By ByteBot
Eighteen minutes. That is how long it took for a poisoned VS Code extension to hand attackers access to approximately 3,800 of GitHub’s internal repositories. On May 18, Nx Console v18.95.0 — an extension with 2.2 million installs and a verified publisher badge — shipped with a hidden credential stealer tucked inside a disguised MCP setup routine. The Nx team pulled it fast. Fast was not fast enough.
If you had Nx Console installed with auto-update enabled during the exposure window (12:30–13:09 UTC, May 18), treat your machine as potentially compromised and start rotating credentials now. CISA issued an advisory on May 28. This is not a drill.
Were You in the Blast Radius?
The malicious version was live on the VS Code Marketplace for roughly 11 minutes and on Open VSX for about 36. In that window, approximately 6,000 extension activations were logged. If you opened any workspace in VS Code during that time with Nx Console installed, you likely executed the payload.
The safest assumption: if you had Nx Console installed on May 18 and auto-update was on, you were hit. Check your VS Code extension history and treat the machine as compromised until you have completed the remediation below.
What to Do Right Now
Update Nx Console to v18.100.0 or later immediately — in VS Code, Cursor, and any other VS Code-based editor you use. Then rotate every credential that was accessible on that machine.
The payload specifically targeted: GitHub personal access tokens, npm tokens, AWS access keys, HashiCorp Vault secrets, Kubernetes credentials, SSH keys, 1Password vaults, Docker and PyPI tokens, Terraform secrets, and — for the first time in a known supply chain attack — Anthropic Claude Code configuration files. If you use Claude Code, your configuration was in scope.
Rotation checklist, in order of urgency:
- GitHub: audit and revoke all personal access tokens at github.com/settings/tokens. Delete anything unused. Set 30-day max expiry on anything with write access.
- npm: rotate your npm access token and any CI/CD tokens with publish access.
- AWS: rotate all IAM access keys for any users whose credentials were accessible on the affected machine.
- HashiCorp Vault, Kubernetes, SSH: rotate or revoke and reissue.
- Claude Code: regenerate your API key at console.anthropic.com if you use Claude Code on the affected machine.
- 1Password: audit vault access logs for anomalous activity.
Also check for persistence artifacts: hidden Python processes on macOS, unauthorized passwordless sudo entries on Linux. The payload installed a Python backdoor on macOS that used the GitHub Search API as a command channel. Kill it before rotating credentials, or the backdoor will harvest the new ones.
How the Attack Was Built
This did not start with Nx Console. It started a week earlier.
On May 11, TeamPCP’s Mini Shai-Hulud worm hit the TanStack npm ecosystem — compromising 42 packages across 84 versions. During that attack, an Nx contributor’s GitHub CLI OAuth token was stolen. TeamPCP then spent seven days inside the nrwl/nx GitHub repositories without detection, preparing the follow-on attack.
On May 18 at 03:18 UTC, they planted an orphan commit in the legitimate nrwl/nx repository containing a 498 KB obfuscated JavaScript payload — hidden inside what looked like a routine package structure. Seven hours later, they published Nx Console v18.95.0 using stolen publisher credentials. The extension, on every workspace open, ran npx against that orphan commit. The payload executed silently, collected credentials, and exfiltrated them over three independent channels: HTTPS, the GitHub API, and DNS tunneling. The Nx postmortem describes it as “disguised as a routine MCP setup task so it would not raise suspicion.” It did not.
The VS Code Marketplace Is a Trust Gap
This attack worked partly because of how the VS Code Marketplace is designed. The verified blue checkmark on Nx Console means the publisher proved domain ownership — nothing more. It says nothing about the security of the publishing pipeline or what the extension does at runtime.
Extensions in VS Code have full operating system access with no permissions model. There is no browser-style permission prompt. An extension that claims to help with Angular monorepos can, without user interaction, silently read environment variables, execute shell commands, and exfiltrate credentials over DNS. That is a structural problem, not a one-off incident.
Auto-update makes it worse. Security researchers recommend a three-hour delay before pulling new extension versions — a detection window that would have caught v18.95.0 before most developers were affected. That window does not exist today in VS Code.
TeamPCP Is Not Slowing Down
March 2026: Aqua Security’s Trivy scanner. April: Bitwarden CLI on npm. May 11: TanStack and 160+ npm and PyPI packages. May 18: Nx Console and GitHub’s internal codebase. The pace is accelerating, and the targets are explicit — developer tooling, security tooling, and CI/CD pipelines.
Read the Nx official postmortem and the GitHub security advisory for the full technical breakdown. The BleepingComputer report ties the TanStack and Nx Console chains together clearly.
The industry response so far has been reactive: patch, rotate, move on. That is not enough. VS Code extensions need a permissions model. The Marketplace needs mandatory signed extensions. Auto-update needs a configurable hold window. Until those changes land, every developer running auto-updated extensions is trusting a publishing pipeline they cannot inspect.
Eighteen minutes is a fast attack. Building defenses that match that speed is going to take longer than that.
