GitHub has confirmed that roughly 3,800 of its internal repositories were exfiltrated after an employee installed a trojanized build of the Nx Console VS Code extension. The company described the attacker's 3,800-repo claim as "directionally consistent" with its own investigation. The poisoned build — version 18.95.0 of an extension with verified-publisher status and roughly 2.2 million installs — was published to the Visual Studio Marketplace on May 18 and disclosed by GitHub on May 20.
How a 18-minute window did the damage
The malicious 18.95.0 release kept the legitimate Nx Console surface intact but added one step on startup: it silently ran npx against a fixed commit on the official nrwl/nx repository, installing and executing a hidden package called nx-next. Per OX Security, that payload was a credential stealer that swept GitHub tokens, npm .npmrc credentials, AWS keys (from IMDS and environment variables), HashiCorp Vault tokens, Kubernetes service-account secrets, 1Password CLI sessions, SSH private keys, and AI coding-assistant configuration files including Claude Code. Stolen data left over encrypted HTTPS, the GitHub API using the victim's own tokens, and DNS tunneling as a fallback.
The window was short — about 18 minutes on the VS Code Marketplace and roughly 36 minutes on Open VSX before takedown — but auto-update meant the blast radius was every machine that pulled the build in that interval.
The chain started in npm, not the extension
The Nx Console compromise was the second hop. Investigators tie the root cause to a May 11 supply-chain attack on TanStack npm packages, in which the threat group TeamPCP (tracked as UNC6780) published dozens of malicious versions carrying a credential-stealing payload. That payload reportedly captured the GitHub credentials of a legitimate Nx Console maintainer via the GitHub CLI — credentials then used to ship the trojanized extension under the real publisher's identity.
TeamPCP has claimed responsibility, framing the breach as a demonstration of "inherent vulnerabilities in the modern developer supply chain." The group has previously been linked to compromises of security tooling such as Trivy, KICS, the LiteLLM library, and the Telnyx SDK.
Confirmed downstream victims and what changes
GitHub is not the only casualty. Reporting names OpenAI, Grafana Labs, and Mistral AI among organizations whose developers ran VS Code with Nx Console installed and auto-update enabled. The pattern — a verified publisher, a trusted extension, a multi-hop path from npm to IDE to internal source — is exactly the threat model most secrets-scanning and endpoint controls were not built to catch.
For engineering teams, the practical takeaway is uncomfortable: a verified-publisher badge and high install count are not assurances. Audit for the 18.95.0 build, rotate every credential class the nx-next stealer touched (cloud, CI/CD, package registries, secret managers, and AI agent configs), and treat IDE extension auto-update as an unauthenticated code-execution path until proven otherwise. The blast radius of a single poisoned developer machine now reaches a vendor's entire internal codebase.
