Terminal window with green code on a dark screen

TL;DR:

  • What happened: TeamPCP (tracked as UNC6780) poisoned the Nx Console VS Code extension (used by 2.2 million developers) and used it to breach GitHub’s internal infrastructure. They exfiltrated roughly 3,800 internal repositories. The malicious extension was live on the VS Code Marketplace for just 11 minutes before being pulled. [1][2]
  • How it worked: The attackers first stole a contributor’s personal access token in a separate attack, used it to push an “orphan commit” containing malware to the Nx repository, then published a poisoned version (v18.95.0) to the VS Code Marketplace. VS Code’s auto-update delivered it instantly to anyone with Nx Console installed. [2][3]
  • The worm: The payload deployed Mini Shai-Hulud, a self-replicating credential-stealing worm that harvests GitHub tokens, npm credentials, AWS keys, SSH keys, and Vault secrets, then uses those stolen credentials to automatically publish infected versions of every package the victim maintains. One compromised developer becomes a vector for hundreds of downstream attacks. [2][3]
  • Who else got hit: The same worm already compromised TanStack (84 malicious versions across 42 packages), OpenAI, Mistral AI, Grafana Labs, and organizations in the @uipath, @opensearch-project, and @antv npm namespaces. [2][3]
  • The ask: TeamPCP is selling the stolen GitHub repos for $95,000 and threatens to leak them publicly if nobody buys. [1]

Eleven Minutes Was Plenty

At 12:36 UTC on May 18, 2026, a poisoned version of Nx Console hit the VS Code Marketplace. At 12:47 UTC (eleven minutes later) it was detected and pulled. [2]

Eleven minutes. That was enough time for VS Code’s auto-update to push version 18.95.0 to machines around the world, including at least one GitHub employee’s workstation. The extension looked and behaved like the real Nx Console. It ran the same UI, handled the same workspace tools. But on startup, it silently executed a single shell command that downloaded a credential stealer. [1][2]

Security researcher Charlie Eriksen put it bluntly: “VS Code extensions have full access to everything on the developer’s machine, including credentials, cloud keys, and SSH keys.” [1]

The result: TeamPCP walked out with approximately 3,800 of GitHub’s internal repositories. GitHub confirmed the breach on May 20, stating they found “no evidence of customer data theft outside internal repos,” though the investigation is ongoing. GitHub said: “Critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first.” [1]

The Attack Chain: Stolen Token to Corporate Breach

This wasn’t a smash-and-grab. TeamPCP built on weeks of prior compromise.

First, they stole a personal access token from a contributor to the nrwl/nx repository, likely during an earlier supply chain attack. That token gave them push access to the repo and, critically, VS Code Marketplace publishing credentials (VSCE_PAT). [2]

On May 18 at 03:18 UTC, the attackers pushed an “orphan commit” (557b09d7) to the Nx repo with a spoofed author identity. The commit replaced the legitimate monorepo with two files: a package.json and an obfuscated index.js totaling 498 KB. Nine hours later, they published nrwl.angular-console v18.95.0 to the Marketplace with 2,777 bytes of malicious code injected into the minified main.js. [2]

The timeline:

  • May 18, 03:18 UTC: Orphan commit pushed to nrwl/nx with spoofed identity
  • May 18, 12:36 UTC: Poisoned extension v18.95.0 published to Marketplace
  • May 18, 12:47 UTC: Extension detected and pulled (11 minutes live)
  • May 19: GitHub detects internal compromise; Wiz Research publishes analysis
  • May 20: GitHub confirms 3,800-repo exfiltration

Mini Shai-Hulud: The Worm That Eats Developer Trust

The payload inside the poisoned extension wasn’t just a credential stealer. It was Mini Shai-Hulud, a self-replicating supply chain worm that TeamPCP first deployed in 2025 and has been refining ever since. [2][3]

Here’s how it works, and it’s more sophisticated than anything the supply chain attack space has seen before.

Stage 1: Silent execution. When a developer opens a workspace, the injected code creates a hidden background task that downloads the Bun runtime via npx from the orphan commit. Before doing anything destructive, it checks anti-analysis gates: CPU count must exceed 3, it excludes GitHub Actions environments, and it applies geolocation filtering based on timezone and locale. Lock files prevent duplicate execution. [2]

Stage 2: Credential harvest. Six parallel collector classes run simultaneously, targeting:

  • Vault tokens and authentication endpoints
  • npm configuration and OIDC publishing tokens
  • AWS IMDS and ECS metadata credentials
  • GitHub tokens via pattern matching and /proc/[pid]/mem scraping
  • Filesystem scanning for private keys and connection strings
  • 1Password vault access via the op CLI

That /proc/[pid]/mem technique is particularly nasty. It scrapes the memory of running GitHub Actions Runner processes, looking for the “isSecret:true” JSON envelope that marks masked secrets. It extracts secret values directly from process memory. [2]

Stage 3: Self-replication. This is what makes Mini Shai-Hulud a worm, not just malware. Once it has your npm publishing credentials, its findNpmTokens() routine enumerates every package you can publish. Then it republishes each one with the worm attached as a preinstall hook. One compromised developer becomes a vector for every downstream user of every package they maintain. [2]

In the May 11 TanStack wave alone, this mechanism produced 84 malicious versions across 42 packages, which spread to over 170 downstream packages including @uipath, @mistralai, and @opensearch-project. [2]

Three Ways Out, All Encrypted

Harvested credentials are buffered until they reach a 102,400-byte threshold, then dispatched through three independent exfiltration channels: [2]

  • HTTPS POST to double-encrypted command-and-control domains using PBKDF2 with 200,000 SHA-512 iterations
  • GitHub API exfiltration: creating commits and releases on victim repositories (hiding stolen data in the victim’s own infrastructure)
  • DNS tunneling as a fallback channel

All data uses hybrid AES-256-GCM plus RSA-OAEP encryption with zlib compression. If the collection succeeds, the payload writes a Python backdoor to ~/.local/share/kitty/cat.py and registers it as a macOS LaunchAgent with hourly polling. The backdoor queries the GitHub API for specially crafted commit messages containing base64-encoded payloads signed with RSA-PSS, using GitHub itself as a dead-drop channel that corporate firewalls rarely block. [2]

It Forges the Safety Stamps Too

Here’s the detail that should keep security engineers up at night.

With stolen OIDC tokens, Mini Shai-Hulud can publish npm packages with valid, verifiable Sigstore provenance attestations. These packages pass signature verification and SLSA validation. The industry has spent years building signed-provenance systems as a defense against supply chain attacks. This worm defeats that defense by forging the attestations using the victim’s own credentials. [2]

Your package has a valid signature. It passes every automated supply chain security check. And it’s compromised.

The Body Count So Far

GitHub isn’t the only victim. TeamPCP has been running this playbook for months, and the list keeps growing: [1][2][3]

  • GitHub: ~3,800 internal repositories exfiltrated (May 18-20)
  • TanStack: 84 malicious versions across 42 packages, spreading to 170+ downstream packages (May 11)
  • OpenAI: Employee device compromises during the TanStack wave
  • Mistral AI: Employee device compromises; @mistralai npm namespace infected
  • Grafana Labs: Employee device compromises
  • @antv namespace: 317+ malicious versions across two attack waves
  • Aqua’s Trivy security scanner, CheckMarx’s KICS, LiteLLM, and the Telnyx SDK: all previously compromised

TeamPCP is selling the GitHub repos for $95,000 and threatening to leak everything if nobody pays. [1]

Your IDE Is a Surveillance Vector Now

The surveillance angle here is straightforward: your development tools have become attack surfaces for mass credential harvesting.

VS Code extensions run with the same permissions as your user account. They can read every file, access every credential store, scrape process memory, and phone home to any server. The Marketplace’s review process failed to prevent a poisoned extension from reaching 2.2 million potential targets. Auto-update meant a single compromised developer’s workstation became a foothold into GitHub’s entire internal codebase. [1][2]

None of these compromises produced a CVE. Traditional vulnerability scanners don’t flag malicious extensions because they’re not looking for working malware in your IDE. They’re looking for known bugs in libraries. Mini Shai-Hulud exploits features working as designed. VS Code auto-execution, npm lifecycle scripts, GitHub API access: all legitimate functionality, all weaponized. [2]

This is what Phoenix Security calls the “zero-CVE supply chain gap”: attacks that operate entirely outside traditional vulnerability detection frameworks. [2]

What You Can Do Right Now

  • Update Nx Console to v18.100.0 or later immediately [2]
  • Rotate everything. If you had Nx Console installed between May 18 12:36 and 12:47 UTC, rotate all credentials reachable from your machine: GitHub tokens, npm tokens, AWS keys, SSH keys, Vault secrets, everything
  • Check for persistence. Look for ~/.local/share/kitty/cat.py and any unexpected macOS LaunchAgent entries. Remove them
  • Set task.allowAutomaticTasks to “off” in your VS Code settings. This prevents extensions from auto-executing tasks on workspace open
  • Set ignore-scripts=true in your CI npm configuration to block lifecycle script attacks
  • Lock down your VS Code extensions. Maintain an allowlist. Don’t auto-update extensions from the Marketplace without review
  • Watch for indicators: Unexpected bun or bunx processes, outbound connections from VS Code to non-vendor domains, /proc/[pid]/mem reads from CI runners, DNS queries to *.lhr.life or *.icp0.io [2]
  • Audit your npm publishing scope. Check every package you have publish access to. If you were compromised, the worm may have already published infected versions under your name

The Bigger Picture

Mini Shai-Hulud isn’t a one-off attack. It’s infrastructure for automating supply chain compromise at scale. One stolen token cascades into hundreds of poisoned packages, each carrying the worm to the next set of victims. The PyTorch Lightning attack in early May used the same worm. The Telnyx SDK compromise was the same group.

TeamPCP has figured out that developer trust infrastructure (package registries, extension marketplaces, CI/CD systems) is the softest target in the software supply chain. They’re not finding bugs. They’re exploiting the fact that developers install tools and trust them implicitly.

Eleven minutes. 3,800 repos. One VS Code extension. The math on developer trust just changed.

Sources

  1. Help Net Security: TeamPCP breached GitHub’s internal codebase via poisoned VS Code extension (May 20, 2026)
  2. Phoenix Security: GitHub Internal Repository Breach via Poisoned VS Code Extension: TeamPCP Exfiltrates 3,800 Repos Through the Developer Trust Surface (May 2026)
  3. The Hacker News: GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension (May 2026)
  4. VentureBeat: GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft’s Python SDK (May 2026)
  5. OX Security: TeamPCP Strikes Again: How a Trojan VS Code Extension Brought Down GitHub (May 2026)