GitHub

On May 18, 2026, a threat actor known as TeamPCP published a trojanized version of the Nx Console VS Code extension to the Visual Studio Marketplace. The malicious version was live for 18 minutes—between 12:30 p.m. and 12:48 p.m. UTC—before being pulled. In that window, an employee at GitHub installed the update. By May 19, attackers had cloned approximately 3,800 of GitHub's internal repositories.

Proprietary source code from GitHub Actions, agentic workflows, and Copilot internal projects. CodeQL security tools. Deployment scripts and internal configuration files. Infrastructure code that runs the platform used by over 100 million developers worldwide.

Security researcher Rakesh Krishnan confirmed the leaked repositories span GitHub's core products and internal security tooling. TeamPCP listed the data for $50,000 on a criminal forum. Later, they partnered with LAPSUS$ for a joint $95,000 sale, stating: "Everything for the main platform is there."

GitHub says customer repositories and user data weren't accessed. The damage is different here: attackers now have the blueprints to the platform itself. Source code for Copilot reveals how AI suggestions are generated and filtered. CodeQL source exposes how GitHub finds vulnerabilities. Security tools show how GitHub detects threats.

For the 100 million developers who rely on GitHub, this is reconnaissance for future attacks. Every vulnerability in that source code is now in adversarial hands. Every security mechanism can be studied for bypass techniques.

Installing a popular VS Code extension with 2.2 million downloads. Nx Console is a legitimate developer tool maintained by the Nx team. The extension auto-updates, like every other extension in the marketplace. GitHub engineers use it because it improves their workflow.

The malicious version looked and behaved exactly like the real one. On startup, it silently ran a shell command disguised as a "routine MCP setup task." The payload harvested credentials from GitHub CLI, npm, AWS, 1Password, and Anthropic Claude Code configurations. By the time anyone noticed, the credentials were already exfiltrated.

GitHub's CISO, Alexis Wales, confirmed the breach came from a single compromised employee device. One set of stolen credentials provided access to 3,800 repositories. That's the access footprint of one engineer—and attackers knew exactly which repositories to target.

The root cause traces back further: a May 11 supply chain compromise of 42 TanStack npm packages. TeamPCP published 84 malicious versions that stole GitHub credentials from an Nx Console developer. That developer's credentials were then used to push the poisoned extension—without requiring approval from other Nx administrators.

GitHub detected the breach on May 19, began incident response, and rotated critical secrets the same day. By May 20, they had isolated affected endpoints, removed the malicious extension, and published a security advisory. The vulnerability was assigned CVE-2026-48027.

But the harder question remains: what else did those credentials access? TeamPCP previously breached the European Commission using a cloud key stolen from Trivy. They compromised OpenAI and Grafana Labs in the same TanStack campaign. When attackers chain supply chain compromises, the blast radius keeps expanding.