TanStack → Nx Console → GitHub: How One Poisoned VS Code Extension Breached GitHub, OpenAI, and Mistral AI in 18 Minutes
TeamPCP published a poisoned Nx Console VS Code extension for 18 minutes on May 18, 2026. In that window, VS Code auto-updated 2.2 million installs. One of those installs belonged to a GitHub employee, which gave TeamPCP access to 3,800 internal GitHub repositories. OpenAI, Mistral AI, and Grafana Labs were simultaneously hit via the same TanStack npm supply-chain cascade. This is the Mini Shai-Hulud campaign operating at SolarWinds scale.
