VS Code Extension Breach Exposes 3,800 GitHub Repositories

Security reporting shows a coordinated developer-supply-chain campaign that reached major developer platforms. SecurityWeek reports GitHub confirmed that approximately 3,800 internal repositories were accessed after an employee installed a poisoned Visual Studio Code extension, and BleepingComputer and Notebookcheck identify the trojanized extension as a malicious build of Nx Console 18.95.0 that was live on the Visual Studio Marketplace for roughly 18 minutes. Notebookcheck and BleepingComputer link the compromise to the broader TanStack npm and PyPI campaign, which researchers and multiple outlets have codenamed "Mini Shai-Hulud" and attribute to threat actor group TeamPCP.

Notebookcheck reports the initial TanStack compromise exploited multiple packages and references a tracked vulnerability, CVE-2026-45321, with a CVSS score reported at 9.6. Per Notebookcheck and Tom's Hardware, the poisoned extension executed a startup shell command that downloaded a hidden package from a planted commit and deployed a credential-stealing payload targeting local vaults and tokens (examples named by reporting include 1Password, npm tokens, GitHub tokens, and cloud credentials). Tom's Hardware describes a related compromise of the mistralai PyPI package that silently downloaded a second-stage payload named transformers.pyz and executed it on Linux, with credential-exfiltration logic and geo-aware behavior noted in reporting.

BleepingComputer and SecurityWeek report GitHub rotated critical secrets, secured the affected device, and said its current assessment is that the activity involved exfiltration of internal GitHub repositories only. Notebookcheck quotes GitHub CISO Alexis Wales saying there is "no evidence of impact to customer information stored outside of GitHub's internal repositories." OpenAI published an advisory reported by BleepingComputer saying two employee devices were breached, that limited internal repositories to which those employees had access showed unauthorized access, and that OpenAI rotated code-signing certificates and isolated affected systems.

Editorial analysis: Public reporting frames this incident as part of an escalating pattern of supply-chain intrusions targeting developer tooling and packages. Observed campaigns in 2026, as documented by Notebookcheck, BleepingComputer, and Tom's Hardware, have repeatedly abused package ecosystems and developer IDE extensions to harvest CI/CD and cloud credentials.

Editorial analysis: Organizations tracking comparable incidents should prioritize visibility on developer endpoints and extension installs, credential rotation processes, and pipeline-level segmentation. Industry reporting highlights that a single compromised developer workstation can enable lateral access into CI/CD systems and internal repos when tokens and secrets are available on-device.

Follow GitHub's promised full incident report (SecurityWeek) for a timeline and root-cause details, monitor OpenAI advisories for any updates to impacted artifacts (BleepingComputer), and watch technical write-ups from Microsoft and independent researchers for indicators of compromise and extracted IoCs related to the mistralai and TanStack packages (Tom's Hardware). Observers will also look for any vetted attribution updates around TeamPCP as more forensic detail becomes public.

Editorial analysis: Reporting across multiple outlets frames this as a high-impact supply-chain incident that reinforces long-standing operational risks around developer environment security, package provenance, and the blast radius of local credential exposure. Practitioners should treat the event as an example of how quickly developer-facing compromises can cascade into platform-level repository exfiltration, per the public reporting cited above.