Severity: critical
CVE: CVE-2026-48027
CWE: CWE-506, CWE-200
Affected Surface:
- GitHub internal repositories (~3,800 repos)
- nrwl.angular-console 18.95.0 (Nx Console for VS Code)
- VS Code, Cursor, and VS Code-compatible editors with auto-update enabled
- Developer workstations with GitHub, npm, AWS, Vault, Kubernetes, Docker, GCP, SSH, Claude Code, or 1Password credentials
- Downstream npm ecosystem through Sigstore attestation forgery capability
On 19 May 2026, GitHub disclosed that it was investigating unauthorized access to its internal repositories. By 20 May, the company confirmed that approximately 3,800 private repositories had been exfiltrated. The entry point was a single developer workstation compromised by a poisoned VS Code extension.
The threat group TeamPCP, tracked as UNC6780 by Google Threat Intelligence Group, claimed responsibility on an underground forum and advertised the stolen data for sale starting at $50,000. GitHub’s statement confirmed the attacker’s claims were “directionally consistent” with their investigation.
This incident is not an isolated breach. It is the downstream result of a cascading supply chain attack that moved from the TanStack npm ecosystem to the Nx Console VS Code extension to a GitHub employee’s machine, and ultimately into GitHub’s internal infrastructure. For a detailed technical analysis of the Nx Console payload itself, see Corgea’s Nx Console credential stealer writeup.
Attack chain: from TanStack to GitHub’s internal repositories
The breach traces through four distinct links:
Link 1: TanStack supply chain compromise. In early May 2026, TeamPCP compromised the TanStack npm ecosystem through a misconfigured CI workflow, cache poisoning, and OIDC token theft. Malicious versions of @tanstack/react-router and related packages were published with valid cryptographic provenance. This attack is tracked as CVE-2026-45321.
Link 2: Nx contributor credential theft. A contributor to the Nx project installed one of the compromised TanStack packages, or was otherwise caught in the blast radius of the campaign. The TanStack payload harvested their GitHub credentials through the GitHub CLI (gh). The stolen token had push access to nrwl/nx and, directly or indirectly, access to VS Code Marketplace publishing credentials.
Link 3: Nx Console extension compromise. On 18 May at 03:18 UTC, the attacker used the stolen token to push an orphan commit (558b09d7) into the nrwl/nx repository. At 12:30 UTC the same day, they published nrwl.angular-console v18.95.0 to the Visual Studio Marketplace. The malicious extension created a hidden VS Code task on workspace activation that fetched and executed a 498 KB obfuscated credential-stealing payload from that orphan commit. The extension was live on the Visual Studio Marketplace for approximately 18 minutes and on Open VSX for 36 minutes.
Link 4: GitHub employee device compromise. A GitHub employee with Nx Console installed had their editor auto-update to the malicious version during the exposure window. The payload harvested tokens, secrets, and SSH keys from the employee’s machine. With those credentials, the attacker accessed GitHub’s internal repositories and exfiltrated approximately 3,800 of them.
The entire chain, from a legitimate open-source CI pipeline through two separate package ecosystems into a developer’s IDE and out through a corporate employee’s machine, executed in under 48 hours.
What was stolen from GitHub
GitHub confirmed the breach affected internal repositories only. Based on public reporting, the exfiltrated data included:
- Infrastructure configuration files
- Deployment scripts and automation
- Staging environment credentials
- Internal API schemas and documentation
- Internal organization source code
GitHub stated that customer data stored outside internal repositories was not affected. The company immediately rotated critical secrets, prioritizing highest-impact credentials first, and isolated the compromised endpoint. A full incident report was promised but had not been published at the time of writing.
TeamPCP advertised the stolen material on a breach forum, claiming roughly 4,000 repositories of private code and requesting a minimum of $50,000 from buyers.
Why 18 minutes was enough
VS Code ships with auto-update enabled by default for extensions. There is no review gate, cooldown period, or waiting period between when an update is published and when installed clients pull it in. The update mechanism is not limited to a periodic timer. VS Code also syncs against the marketplace during any gallery interaction, including opening the Extensions sidebar, performing marketplace searches, and processing recommendation prompts.
The Nx Console extension has over 2.2 million total installations. During the 18-minute window on the Visual Studio Marketplace (and the 36-minute window on Open VSX), any running editor that performed a gallery interaction touching the Nx Console listing would have silently auto-updated to the compromised version.
Official marketplace download counts for v18.95.0 were low: 28 on the Visual Studio Marketplace and 41 on Open VSX. But Nx’s own internal analytics registered approximately 6,000 extension activations from VS Code after the attack, two orders of magnitude higher than the marketplace figures. The discrepancy exists because auto-updates are not always counted as fresh downloads by the marketplace, but the extension still activates with the malicious code.
Once pulled, the marketplace has no way to recall an extension from machines that already installed it. Pulling the listing only prevents new downloads. Microsoft does not notify affected users. The only way a developer would learn they were affected is by following security news or noticing the extension had vanished from search results.
The credential harvesting payload
The technical details of the Nx Console payload are covered in depth in Corgea’s companion analysis. The key points relevant to the GitHub breach:
The payload ran six parallel credential collector classes targeting GitHub tokens, npm credentials, AWS IMDS and Secrets Manager, HashiCorp Vault, Kubernetes, 1Password, Docker, GCP, SSH keys, .env files, and Claude Code AI assistant configurations. On Linux, it also scanned /proc/*/mem for secrets in running process memory.
Exfiltration used three independent channels (HTTPS, GitHub API, and DNS tunneling), any one of which was sufficient for the attacker. All data was encrypted with AES-256-GCM and the session key wrapped with the attacker’s RSA public key.
The payload also contained full Sigstore integration for forging npm package provenance attestations, meaning stolen credentials could be used to publish downstream packages with valid, cryptographically signed provenance that npm audit signatures would pass.
On macOS, the payload installed a persistent Python C2 backdoor at ~/.local/share/kitty/cat.py with a LaunchAgent for hourly execution. The backdoor used the GitHub Search API as a dead-drop, polling for commits matching the keyword firedalazer and verifying RSA-PSS signatures before executing attacker-controlled Python.
TeamPCP and the broader supply chain campaign
This incident is part of a sustained campaign by TeamPCP that has been running since at least March 2026. The group’s attack resume includes:
- TanStack/Mistral AI/UiPath (May 2026): 373 malicious package versions across 169 npm and PyPI packages, tracked as CVE-2026-45321
- durabletask PyPI (May 2026): Three backdoored releases of Microsoft’s Python SDK with a multi-cloud credential stealer and wiper component
- AntV ecosystem (May 2026): Hundreds of malicious npm releases across @antv, echarts-for-react, timeago.js, and related packages
- Cemu Linux release assets (May 2026): GitHub release binaries replaced with a Python zipapp credential stealer
- Trivy vulnerability scanner (March 2026): Aqua Security’s GitHub Actions compromised, cascading to Docker images and the Checkmarx KICS project
- LiteLLM PyPI (March 2026): Popular Python library compromised, infecting tens of thousands of devices
- Mistral AI source code (May 2026): Stolen using compromised CI/CD credentials, advertised for sale
- AsyncAPI VS Code extension (November 2025): The Shai-Hulud 2.0 worm’s first blood event, where compromised npm and OpenVSX tokens pushed malicious code that exfiltrated credentials for nearly a month
The pattern is consistent: compromise a developer credential through one supply chain vector, then pivot to a higher-value target through a second. The GitHub breach is the most significant downstream consequence of this strategy to date.
Why developer workstations are the real target
The GitHub breach demonstrates a shift in attacker targeting. Instead of attacking production servers, CI/CD pipelines, or cloud infrastructure directly, TeamPCP targeted the developer workstation, the single point where source code, package-registry tokens, cloud CLI credentials, SSH keys, and AI coding-tool secrets all coexist.
A VS Code extension runs with the full permissions of the user who installed it. There is no sandbox, no permission prompt, and no capability restriction. Any extension can read every file the user can read, execute any command the user can execute, and access any network endpoint the user can reach.
Traditional endpoint detection and response (EDR) tools are not designed to catch this. The malicious payload was 2,777 bytes of JavaScript injected into a minified file, which then fetched a second-stage dropper. EDR tools have no signature for minified JavaScript changes in trusted VS Code extensions. The payload’s behavior (reading .env files, querying cloud metadata endpoints, accessing ~/.ssh/) is indistinguishable from normal developer tooling activity.
This is why the GitHub breach succeeded despite GitHub’s own security posture. The attack did not bypass any server-side control. It simply ran on a machine that already had legitimate access to internal repositories, using credentials that were already present for normal work.
What organizations should do now
Immediate response for potentially affected users
If your organization uses Nx Console in any VS Code-compatible editor and any developer had auto-update enabled during the exposure window on 18 May 2026:
- Update Nx Console to v18.100.0 or later across all editors (VS Code, Cursor, Windsurf, and others).
- Check for indicators of compromise: Look for ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /var/tmp/.gh_update_state, /tmp/kitty-*, and processes with __DAEMONIZED=1 in their environment.
- Kill active malicious processes and remove persistence artifacts, including unloading the macOS LaunchAgent before deleting it.
- Rotate every credential reachable from the affected machine, including GitHub PATs, npm tokens, AWS credentials, Vault tokens, Kubernetes service accounts, SSH keys, Docker credentials, 1Password items accessed via the op CLI, AI assistant credentials, and .env secrets.
- Audit downstream activity: Review GitHub audit logs, Actions secret reads, npm publish history, Sigstore transparency entries, cloud secret-manager access logs, and DNS/API traffic from affected machines.
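The indicator check from the list above as a script, added here as an example and not taken from GitHub, Nx or Corgea. The extension-folder glob (any dot-directory under the home directory that holds an `extensions` folder) and the optional root and proc arguments are assumptions of this sketch; the process check reads /proc and therefore only works on Linux.

```shell
#!/bin/sh
# Added example: sweep one user profile for the indicators listed above.
# Usage: scan_nx_iocs [HOME_DIR] [FS_ROOT] [PROC_DIR]
# FS_ROOT and PROC_DIR let the sweep run against a mounted disk image or a
# fixture instead of the live system; both are conveniences of this sketch.
scan_nx_iocs() (
  home="${1:-$HOME}"; root="${2:-}"; proc="${3:-/proc}"; hits=0
  hit() { echo "$1 $2"; hits=$((hits + 1)); }

  # Persistence and state files named in the checklist.
  for f in "$home/.local/share/kitty/cat.py" \
           "$home/Library/LaunchAgents/com.user.kitty-monitor.plist" \
           "$root/var/tmp/.gh_update_state"; do
    if [ -e "$f" ]; then hit FILE "$f"; fi
  done

  # /tmp/kitty-* entries.
  for f in "$root"/tmp/kitty-*; do
    if [ -e "$f" ]; then hit TMP "$f"; fi
  done

  # ASSUMPTION: editors keep installed extensions in folders named
  # publisher.name-version under ~/.<editor>/extensions (e.g. ~/.vscode).
  for f in "$home"/.[!.]*/extensions/nrwl.angular-console-18.95.0*; do
    if [ -d "$f" ]; then hit EXT "$f"; fi
  done

  # Processes with __DAEMONIZED=1 in their environment (Linux /proc only;
  # environ is NUL-separated and readable only for processes you own or as root).
  for p in "$proc"/[0-9]*; do
    if [ -r "$p/environ" ] &&
       tr '\000' '\n' 2>/dev/null < "$p/environ" | grep -qx '__DAEMONIZED=1'; then
      hit PROC "${p##*/}"
    fi
  done

  [ "$hits" -eq 0 ]   # exit status 0 = nothing found
)

scan_nx_iocs "$@" || echo "Indicators found: isolate the host before rotating credentials."
```

A clean result does not clear a machine that ran 18.95.0, because the credentials were already readable at activation time; rotate them regardless.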
For a complete list of indicators of compromise and file hashes, see Corgea’s Nx Console credential stealer analysis.
Organizational defenses against extension supply chain attacks
Enforce extension allowlists. VS Code supports the extensions.allowed enterprise policy to constrain which publishers and extensions can be installed. Use it.
Disable or delay auto-update. The most effective single control is to prevent immediate auto-update of extensions. A 48-hour delay between publication and auto-update would have prevented this breach entirely, since the malicious version was pulled within 18 minutes. VS Code’s extensions.autoUpdate setting can be set to false at the organizational level, though this places the update burden on developers.
Treat developer workstations as high-value targets. Developer machines typically have credentials for source control, package registries, cloud providers, secret managers, and CI/CD systems simultaneously. Apply the same security controls you would to a production server: credential rotation schedules, least-privilege access, hardware security keys for critical accounts, and monitoring for anomalous access patterns.
Scope credentials narrowly. The damage from this breach was amplified because a single workstation had credentials that could reach GitHub’s internal repositories. Minimize the blast radius by using short-lived tokens, scoping personal access tokens to specific repositories, requiring SSO re-authentication for sensitive operations, and avoiding long-lived credentials on developer machines where possible.
Monitor for supply chain compromise signals. Track advisories for packages and extensions your organization depends on. Subscribe to GitHub Security Advisories, npm audit feeds, and security mailing lists for your critical dependencies. The time between a compromise being published and a malicious version being pulled is the window that matters.
Audit your extension and package inventory. Most security teams have no visibility into which VS Code extensions or npm packages are installed on developer machines. Build that inventory. You cannot defend what you cannot see.
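A starting point for that inventory, combined with the allowlist idea above, as an added example that is not code from any vendor named here. The allowlist file format (one publisher or publisher.name per line) is hypothetical, and the script assumes installed extensions live in folders named publisher.name-version, optionally followed by a platform suffix.

```shell
#!/bin/sh
# Added example: inventory installed extensions and flag any that are not on
# an approved list. Usage: audit_extensions ALLOWLIST EXT_DIR [EXT_DIR...]
# ALLOWLIST (hypothetical format): one "publisher" or "publisher.name" per
# line, lower case; lines starting with '#' are comments.
audit_extensions() (
  allow="$1"; shift; bad=0
  for dir in "$@"; do
    for path in "$dir"/*/; do
      [ -d "$path" ] || continue
      entry=$(basename "$path" | tr 'A-Z' 'a-z')
      # Split publisher.name-version[-platform] at the first "-N.N.N".
      id=$(printf '%s\n' "$entry" | sed -E 's/-[0-9]+\.[0-9]+\.[0-9]+.*$//')
      case "$id" in *.*) ;; *) continue ;; esac   # not an extension folder
      if [ "$id" = "$entry" ]; then version=unknown; else version=${entry#"$id"-}; fi
      publisher=${id%%.*}
      # Approved if either the exact extension or its publisher is listed.
      if grep -qxF -e "$id" -e "$publisher" "$allow"; then
        echo "OK $id $version"
      else
        echo "UNAPPROVED $id $version"; bad=$((bad + 1))
      fi
    done
  done
  [ "$bad" -eq 0 ]   # exit status 0 = every extension is approved
)

# Run only when an allowlist and at least one directory are given.
if [ "$#" -ge 2 ]; then audit_extensions "$@"; fi
```

An allowlist of this kind would have reported nrwl.angular-console 18.95.0 as approved, since the publisher was legitimate; it narrows the attack surface but has to be paired with delayed auto-update to cover a compromised trusted extension.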
References
- GitHub disclosure on X (May 19, 2026)
- GHSA-c9j4-9m59-847w: Compromised Nx Console version 18.95.0
- Corgea: Nx Console VS Code extension 18.95.0 shipped a developer credential stealer
- Aikido: The Wild West of VS Code extensions and how a poisoned extension breached GitHub
- Aikido: GitHub breached via a malicious VS Code extension
- StepSecurity: Nx Console VS Code Extension Compromised
- SecurityWeek: GitHub Confirms Hack Impacting 3,800 Internal Repositories
- BleepingComputer: GitHub investigates internal repositories breach claimed by TeamPCP
- CWE-506 Embedded Malicious Code
- CWE-200 Exposure of Sensitive Information