By GitHub confirmed this week that a threat actor called TeamPCP exfiltrated approximately 3,800 internal repositories — not by exploiting a GitHub vulnerability, but by poisoning a VS Code extension you have probably installed. Nx Console (nrwl.angular-console), a legitimate extension with 2.2 million installs, had a malicious version (18.95.0) pushed to the VS Code Marketplace on May 18. The community caught it in about 11 minutes. That was enough time.
How It Happened
The attack did not start with GitHub. It started with an Nx Console maintainer whose machine had been compromised in a prior incident, leaking their VS Code Marketplace publishing credentials. TeamPCP used those credentials to publish version 18.95.0 — a multi-stage credential stealer — as a legitimate extension update to all 2.2 million users.
The payload was thorough. It harvested GitHub session tokens, npm tokens, AWS access keys, SSH keys, Docker credentials, VPN configurations, and shell history. It also attempted to unlock and dump 1Password and Bitwarden vaults. If it landed inside an AWS environment, it spread laterally via SSM. Inside Kubernetes, it used kubectl exec to propagate further.
One GitHub employee had Nx Console installed. That was all TeamPCP needed. Using the harvested GitHub tokens, they exfiltrated roughly 3,800 internal repositories, including GitHub Actions internals, Copilot project code, CodeQL tools, Codespaces infrastructure, Dependabot internals, and internal security tooling. The stolen data was then listed on underground forums for $50,000–$95,000. GitHub says no customer repositories or enterprise accounts were accessed — the breach was contained to internal infrastructure.
The Trust Signal Is Now the Attack Surface
Here is what makes this uncomfortable: there was no obvious way to know Nx Console v18.95.0 was malicious. It came from a verified publisher with 2.2 million installs and an unblemished track record. That is exactly the profile attackers look for.
The VS Code Marketplace “verified publisher” badge means the publisher has proven domain ownership and the extension has been in good standing for six months. It does not mean Microsoft reviews code, audits publisher credentials, or monitors for malicious updates. Wiz Research has documented that over 100 valid VS Code Marketplace publishing tokens and 30+ Open VSX access tokens have been found leaked inside extension packages on disk — any one of which gives an attacker push access to every install of every extension that publisher owns.
VS Code extensions auto-update by default. Users never see a changelog, never approve the update, and have no way to sandbox what a new version does before it runs. The Nx Console community caught version 18.95.0 in 11 minutes — faster than Microsoft’s own detection systems. The official security advisory (GHSA-c9j4-9m59-847w) was published after community detection, not before.
What You Need to Do Right Now
If you use VS Code, these are not optional:
- Audit your extensions. Run
code --list-extensionsand remove anything you do not actively use. Every installed extension is an attack surface. - Check your Nx Console version. Run
code --list-extensions | grep nrwl. If you have it installed, make sure you are on version 18.96.0 or later (the patched release). Version 18.95.0 is the malicious one. - Disable automatic extension updates. Go to Settings → Extensions → Auto Update and set it to “None” or “Manual.” This removes the silent update vector entirely.
- Pin versions for team repos. If you maintain a
.vscode/extensions.jsonfor a team, lock extension versions explicitly so teammates are not exposed to silent updates. - Enterprise teams: implement extension allowlists. VS Code Enterprise Policy lets you restrict which extensions can be installed. If your team does not need an extension, block it.
This Is Not a One-Off
The Verizon 2026 Data Breach Investigations Report dropped the same week — and it directly contextualizes what just happened. For the first time in 19 years of the DBIR, software vulnerability exploitation (36%) overtook credential theft as the leading initial access method. Breaches involving third parties — including software supply chains — are up 60%, now accounting for 48% of all breaches. Median time-to-patch is 43 days, up 34% year over year.
The GitHub breach is not a random incident. It is the highest-profile instance of an attack pattern that has been accelerating throughout 2025 and 2026: compromise the developer tooling, ride the existing trust into the target. VS Code extensions, npm packages, GitHub Actions — they are all part of the same attack surface. The difference with the GitHub breach is that the victim is a company that builds the platform developers trust with their own code.
The Marketplace extension review model — scan at initial publish, badge for domain ownership, auto-update silently — was designed for an era when extension publishers were not high-value targets. That era is over. Until Microsoft implements code signing for extension updates, mandatory MFA for publishing tokens, and behavioral sandboxing of new versions, the responsibility sits with developers. Audit your extensions. Disable auto-update. Do it today.
