Frontierbeat

GitHub’s Own Repos Got Hit—One Poisoned VS Code Extension Was All It Took

GitHub confirmed that roughly 3,800 of its own internal repositories were exfiltrated after an employee installed a malicious Visual Studio Code extension. TeamPCP claimed the breach on an underground forum, offering the stolen source code for $50,000. GitHub acknowledged the incident within five hours.

The attack vector was straightforward: a single poisoned VS Code extension on one employee’s device gave attackers access to thousands of internal code repositories. GitHub immediately rotated critical secrets and said it continues to analyze logs and monitor for follow-on activity.

Developer Workstations Are the New Perimeter

The GitHub breach lands a day after a separate TeamPCP operation compromised the Nx Console VS Code extension, which has over 2.2 million installations. Per StepSecurity’s analysis, the malicious version silently fetched a 498 KB obfuscated payload that harvested tokens from GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password. It exfiltrated data over HTTPS, the GitHub API, and DNS tunneling, and installed a persistent Python backdoor on macOS.

The Nx Console payload also targeted Claude Code configuration files—one of the first known supply chain attacks designed to harvest AI coding assistant credentials. It included Sigstore integration, enabling the attacker to publish downstream npm packages with valid cryptographic provenance. The malicious version was live for approximately 11 minutes before the Nx team pulled it.

According to Palo Alto Unit 42, TeamPCP has compromised Trivy, Checkmarx KICS, LiteLLM, and the Telnyx Python SDK since February 2026, exfiltrating over 300 GB of data from 500,000 infected machines. Aikido Security notes that most security teams have zero visibility into what extensions sit on their developers’ workstations.
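The visibility gap Aikido describes can be narrowed by inventorying installed extensions and comparing them with a reviewed allowlist. The following is an added example, not code from the article or from any vendor named in it. It assumes the default per-user layout in which each extension sits in its own folder with a `package.json` manifest (for example under `~/.vscode/extensions`); the allowlist and all extension names are constructed.

```python
import json
import tempfile
from pathlib import Path

def inventory(ext_root):
    """Return sorted (extension_id, version) pairs found under ext_root."""
    found = []
    for manifest in Path(ext_root).glob("*/package.json"):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            ext_id = f'{meta["publisher"]}.{meta["name"]}'.lower()
            found.append((ext_id, str(meta["version"])))
        except (OSError, ValueError, KeyError, TypeError):
            # Malformed manifest: surface the folder rather than skip it silently.
            found.append((manifest.parent.name.lower(), "unparseable"))
    return sorted(found)

def audit(installed, allowlist):
    """Flag pairs absent from allowlist: {extension_id: [approved versions]}."""
    findings = []
    for ext_id, version in installed:
        if ext_id not in allowlist:
            findings.append((ext_id, version, "not-approved"))
        elif version not in allowlist[ext_id]:
            findings.append((ext_id, version, "unapproved-version"))
    return findings

def demo():
    """Audit a constructed extensions directory (all names are made up)."""
    allowlist = {"example-corp.linter": ["1.4.0"], "example-corp.theme": ["2.0.1"]}
    sample = [("example-corp", "linter", "1.4.0"),   # approved
              ("example-corp", "theme", "2.0.2"),    # approved id, new version
              ("unknown-pub", "helper", "0.0.1")]    # never reviewed
    with tempfile.TemporaryDirectory() as root:
        for pub, name, ver in sample:
            folder = Path(root) / f"{pub}.{name}-{ver}"
            folder.mkdir()
            manifest = {"publisher": pub, "name": name, "version": ver}
            (folder / "package.json").write_text(json.dumps(manifest))
        broken = Path(root) / "broken.ext-9.9.9"
        broken.mkdir()
        (broken / "package.json").write_text("{not json")
        return audit(inventory(root), allowlist)

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="\t")
```

Pinning approved versions, not just extension IDs, matters here because a trusted extension can ship a malicious release, as the article describes for Nx Console.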

GitHub promised a full incident report later. This is the same platform that hosted the CISA contractor repository that exposed AWS GovCloud keys for six months. The developer ecosystem’s attack surface keeps widening—from pre-auth API flaws in AI gateways to poisoned IDE extensions. The common thread: elevated developer trust meets zero endpoint scrutiny.

FAQ

What is TeamPCP?

A supply chain hacking group active since February 2026 that systematically compromises open-source security tools and developer tooling. It has exfiltrated data from an estimated 500,000 machines.

How did the GitHub breach happen?

A GitHub employee installed a malicious VS Code extension, which gave attackers access to the employee’s credentials and approximately 3,800 internal repositories.

Was GitHub user code affected?

GitHub stated the exfiltration involved internal repositories only. The company has rotated critical secrets and is monitoring for follow-on activity.

[Editor’s note: This article was updated on May 20, 2026 to correct two claims. (1) The Nx Console compromise occurred one day before the GitHub breach disclosure, not two days—StepSecurity’s update and Aikido Security’s analysis both confirm GitHub disclosed on May 19, 2026, the day after the Nx Console incident on May 18. (2) The characterization of the Nx Console attack as “the first” supply chain attack targeting AI coding assistant credentials was changed to “one of the first”—Snyk’s analysis of the earlier Mini Shai-Hulud/TanStack attack (May 11, 2026) documents Claude Code credential harvesting and persistence via .claude/settings.json predating the Nx Console incident. Per StepSecurity and Snyk.]
