached the target in this case not because a developer chose to install an unknown tool, but because a developer had already chosen to trust a legitimate one.
The breach has been assigned vulnerability identifier CVE-2026-48027.
Credentials to Rotate Now
GitHub has removed version 18.95.0 from the Visual Studio Marketplace, isolated the compromised endpoint, and rotated critical internal secrets. The Nx team has released updated versions of the extension — v18.100.0 and later — to remediate the issue.
Security teams at organizations using the Nx build system, TanStack, Mistral AI SDKs, or Grafana Labs tooling should treat their CI/CD credential stores as potentially compromised and act on the following:
- Rotate all secrets stored in npm, GitHub, AWS, and 1Password that may have been accessible on developer machines running VS Code between 12:30 p.m. and 12:48 p.m. UTC on May 18.
- Audit extension inventories and enforce allowlists for approved VS Code extensions across developer workstations.
- Review CI/CD pipeline permissions for evidence of lateral movement.
- Check macOS endpoints for the cat.py indicator of compromise at /Users/%/.local/share/kitty/cat.py (SHA-256: fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142).
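The two endpoint checks in this list can be scripted. The following Python is an added example, not code from GitHub, the Nx team, or any vendor named in this article; it looks for the cat.py indicator and for an unpacked copy of the 18.95.0 build under each user's home directory. The function names are illustrative, and the VS Code extension directory layout is an assumption noted in the code.

```python
import hashlib
import re
from pathlib import Path

# Indicators taken from the article above.
BAD_EXT_ID = "nrwl.angular-console"
BAD_EXT_VERSION = "18.95.0"
CAT_PY_REL = Path(".local/share/kitty/cat.py")
CAT_PY_SHA256 = "fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142"
# Assumption: extensions unpack to <home>/.vscode/extensions/<publisher>.<name>-<version>[-<platform>]
EXT_DIR_RE = re.compile(r"(?P<id>.+?)-(?P<ver>\d+\.\d+\.\d+)(?:-.+)?")


def scan_home(home, bad_sha256=CAT_PY_SHA256):
    """Return (severity, detail) findings for one user's home directory."""
    findings = []
    backdoor = Path(home) / CAT_PY_REL
    if backdoor.is_file():
        digest = hashlib.sha256(backdoor.read_bytes()).hexdigest()
        # A file at this path with a different hash may be a variant: triage by hand.
        severity = "confirmed" if digest == bad_sha256 else "suspect"
        findings.append((severity, f"{backdoor} sha256={digest}"))
    ext_root = Path(home) / ".vscode" / "extensions"
    if ext_root.is_dir():
        for entry in sorted(ext_root.iterdir()):
            m = EXT_DIR_RE.fullmatch(entry.name)
            if m and m["id"].lower() == BAD_EXT_ID and m["ver"] == BAD_EXT_VERSION:
                findings.append(("confirmed", f"{entry} is the poisoned build"))
    return findings


def scan_users(users_root="/Users", bad_sha256=CAT_PY_SHA256):
    """Scan every home under users_root; return {home: findings} for hits only."""
    hits = {}
    root = Path(users_root)
    for home in sorted(root.iterdir()) if root.is_dir() else []:
        try:
            found = scan_home(home, bad_sha256)
        except PermissionError:
            found = [("unreadable", f"{home}: rerun with sufficient privileges")]
        if found:
            hits[str(home)] = found
    return hits


if __name__ == "__main__":
    for home, findings in scan_users().items():
        for severity, detail in findings:
            print(f"[{severity}] {detail}")
```

An empty result does not clear a machine: auto-update may already have replaced the 18.95.0 folder, so the guidance to rotate credentials for anything running in the window still applies.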
GitHub has pledged to publish a full post-incident report once its investigation concludes. That report, when it arrives, will provide the clearest accounting yet of how widely the stolen repositories were accessed and whether any customer data contained in GitHub's internal systems was ultimately exposed. Until then, every developer who ran Nx Console in the 18-minute window of May 18 should assume their credentials are in someone else's hands.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.




