A Trusted VS Code Extension Was Poisoned for 18 Minutes. It Breached GitHub Itself.

LDS Team
Let's Data Science
A backdoored build of the Nx Console extension sat on the Visual Studio Marketplace for 18 minutes on May 18. That was long enough for the group TeamPCP to steal credentials from developers at GitHub, OpenAI, Grafana Labs, and Mistral AI, then walk out with roughly 3,800 of GitHub's own internal repositories.

At 12:30 p.m. UTC on May 18, a new version of a developer tool quietly went live on Microsoft's Visual Studio Marketplace. It was Nx Console, version 18.95.0, published under the same verified handle the extension had always used, carrying the same blue verified-publisher badge and the same 2.2 million installs that made it one of the most trusted extensions in the JavaScript world. Nothing on the listing looked wrong.

It was malicious. Microsoft pulled it at 12:48 p.m. The poisoned build had been reachable for 18 minutes.

That window should have been a non-event. Instead, by the end of the week GitHub's Chief Information Security Officer was confirming that attackers had used it to exfiltrate roughly 3,800 of GitHub's internal source code repositories, and security teams at OpenAI, Grafana Labs, and Mistral AI were tracing their own compromises back to the same campaign. The most consequential developer breach of the year did not come through a firewall. It came through an extension that millions of engineers had already chosen to trust.

The Extension Carried No Malware of Its Own

The mechanism is what makes this attack worth studying. According to a technical teardown by OX Security researcher Nir Zadok, the poisoned version of Nx Console shipped with no credential-stealing code inside it. A scan of the extension itself would have come back clean.

On startup, the extension ran a single shell command. That command fetched a hidden package called nx-next from a planted commit sitting in the official nrwl/nx GitHub repository, and it disguised the request as a routine Nx Model Context Protocol setup task, the kind of background step a developer tool runs all the time. The downloaded payload, which Google Threat Intelligence Group identified as a credential stealer it tracks as SANDCLOCK, then ran silently in the background.

SANDCLOCK was built to drain a developer machine. Infosecurity Magazine's accounting of what it harvested reads like an inventory of everything a modern engineer keeps on their laptop:

  • GitHub personal access tokens, OAuth tokens, and app tokens
  • npm authentication tokens
  • AWS credentials pulled from instance metadata and environment variables
  • HashiCorp Vault tokens and Kubernetes service account secrets
  • 1Password CLI sessions, SSH private keys, and Google Cloud and Docker credentials
  • Claude Code configuration files

That last item matters for anyone running AI coding agents locally. The stealer treated a developer's Claude Code setup as just another credential store worth emptying, the same logic that drove the LiteLLM backdoor campaign earlier this year. Stolen data left the machine through three independent channels at once: encrypted HTTPS to a remote server, the GitHub API using the victim's own freshly stolen tokens, and DNS tunneling as a fallback. Blocking any one route did not stop the bleed. On macOS, the payload also dropped a persistent Python backdoor named cat.py, which Sophos analysts later recovered from an infected endpoint.

The Trail Started a Week Earlier, in a Web Framework

The Nx Console upload was not the start of the story. It was the second act.

On May 11, TeamPCP compromised 42 TanStack npm packages, the popular open-source tooling many teams use to build web applications, publishing 84 malicious versions stuffed with a credential-stealing payload. One of the machines that pulled those poisoned packages belonged to a legitimate Nx Console developer. The malware lifted that developer's GitHub credentials through the GitHub CLI, and with valid maintainer access in hand, the attacker stopped needing to break anything.

Posing as a real Nx maintainer, TeamPCP pushed a malicious orphan commit into the official nrwl/nx repository and published version 18.95.0 straight to the Visual Studio Marketplace at 12:30 p.m. on May 18. No exploit. No phishing email to the end user. The attack simply rode the publishing pipeline that the ecosystem already treated as legitimate.

Here is the timeline, from the framework compromise to GitHub's confirmation.

  • May 11, 2026: 42 TanStack npm packages compromised. TeamPCP publishes 84 malicious versions. One poisoned package lands on an Nx Console developer's machine and steals their GitHub credentials.
  • May 12, 2026: Mistral AI and OpenAI hit. Mistral confirms attackers briefly accessed non-core repositories. Two OpenAI employee devices are later confirmed compromised in the same wave.
  • May 18, 12:30–12:48 p.m. UTC: Poisoned Nx Console 18.95.0 goes live for 18 minutes. The backdoored extension reaches the Marketplace. Microsoft removes it 18 minutes later, but auto-update has already pushed it to thousands of machines.
  • May 20, 2026: GitHub confirms the breach. GitHub says exfiltration was limited to internal repositories and calls TeamPCP's claim of ~3,800 repos "directionally consistent" with its investigation.
  • May 21, 2026: CISO names Nx Console; CVE assigned. GitHub CISO Alexis Wales publicly names the extension. The incident is assigned CVE-2026-48027. Grafana Labs confirms it was hit too.

Eighteen Minutes Was Never the Real Number

The Marketplace listing was live for 18 minutes, and the open-source community moved fast: Aikido Security and other watchers flagged the poisoned build within roughly that window, and within 36 minutes on Open VSX, the vendor-neutral registry. Microsoft logged the takedown at 12:48 p.m. By the standards of incident response, that is quick.

The official download counters told a reassuring story too. The Nx maintainers later disclosed that version 18.95.0 recorded only 28 downloads on the Marketplace and 41 on Open VSX. If those were the real numbers, this would be a footnote.

They were not the real numbers. Auto-update does not show up in download counts. Jeff Cross, co-founder and CEO of Narwhal Technologies, the company behind Nx, said his team believes the malicious package actually reached more than 6,000 users through silent background updates. One of those 6,000 was a GitHub employee. Their machine became the doorway into GitHub's internal estate.

That is the uncomfortable lesson buried in the math. Detection time barely mattered, because the damage vector was not a human deciding to click install. It was a trusted tool that thousands of machines had been configured, long ago, to update on their own without asking.

GitHub Was Not the Only Victim

GitHub CISO Alexis Wales confirmed the breach publicly on May 21, naming the extension version for the first time in an official capacity. GitHub's position is that the exfiltration was confined to its own internal repositories, with no current evidence that customer data stored outside those repos was touched, though the company stressed the investigation is ongoing.

The list of confirmed casualties runs well past GitHub. Grafana Labs CISO Joe McManus said his company was compromised through the same May 11 TanStack attack, and that a GitHub workflow token missed during the first round of cleanup handed attackers access to Grafana's full codebase. TeamPCP demanded a ransom on May 16. Grafana declined to pay, aligning with FBI guidance, and notified federal law enforcement. Mistral AI confirmed attackers temporarily reached certain non-core repositories on May 12, and two OpenAI employee devices were compromised in the same wave.

TeamPCP, which Google Threat Intelligence Group formally tracks as UNC6780, then tried to sell what it stole. The group first demanded at least $50,000 for the GitHub trove on a criminal forum.

When no buyer immediately surfaced, it raised the asking price to $95,000.

The new listing appeared to pair the group with the Lapsus$ extortion crew, and it came with a threat: TeamPCP promised to delete the data once paid and to leak it for free if no one bought it.

This Is the Seventh Wave, Not the First

None of this is new behavior for the group. Trend Micro has documented at least seven confirmed TeamPCP attack waves since March 2026, a steady march through the tools that sit underneath everyone else's software: Trivy, Checkmarx KICS, LiteLLM, Telnyx, Bitwarden CLI, TanStack, and now the Nx ecosystem. The pattern is consistent across all of them, and it has very little to do with technical brilliance.

The weapon is trust. A verified-publisher badge, a high install count, and distribution through an official marketplace are exactly the signals that make an engineer install something without a second thought. As Charlie Eriksen of Aikido Security put it to Help Net Security, VS Code extensions have full access to everything on a developer's machine, including credentials, cloud keys, and SSH keys. The community keeps getting faster at catching these attacks. The attack model already accounts for that. It needs minutes, not days.

That dynamic should feel familiar to anyone who followed the npm worm that poisoned 317 packages in 20 minutes earlier in May, or the PyTorch Lightning compromise that lasted 42 minutes. The interpreted, plain-text world of extensions and packages runs on a different security layer than the compiled binaries that traditional endpoint detection was built to watch. Auto-update turns a single stolen publisher credential into a global push channel with no review gate in front of it.

The Other Read on This

Not everyone frames the 18-minute window as a failure. Some security engineers point out that the open-source community detected and removed a backdoored build of a 2.2-million-install extension faster than most corporate security teams could have convened a meeting, and argue that the layered registry response, Marketplace plus Open VSX plus the maintainers, is evidence the ecosystem's defenses are maturing, not collapsing.

Narwhal Technologies has responded with concrete changes rather than blame. Cross acknowledged in a public post-incident report that the malicious version was uploaded "without manual approval" from other Nx administrators, and said the publishing pipeline now requires two administrators to sign off on any release. "A lot of the assumptions the ecosystem has operated under for years no longer hold," he wrote, adding that his team has started conversations with other high-profile open-source maintainers about the deeper structural problems in software supply chain security. The fix, in other words, is being treated as a community problem, not a single vendor's mistake.

What Practitioners Should Do This Week

If you run the Nx build system, TanStack, the Mistral AI SDKs, or Grafana tooling, the guidance from GitHub and the responding security firms is direct, and it has a deadline attached to the past.

Immediate Action Required

Any developer who had Nx Console installed and running between 12:30 and 12:48 p.m. UTC on May 18 should assume their machine was compromised and act now.
  • Rotate every credential that may have been on a developer machine during the window: npm tokens, GitHub personal access tokens, AWS keys, and anything stored in 1Password.
  • Audit your extension inventory and enforce an allowlist of approved VS Code extensions across developer workstations.
  • Review CI/CD pipeline permissions for signs of lateral movement, the exact gap that cost Grafana Labs its codebase.
  • Check macOS endpoints for the cat.py backdoor at /Users/%/.local/share/kitty/cat.py.
  • Upgrade Nx Console to version 18.100.0 or later, which the maintainers released to remediate the issue.
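
The extension-inventory, version, and cat.py checks from the list above as a script (an added example, not code from Nx, GitHub, or the firms quoted here). It assumes the default ~/.vscode/extensions install location and that Nx Console's Marketplace identifier is nrwl.angular-console, which the article does not state; the function and parameter names are illustrative.

```python
import json
from pathlib import Path

POISONED = (18, 95, 0)   # backdoored version named in the article
FIXED = (18, 100, 0)     # first remediated release per the article
BACKDOOR = Path(".local/share/kitty/cat.py")  # macOS path from the article

def parse_version(text):
    """'18.95.0' or '18.95.0-beta.1' -> (18, 95, 0)."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split(".")[:3])

def audit_home(home, ext_id="nrwl.angular-console", allowlist=None):
    """Return (severity, message) findings for one user's home directory.

    ext_id is an assumption (confirm it against your own inventory);
    allowlist is an optional set of approved lowercase 'publisher.name' ids.
    """
    home, findings = Path(home), []
    # VS Code unpacks each extension to ~/.vscode/extensions/<id>-<version>/
    for manifest in sorted((home / ".vscode" / "extensions").glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            ident = f"{meta['publisher']}.{meta['name']}".lower()
            version = parse_version(meta["version"])
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            findings.append(("warn", f"unreadable manifest: {manifest}"))
            continue
        if allowlist is not None and ident not in allowlist:
            findings.append(("warn", f"not on allowlist: {ident}"))
        if ident == ext_id.lower():
            if version == POISONED:
                findings.append(("critical", f"poisoned build on disk: {manifest.parent}"))
            elif version < FIXED:
                findings.append(("warn", f"{ident} {meta['version']} is older than 18.100.0"))
    # The persistent backdoor the article says was dropped on macOS
    if (home / BACKDOOR).is_file():
        findings.append(("critical", f"backdoor file present: {home / BACKDOOR}"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_home(Path.home()):
        print(f"[{severity}] {message}")
```

A clean result does not clear a machine: a later auto-update may already have replaced the 18.95.0 folder, so the credential rotation above still applies to anyone who ran Nx Console during the window.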

The breach now carries the identifier CVE-2026-48027, and GitHub has pledged a full post-incident report once its investigation closes.

The Bottom Line

The scariest detail of this breach is not the 3,800 repositories or the ransom listing. It is how ordinary the entry point was. A developer at GitHub, a company whose entire business is hosting and securing code, did nothing wrong by the usual rules. They had a popular, verified extension installed, and they let it update itself, which is what every guide on the internet tells you to do.

The supply chain attack has quietly become the most reliable way to reach a high-value target, because it inverts the defender's instincts. The tools engineers are told to trust are precisely the ones with full read access to their secrets, and the auto-update mechanisms that keep those tools patched are the same mechanisms that ship a backdoor to six thousand machines before anyone notices. TeamPCP did not beat GitHub's security. It borrowed a credential and walked through a door the whole industry leaves open on purpose.

The window was 18 minutes. The question every engineering org should be sitting with is simpler and harder: how long is your own window, and would you even know it had opened?
