How TeamPCP Used a Poisoned Nx Console Extension to Breach GitHub's Internal Repositories
A trojanized Nx Console extension sat live on the VS Code Marketplace for under 20 minutes - long enough to exfiltrate 3,800 GitHub-internal repositories.
AnIntent Editorial
A malicious build of the Nx Console VS Code extension was live on the Visual Studio Marketplace for less than 20 minutes on May 18, 2026, and that window was enough for threat actor TeamPCP to exfiltrate roughly 3,800 GitHub-internal repositories. The incident is now tracked as CVE-2026-48027, and it is one of the rare breaches where the malware spent more time hiding inside an official repository than it did sitting on the marketplace.
Nx Console is not a fringe tool. According to StepSecurity's technical writeup, the compromised nrwl.angular-console v18.95.0 build was pushed to a marketplace listing with more than 2.2 million installations, and the extension's verified publisher badge gave the poisoned release a veneer of trust that automated tooling and developers alike honored without question.
The 18-Minute Window That Cost GitHub 3,800 Repositories
Reports of the exposure window disagree by a few minutes. The Hacker News places the malicious build on the marketplace between 12:30 p.m. and 12:48 p.m. UTC, an 18-minute window, while StepSecurity and other trackers log roughly 11 minutes between 12:36 and 12:47 UTC. Both figures come from reporting rather than a single authoritative timeline, and the difference matters less than what happened inside it.
GitHub's own incident response was blunt about scale. Help Net Security quoted GitHub confirming that the attacker's claim of roughly 3,800 repositories was "directionally consistent" with the company's investigation, and that GitHub had "removed the malicious extension version, isolated the endpoint, and began incident response immediately."
GitHub CISO Alexis Wales told The Hacker News the company has "no evidence of impact to customer information stored outside of GitHub's internal repositories," including customer enterprises, organizations, and repositories. That is a meaningful boundary. It is also a narrower assurance than it first reads: internal repositories at a company that runs the world's largest source-code platform are not low-value targets, even if customer data was spared.
TeamPCP is not treating this as contained. Help Net Security reports the group is selling the stolen contents and has threatened to leak the trove if no buyer surfaces, which complicates any clean-shutdown narrative GitHub or Nx would prefer to tell.
How the Nx Console VS Code Extension Compromised Itself From Inside Nx's Own Repo
The most interesting forensic detail is where the payload lived. Cybersecurity News documents that the orphan commit carrying the malware was pushed to the official nrwl/nx GitHub repository at 03:18 UTC, then sat dormant for roughly nine hours before the matching extension build went live at 12:36 UTC. A dangling orphan commit is not reachable from any branch, which means it does not appear in normal repo browsing, but it remains fetchable by anyone who knows the commit hash.
That is the trick. StepSecurity reports that within seconds of a developer opening any workspace, the malicious extension silently fetched and executed a 498 KB obfuscated payload from commit 558b09d7 inside the real nrwl/nx repo. The malware was hosted by its victim, served over GitHub's CDN, and indistinguishable at the network layer from a routine git fetch.
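A defender's check for the condition described above, as an added example rather than code from StepSecurity, Nx or this article: given a local clone and a commit hash, it asks git which branches or tags can reach that commit. The repository built in `demo()` is constructed sample data, the helper names are illustrative, and a `git` binary on PATH is assumed.

```python
import os
import subprocess
import tempfile

def git(repo, *args):
    """Run git inside `repo` with a fixed identity so commits work on a clean machine."""
    env = dict(os.environ,
               GIT_AUTHOR_NAME="demo", GIT_AUTHOR_EMAIL="demo@example.invalid",
               GIT_COMMITTER_NAME="demo", GIT_COMMITTER_EMAIL="demo@example.invalid")
    done = subprocess.run(["git", "-C", repo, *args], env=env, check=True,
                          capture_output=True, text=True)
    return done.stdout.strip()

def refs_containing(repo, commit):
    """Branches and tags from which `commit` is reachable; an empty list means dangling."""
    out = git(repo, "for-each-ref", "--contains", commit, "--format=%(refname)")
    return out.splitlines()

def classify(repo, commit):
    # A commit held in the object store but reachable from no ref never
    # appears in branch or tag browsing, yet it can still be fetched by hash.
    return "reachable" if refs_containing(repo, commit) else "dangling"

def build_constructed_repo(path):
    """Constructed sample: one commit on the branch, one commit left on no ref."""
    git(path, "init", "-q")
    git(path, "commit", "-q", "--allow-empty", "-m", "on branch")
    on_branch = git(path, "rev-parse", "HEAD")
    git(path, "commit", "-q", "--allow-empty", "-m", "left behind")
    left_behind = git(path, "rev-parse", "HEAD")
    git(path, "reset", "-q", "--hard", on_branch)  # branch no longer points at it
    return on_branch, left_behind

def demo():
    with tempfile.TemporaryDirectory() as path:
        on_branch, left_behind = build_constructed_repo(path)
        return classify(path, on_branch), classify(path, left_behind)

if __name__ == "__main__":
    print(demo())
```

A hash that an extension bundle or build script references and that classifies as dangling in the upstream repository is worth escalating, since legitimate release tooling normally pins to tagged or branch-reachable commits.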
The injection footprint inside the extension was almost insulting in its size. Cybersecurity News measured the malicious code added to the minified main.js at just 2,777 bytes. Two-and-a-half kilobytes of loader, pointed at a hidden orphan commit, against a developer base in the millions.
A Payload Designed for Credentials, Not Disruption
The payload does not ransom, deface, or destroy. It harvests. StepSecurity catalogs targets across GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password, with exfiltration split across three independent channels: HTTPS, the GitHub API itself, and DNS tunneling. Three channels means at least one survives most corporate egress filtering.
On macOS, the malware installs a persistent Python backdoor that uses the GitHub Search API as a dead-drop for receiving further commands, signed with a 4096-bit RSA key according to StepSecurity. The dead-drop pattern is rare in open-source supply chain attacks because it requires the attacker to maintain operational discipline across months. TeamPCP built for that timeline from day one.
Two design choices stand out beyond the credential list. The payload skips execution on machines with fewer than four CPU cores and avoids Russian or CIS time zones, per Cybersecurity News, behavior consistent with anti-analysis tradecraft borrowed from commodity malware families rather than typical npm-ecosystem worms.
The quieter, more consequential capability is Sigstore abuse. StepSecurity reports the payload contains full Sigstore integration, including Fulcio certificate issuance and SLSA provenance generation. In plain terms, an attacker holding the stolen credentials of a real Nx maintainer could publish downstream npm packages with valid, cryptographically signed provenance attestations. The packages would not look fake to a verifier. They would look correct. That is the failure mode SLSA was built to prevent, and it suggests TeamPCP studied the defense before they wrote the offense.
The First Supply Chain Payload to Target Claude Code Credentials
One specific file path in the payload deserves separate attention. StepSecurity found the malware reading ~/.claude/settings.json, the local config for Anthropic's Claude Code assistant, which StepSecurity flags as possibly the first supply chain payload designed to harvest AI coding assistant credentials.
This matters because AI coding assistants now hold tokens with broad repository, terminal, and sometimes cloud-deployment scope on behalf of the developer. A stolen Claude Code token is not equivalent to a stolen GitHub PAT. It is equivalent to a stolen GitHub PAT plus whatever shell, MCP, and tool permissions the developer has granted to the agent. As model-driven developer tooling proliferates, those credential blobs become the highest-value items on a developer workstation. TeamPCP is the first crew documented hunting for them at scale. They will not be the last.
How TeamPCP Got the Keys to Publish
The extension was not breached through a marketplace vulnerability. It was breached through a human one. Infosecurity Magazine reports that Jeff Cross, CEO of Nx, confirmed the attacker obtained the GitHub credentials of a legitimate Nx developer through the earlier TanStack npm supply chain compromise, part of a broader campaign the industry has labeled "Mini Shai-Hulud."
Help Net Security describes Mini Shai-Hulud as TeamPCP's adaptation of a self-replicating worm first documented in 2025, designed to largely automate supply chain attacks by stealing CI/CD credentials and then using those credentials to publish infected versions of further packages. The Nx Console push is the visible payoff of that machinery. The Hacker News notes the same TanStack compromise also touched OpenAI, Mistral AI, and Grafana Labs, which makes the developer-workstation blast radius significantly larger than the Nx headline suggests.
Infosecurity Magazine reports the malicious Nx Console version was uploaded "without manual approval" from other Nx administrators, and Cross has since hardened the publishing pipeline to require two admins to manually approve any release. Two-person publish gates are now table stakes for any package with seven-figure install counts. Jeff Cross summed up the broader lesson when he told The Hacker News, "A lot of the assumptions the ecosystem has operated under for years no longer hold."
The Verified Publisher Badge Did the Attacker's Work
A verified publisher badge is meant to be a trust signal. In this incident, it was a weapon. Infosecurity Magazine confirms Nx Console carries a verified publisher badge on the Visual Studio Marketplace, and that badge lent false legitimacy to the malicious version during the minutes it was live.
Microsoft's marketplace verifies publisher identity, not the contents of any given build. That distinction is buried in marketplace documentation and lost on most users. When a developer sees a verified badge on a 2.2-million-install extension, they update. They do not diff the bundle. This is the second Nx incident in under a year. StepSecurity notes the August 2025 "s1ngularity" campaign hit Nx's npm packages directly, and the pattern of repeated targeting suggests TeamPCP, or its predecessor, treats Nx infrastructure as a known-good staging ground.
This is the supply chain attack the developer tools category has been bracing for since the original Shai-Hulud worm. It is no longer theoretical.
What Affected Developers Need to Do Now
Cybersecurity News lays out the remediation path. Anyone who installed or auto-updated Nx Console during the May 18 window should treat their workstation as compromised until proven otherwise.
- Update Nx Console to version 18.100.0 or later.
- Remove backdoor persistence artifacts, including any Python launchd or cron entries on macOS.
- Rotate every credential the payload targets: GitHub PATs, npm tokens, SSH keys, AWS keys, Vault tokens, Kubernetes kubeconfigs, 1Password session tokens, and any secrets stored in .env files.
- Audit GitHub audit logs for unfamiliar git clone activity and unusual GitHub Search API traffic from developer endpoints.
- For teams using Claude Code or similar AI coding assistants, revoke and reissue assistant credentials and review MCP server permissions.
The credential rotation is not optional. Three exfiltration channels means a workstation that ran the payload should be assumed to have leaked everything in scope, even if outbound HTTPS was filtered.
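A triage sketch for the first two steps of the checklist above, added here as an example and not taken from Cybersecurity News, Nx or GitHub. It assumes VS Code's usual `<publisher>.<name>-<version>` extension folder naming and treats any launchd job that invokes Python as something to review, since the article names no specific artifact; the function names and the sample layout in `demo()` are constructed.

```python
import plistlib
import re
import tempfile
from pathlib import Path

EXT_ID = "nrwl.angular-console"  # extension id named in the article
MALICIOUS = (18, 95, 0)          # trojanized build per the article
FIXED = (18, 100, 0)             # remediation target per the article

def nx_console_versions(ext_dir):
    """Versions parsed from VS Code's <publisher>.<name>-<version> folder names."""
    pattern = re.compile(re.escape(EXT_ID) + r"-(\d+)\.(\d+)\.(\d+)")
    hits = (pattern.match(p.name) for p in Path(ext_dir).iterdir())
    return sorted(tuple(map(int, m.groups())) for m in hits if m)

def triage(version):
    if version == MALICIOUS:
        return "compromised"  # isolate the host and rotate every credential
    return "ok" if version >= FIXED else "update"

def python_launch_agents(agents_dir):
    """launchd jobs whose command line mentions python: a review list, not proof."""
    flagged = []
    for plist in sorted(Path(agents_dir).glob("*.plist")):
        try:
            job = plistlib.loads(plist.read_bytes())
            argv = [job.get("Program", ""), *job.get("ProgramArguments", [])]
        except Exception:
            continue  # malformed plist: skip instead of aborting the sweep
        if any("python" in str(arg).lower() for arg in argv):
            flagged.append(plist.name)
    return flagged

def demo():
    """Run both checks on a constructed directory layout (not real host data)."""
    with tempfile.TemporaryDirectory() as tmp:
        ext, agents = Path(tmp, "extensions"), Path(tmp, "LaunchAgents")
        for name in (EXT_ID + "-18.95.0", EXT_ID + "-18.100.0", "example.other-1.2.3"):
            (ext / name).mkdir(parents=True)
        agents.mkdir()
        jobs = {"com.example.helper": ["/usr/bin/python3", "/tmp/helper.py"],
                "com.example.sync": ["/usr/local/bin/sync-tool"]}
        for label, argv in jobs.items():
            data = plistlib.dumps({"Label": label, "ProgramArguments": argv})
            (agents / f"{label}.plist").write_bytes(data)
        versions = nx_console_versions(ext)
        return [(v, triage(v)) for v in versions], python_launch_agents(agents)

if __name__ == "__main__":
    print(demo())
```

On a real workstation the two directories would typically be `~/.vscode/extensions` and `~/Library/LaunchAgents`; a clean result from either check does not remove the need to rotate credentials if the malicious build ever ran.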
What to Watch Next
The near-term test is whether TeamPCP follows through on the threatened leak of the 3,800 internal repositories that Help Net Security says the group is currently shopping. A leak would let independent researchers verify GitHub's claim that no customer data was reachable from inside, and it would put a hard upper bound on how much GitHub's own tooling, secrets management, and internal CI exposure can be inferred by adversaries. The next confirmation point is whether Microsoft amends Visual Studio Marketplace policy to require multi-party publish approval for verified extensions above an install threshold. Until that policy ships, the 2.2-million-install line on Nx Console is the floor of the next incident, not the ceiling.
Frequently Asked Questions
Which version of Nx Console is safe to install after the breach?
Nx Console version 18.100.0 or later is the clean build. Cybersecurity News lists 18.100.0 as the remediation target, and the malicious build was 18.95.0 published on May 18, 2026.
Does the Nx Console malware affect Windows and Linux developers or only macOS?
The credential-harvesting payload runs cross-platform and targets GitHub, npm, AWS, Vault, Kubernetes, and 1Password tokens on any OS. The persistent Python backdoor using the GitHub Search API as a dead-drop is documented specifically on macOS by StepSecurity, but credential exposure applies to every developer who opened a workspace during the window.
Were any GitHub customer repositories accessed in the TeamPCP breach?
GitHub CISO Alexis Wales stated GitHub has no evidence of impact to customer information stored outside its internal repositories, including customer enterprises, organizations, and repositories. The roughly 3,800 stolen repositories are GitHub-internal.
What is Mini Shai-Hulud and how is it different from the original Shai-Hulud worm?
Mini Shai-Hulud is TeamPCP's adaptation of a self-replicating supply chain worm first documented in 2025. According to Help Net Security, it largely automates supply chain attacks by stealing CI/CD credentials and using them to publish infected versions of further packages, which is how the TanStack compromise eventually reached Nx.
Why is the Sigstore and SLSA provenance capability in the payload significant?
StepSecurity found the payload includes full Sigstore integration with Fulcio certificate issuance and SLSA provenance generation. That means an attacker using stolen maintainer credentials could publish downstream npm packages with valid, cryptographically signed provenance attestations, defeating the exact verification chain SLSA was designed to provide.