
GitHub Lost 3,800 Internal Repos in 18 Minutes — A Poisoned 'Nx Console' Extension Was the Front Door

Cybercrime group TeamPCP (UNC6780) exfiltrated ~3,800 of GitHub's internal repositories after an employee installed a trojanized VS Code extension, Nx Console (v18.95.0). The malicious build was live for just 18 minutes — enough to harvest 1Password vaults, Anthropic Claude Code configs (~/.claude/settings.json), and npm/GitHub/AWS tokens. It's part of the 'Mini Shai-Hulud' worm campaign that also hit OpenAI, Mistral and the European Commission.

8 min read · Source: Help Net Security
GitHub internal repos breached via a malicious Nx Console VS Code extension
Source: GitHub

Here's the deal: one extension developers trust every day opened GitHub's insides

On May 18, the cybercrime group TeamPCP (aka UNC6780) exfiltrated about 3,800 of GitHub's internal repositories. The front door was almost insultingly ordinary: a trojanized VS Code extension called Nx Console (nrwl.angular-console, v18.95.0), installed by one GitHub employee. The same extension countless developers have installed at some point became the weapon.

The most chilling detail is the timing. The malicious build was live on the Visual Studio Marketplace for just 18 minutes — 12:30 to 12:48 UTC on May 18. And 18 minutes was plenty. The moment a developer opened any workspace, the extension silently ran a shell command that pulled a 498 KB obfuscated payload from a dangling orphan commit hidden inside the official nrwl/nx GitHub repo. Hiding it in the legitimate repo made it sneakier.

The payload was a credential stealer. Its targets: (1) 1Password vaults, (2) Anthropic Claude Code's config file (~/.claude/settings.json), and (3) npm, GitHub and AWS tokens. The fact that an AI coding tool's config file was a target is the signature of this era — the credentials of AI agents living on developer machines are now top-tier loot.

And this wasn't a one-off. It's part of the "Mini Shai-Hulud" worm campaign. It began May 11 across TanStack's npm ecosystem (170+ packages; CVE-2026-45321, CVSS 9.6), and the damage didn't stop at GitHub. It also caught OpenAI (two infected employee devices; its macOS app code-signing cert to be fully revoked June 12), Mistral AI (a $25K Monero extortion demand), the European Commission, and Grafana Labs. GitHub said the attacker's "claim of ~3,800 repositories is directionally consistent" with its investigation.

The players — TeamPCP, GitHub, Nx, and the AI labs caught in it

TeamPCP (UNC6780). A group that's built notoriety with large-scale software supply-chain attacks. Its hallmark is smart targeting — it goes after open-source projects and security-adjacent tools that developers broadly depend on, picking high-leverage points where one breach cascades to thousands downstream. It's reportedly trying to sell the stolen data.

GitHub. Peak irony. The platform the world's developers trust with their code got its insides looted via a staffer's trojanized extension. GitHub CISO Alexis Wales is leading the response. GitHub drew a line — "no evidence customer data outside internal repos was affected" — but the trust hit is unavoidable.

Nx / nrwl. Nx Console is a popular VS Code extension for the Nx monorepo toolchain. Nx CEO Jeff Cross said the company is working with Microsoft and GitHub on impact, warning the real install count may exceed 6,000 — far above Microsoft's initial figure of 28. The first domino was an Nx developer's system getting popped in the TanStack fallout.

The AI labs caught in it. OpenAI had two employee devices infected and will fully revoke its macOS app code-signing certificate on June 12. Mistral got a $25K Monero extortion demand; the EU Commission and Grafana Labs trace to the same root (TanStack → Nx). With AI coding-tool configs as targets, this campaign is a wake-up call for supply-chain security in the AI-dev-tooling era.

What happened — how the attack chain worked

Stage 1: TanStack npm compromise (May 11). It started with 170+ packages in the popular TanStack npm ecosystem being poisoned. Tracked as CVE-2026-45321 (CVSS 9.6), it infected systems of developers and orgs depending on TanStack — including an Nx developer's machine.

Stage 2: Nx Console extension trojanized (May 18). Using the popped Nx developer credentials, the attacker published the malicious v18.95.0 to the Marketplace. Just 18 minutes — but developer machines with auto-update on grabbed it in that window. On launch, the extension fetched and ran the payload via a shell command.

Stage 3: credential theft. The payload collected 1Password vaults, ~/.claude/settings.json (Claude Code tokens), and npm/GitHub/AWS tokens. The broad permissions AI coding agents hold (repo access, deploy rights) risked landing straight in attacker hands.

Stage 4: GitHub internal access. With the infected GitHub employee's credentials, the attacker accessed and exfiltrated about 3,800 internal repositories. GitHub says customer data (external repos) is unaffected, but the leak of internal code and configs can become a blueprint for future attacks.

| Stage | When | What | Key risk |
| --- | --- | --- | --- |
| TanStack compromise | May 11 | 170+ npm packages poisoned (CVE-2026-45321) | Broad downstream infection |
| Nx Console trojanized | May 18, 12:30 UTC | Malicious v18.95.0 published (18 min) | Spread via auto-update |
| Credential theft | May 18 | 1Password / Claude config / tokens collected | AI agent permissions stolen |
| GitHub intrusion | May 18–20 | ~3,800 internal repos exfiltrated | Internal code/config exposed |

Who gains, who loses

The attacker (TeamPCP). Massive leverage. An 18-minute window netted GitHub's 3,800 internal repos plus credentials from multiple AI labs. It's monetizing directly via data sales and extortion (the Mistral case). It re-proved that hitting "developer trust infrastructure" maximizes ROI.

GitHub / Microsoft (loss). The trust hit is the big one. Both the Marketplace's extension vetting (it allowed a malicious publish even for 18 minutes) and employee endpoint security are now under scrutiny. The fast detection, disclosure and cert revocation earn some credit for transparency.

A jolt for the AI-coding-tool ecosystem. Anthropic Claude Code, OpenAI and other agent tools learned that config files like ~/.claude/settings.json are prime targets. The more powerful the agent, the more essential credential protection, least-privilege, and token rotation become. Call it forced security maturity, not a loss.

The security industry (gain). Demand surges for supply-chain security firms — StepSecurity, Socket, Sophos, ox.security. "Don't trust extensions or packages by default" — zero-trust supply-chain security — just got an empirical proof point.

Precedents — wins and failures

Shai-Hulud worm (2025). The namesake of this "Mini Shai-Hulud." A worm that self-replicated through the npm ecosystem, stealing credentials and re-infecting packages. It first seared the danger of self-propagating supply-chain worms into public consciousness. This is a smaller variant arriving via the VS Code extension route.

SolarWinds (2020). The textbook supply-chain attack. A backdoor planted in the build system shipped to 18,000 customers. It showed that a "trusted update channel" can be weaponized. The Nx case rhymes — a "trusted Marketplace update" played the same role.

xz utils backdoor (2024). A sophisticated long-game attempt to plant a backdoor in a core open-source library. Caught in time, but it exposed the fragility of the open-source dependency chain. The TanStack → Nx → GitHub cascade is exactly that chained risk made real.

Codecov (2021). The CI tool's Bash uploader was tampered with, leaking customer environment variables (tokens). It proved the formula "dev tools = a trove of credentials." Here too the target was precisely credentials — only now with AI agent tokens added.

How the defenders counter

Microsoft (VS Code Marketplace). Tighter extension vetting is unavoidable — pre-publish signature checks, anomaly detection, and fast post-publish takedown. That "18 minutes" was possible at all exposes a gap in automated review.

Supply-chain security firms (Socket, StepSecurity, ox.security). Expect "extend monitoring to IDE extensions and CI plugins" as the sales pitch. Demand grows for install-time behavior analysis, token-leak detection, and dangling-commit scanning.

AI coding tool vendors (Anthropic, OpenAI, Cursor). Look for built-in defenses: config encryption, short-lived auto-rotating tokens, least-privilege defaults, and blocking suspicious shell execution. They have to solve the paradox — the more powerful the agent, the worse the blast radius when stolen — in product design.

Enterprise security teams. Re-examine developer-endpoint EDR, extension allowlists, and auto-update policy. Assuming "developers will install anything for convenience," the counter is extending zero-trust into the IDE and CI layers.

So what actually changes — by persona

Developers. The most direct lesson: don't blindly trust auto-updates for VS Code extensions and npm packages. (1) Reconsider extension auto-update; (2) audit and rotate AI-tool configs/tokens like ~/.claude/settings.json; (3) harden your password-manager master security. If you pulled v18.95.0, rotate all credentials immediately.

AI agent users. If you use Claude Code or Codex, understand what those tokens can do first. A leaked token with repo-write or deploy rights is high-blast-radius. Use least-privilege tokens, short expiry, and suspicious-activity alerts.

Security / platform teams. Bring IDE extensions and CI plugins into your SBOM scope. Marketplace trust alone is proven insufficient. Prioritize extension allowlists, behavior-based detection, and automated credential rotation.
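The two checks above (did this machine pull the compromised build, and is anything installed that is not on the allowlist) can be automated against the output of `code --list-extensions --show-versions`, which prints one `publisher.name@version` per line. This is an added example, not code from the article or from GitHub, Nx or any vendor it names; the allowlist and the sample inventory are constructed, and the only real identifier is the nrwl.angular-console 18.95.0 build the article describes.

```python
from dataclasses import dataclass

# The trojanized build the article identifies: Nx Console (nrwl.angular-console) v18.95.0.
KNOWN_BAD = {("nrwl.angular-console", "18.95.0")}

# Constructed allowlist of approved extension ids; a real one is maintained centrally.
ALLOWLIST = {"ms-python.python", "nrwl.angular-console", "esbenp.prettier-vscode"}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_INVENTORY = """\
ms-python.python@2024.4.1
nrwl.angular-console@18.95.0
esbenp.prettier-vscode@10.4.0
unknown-publisher.helper-tool@0.0.3
"""

@dataclass(frozen=True)
class Finding:
    extension: str
    version: str
    reason: str

def parse_inventory(text: str) -> list[tuple[str, str]]:
    """Split `publisher.name@version` lines into (id, version); ids compare case-insensitively."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "@" not in line:
            continue  # blank line or not an extension entry
        ext_id, _, version = line.rpartition("@")
        pairs.append((ext_id.lower(), version))
    return pairs

def audit(text: str, allowlist=ALLOWLIST, known_bad=KNOWN_BAD) -> list[Finding]:
    """Flag known-compromised builds first, then anything not on the allowlist."""
    findings = []
    for ext_id, version in parse_inventory(text):
        if (ext_id, version) in known_bad:
            findings.append(Finding(ext_id, version, "known compromised build; rotate all credentials"))
        elif ext_id not in allowlist:
            findings.append(Finding(ext_id, version, "not on extension allowlist"))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.extension}@{f.version}: {f.reason}")
```

Feed it the real inventory with `code --list-extensions --show-versions | python3 audit.py` style piping, or run it from an endpoint-management job against each developer machine.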

Executives / CISOs. This signals that AI-era supply-chain attacks target credentials and AI agent permissions together. It's justification to extend security budget beyond endpoints into the developer toolchain layer. Design assuming "we, too, can be breached via a single employee laptop, like GitHub."

Policy and regulators. Tellingly, this hit the very week Trump scrapped his AI security executive order. Expect it cited as counter-evidence that "AI security threats are real." It could give momentum to SBOM mandates and stronger extension-marketplace accountability.
