
VS Code Extension Breach Exposes 3,800 GitHub Repositories

By LDS Team
Relevance Score: 8.7

GitHub confirmed that approximately 3,800 internal repositories were accessed after a poisoned Visual Studio Code extension was installed on a developer device, according to SecurityWeek and BleepingComputer. Notebookcheck and BleepingComputer report the malicious build was a trojanized version of Nx Console 18.95.0 that was published to the Visual Studio Marketplace for about 18 minutes and is linked to the broader TanStack npm/PyPI compromise. Multiple outlets attribute the campaign, codenamed "Mini Shai-Hulud," to threat actor group TeamPCP (Notebookcheck, BleepingComputer, Tom's Hardware). OpenAI confirmed two employee devices were breached and rotated code-signing certificates, per BleepingComputer and OpenAI advisories. Tom's Hardware and other reporting say a compromised mistralai PyPI package and other tainted packages were part of the same campaign.

What happened

Security reporting shows a coordinated developer-supply-chain campaign that reached major developer platforms. SecurityWeek reports GitHub confirmed that approximately 3,800 internal repositories were accessed after an employee installed a poisoned Visual Studio Code extension, and BleepingComputer and Notebookcheck identify the trojanized extension as a malicious build of Nx Console 18.95.0 that was live on the Visual Studio Marketplace for roughly 18 minutes. Notebookcheck and BleepingComputer link the compromise to the broader TanStack npm and PyPI campaign, which researchers and multiple outlets have codenamed "Mini Shai-Hulud" and attribute to threat actor group TeamPCP.

Technical details

Notebookcheck reports the initial TanStack compromise exploited multiple packages and references a tracked vulnerability, CVE-2026-45321, with a CVSS score reported at 9.6. Per Notebookcheck and Tom's Hardware, the poisoned extension executed a startup shell command that downloaded a hidden package from a planted commit and deployed a credential-stealing payload targeting local vaults and tokens (examples named by reporting include 1Password, npm tokens, GitHub tokens, and cloud credentials). Tom's Hardware describes a related compromise of the mistralai PyPI package that silently downloaded a second-stage payload named transformers.pyz and executed it on Linux, with credential-exfiltration logic and geo-aware behavior noted in reporting.

What was affected and vendor responses

BleepingComputer and SecurityWeek report GitHub rotated critical secrets, secured the affected device, and said its current assessment is that the activity involved exfiltration of internal GitHub repositories only. Notebookcheck quotes GitHub CISO Alexis Wales saying there is "no evidence of impact to customer information stored outside of GitHub's internal repositories." OpenAI published an advisory reported by BleepingComputer saying two employee devices were breached, that limited internal repositories to which those employees had access showed unauthorized access, and that OpenAI rotated code-signing certificates and isolated affected systems.

Industry context

Editorial analysis: Public reporting frames this incident as part of an escalating pattern of supply-chain intrusions targeting developer tooling and packages. Observed campaigns in 2026, as documented by Notebookcheck, BleepingComputer, and Tom's Hardware, have repeatedly abused package ecosystems and developer IDE extensions to harvest CI/CD and cloud credentials.

For practitioners

Editorial analysis: Organizations tracking comparable incidents should prioritize visibility on developer endpoints and extension installs, credential rotation processes, and pipeline-level segmentation. Industry reporting highlights that a single compromised developer workstation can enable lateral access into CI/CD systems and internal repos when tokens and secrets are available on-device.
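One way to get the extension-install visibility described above, shown as an added example that is not code from any of the cited reports or vendors: a small inventory pass over a VS Code extensions directory that flags the Nx Console 18.95.0 build named in the reporting and notes which extensions activate at startup. Matching on `displayName`, the `example-publisher` names, and every version other than 18.95.0 are assumptions or constructed sample data.

```python
import json
import tempfile
from pathlib import Path

# Name and version as given in the reporting above; matching on displayName is an
# assumption of this example (prefer the marketplace ID from a vendor advisory).
BLOCKLIST = {("nx console", "18.95.0")}
STARTUP_EVENTS = {"*", "onStartupFinished"}  # activation events that load at startup

def audit_extensions(ext_dir, blocklist=BLOCKLIST):
    """Return one finding per <publisher>.<name>-<version>/package.json under ext_dir."""
    findings = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            if not isinstance(meta, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            findings.append({"dir": manifest.parent.name, "status": "unreadable"})
            continue
        label = str(meta.get("displayName") or meta.get("name") or "").strip().lower()
        version = str(meta.get("version", "")).strip()
        raw = meta.get("activationEvents")
        events = {e for e in (raw if isinstance(raw, list) else []) if isinstance(e, str)}
        status = "blocklisted" if (label, version) in blocklist else "ok"
        findings.append({
            "dir": manifest.parent.name, "status": status,
            "version": version,
            "runs_at_startup": bool(events & STARTUP_EVENTS),
        })
    return findings

def build_sample(root):
    """Write a constructed install tree; publisher and the other versions are made up."""
    rows = [("nx-console", "Nx Console", "18.95.0", ["onStartupFinished"]),
            ("nx-console", "Nx Console", "18.94.0", ["onStartupFinished"]), ("theme", "Sample Theme", "1.0.0", [])]
    for name, display, version, events in rows:
        d = Path(root) / f"example-publisher.{name}-{version}"
        d.mkdir(parents=True)
        meta = {"publisher": "example-publisher", "name": name, "displayName": display,
                "version": version, "activationEvents": events}
        (d / "package.json").write_text(json.dumps(meta), encoding="utf-8")
    broken = Path(root) / "example-publisher.broken-0.0.1"
    broken.mkdir()
    (broken / "package.json").write_text("{not json", encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*audit_extensions(tmp), sep="\n")
```

On a real endpoint, point `audit_extensions` at the user's extensions directory (by default `~/.vscode/extensions`) and collect the findings centrally; unreadable manifests are reported rather than skipped so they can be reviewed.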

What to watch

Follow GitHub's promised full incident report (SecurityWeek) for a timeline and root-cause details, monitor OpenAI advisories for any updates to impacted artifacts (BleepingComputer), and watch technical write-ups from Microsoft and independent researchers for indicators of compromise related to the mistralai and TanStack packages (Tom's Hardware). Observers will also look for any vetted attribution updates around TeamPCP as more forensic detail becomes public.

Bottom line

Editorial analysis: Reporting across multiple outlets frames this as a high-impact supply-chain incident that reinforces long-standing operational risks around developer environment security, package provenance, and the blast radius of local credential exposure. Practitioners should treat the event as an example of how quickly developer-facing compromises can cascade into platform-level repository exfiltration, per the public reporting cited above.

Key Points

  1. A poisoned VS Code extension, identified as Nx Console 18.95.0, was live for about 18 minutes and enabled access to roughly 3,800 internal GitHub repos.
  2. The breach is tied to the TanStack npm/PyPI campaign, codenamed "Mini Shai-Hulud," which reporting attributes to TeamPCP and includes compromised PyPI packages like mistralai.
  3. Industry reporting highlights that developer endpoints and IDE extensions remain high-value vectors, increasing the need for endpoint visibility and rapid secret rotation processes.

Scoring Rationale

This incident compromises major developer infrastructure (GitHub, OpenAI, Mistral AI) and involves widespread package and extension poisoning, making it a high-impact supply-chain event with broad operational implications for practitioners.
