TanStack → Nx Console → GitHub: How One Poisoned VS Code Extension Breached GitHub, OpenAI, and Mistral AI in 18 Minutes
Sources: GitHub CISO Alexis Wales · The Hacker News · BleepingComputer · Help Net Security · Infosecurity Magazine · Security Boulevard · TechTimes · Rescana | CVEs: CVE-2026-45321 (TanStack, CVSS 9.6) · CVE-2026-48027 (Nx Console) | Threat actor: TeamPCP (UNC6780) | Campaign: Mini Shai-Hulud | Update: CISA issued a formal advisory on May 28 — see Article #18 for the full CISA guidance
At 12:30 UTC on May 18, 2026, a malicious version of the Nx Console Visual Studio Code extension — a popular developer tool with 2.2 million installs — appeared on Microsoft’s official Visual Studio Marketplace. For the next 18 minutes, anyone who had the extension installed received an automatic silent update that harvested credentials from their development machine. By 12:48 UTC, the malicious version was removed. By May 20, GitHub CISO Alexis Wales had confirmed approximately 3,800 internal GitHub repositories were exfiltrated. OpenAI confirmed two employee devices were compromised. Mistral AI confirmed their SDKs were trojaned. Grafana Labs confirmed repository access via a missed GitHub token.
This is the same Mini Shai-Hulud campaign DataWater first documented on April 30 in our PyTorch Lightning supply chain attack brief — the same threat actor (TeamPCP / UNC6780), now operating at SolarWinds scale. CISA formally confirmed this on May 28 with an advisory that also documented a parallel campaign called Megalodon targeting GitHub Actions workflows — see our full CISA advisory coverage for the expanded guidance and forensic checklist. The Verizon DBIR 2026, published five days after this breach, confirmed supply chain attacks doubled year-over-year to 30% of all confirmed breaches — this incident is the largest confirmed example of that trend in 2026.
| Field | Detail |
|---|---|
| Campaign name | Mini Shai-Hulud (TeamPCP) |
| Threat actor | TeamPCP — Google TIG: UNC6780 |
| CVE (TanStack) | CVE-2026-45321 — CVSS 9.6 Critical |
| CVE (Nx Console breach) | CVE-2026-48027 |
| CISA KEV deadline | June 10, 2026 |
| Attack start | May 11, 2026 — TanStack npm compromise |
| Nx Console malicious version | 18.95.0 — live May 18, 12:30–12:48 UTC (18 minutes) |
| Extension install base | 2.2 million installs |
| GitHub repositories exfiltrated | ~3,800 internal repositories |
| Credentials targeted | GitHub tokens · npm tokens · AWS keys · 1Password vaults · Claude Code configs · CI/CD secrets |
| Confirmed victims | GitHub · OpenAI · Mistral AI · Grafana Labs · UiPath · Guardrails AI · OpenSearch · 160+ npm/PyPI packages |
| macOS persistence | Yes — LaunchAgent backdoor survives extension removal |
| Safe Nx Console version | v18.100.0 and later |
The full attack chain: TanStack to GitHub’s internal codebase
Stage 1 — TanStack GitHub Actions cache poisoning (May 11)
TeamPCP exploited a pull_request_target workflow misconfiguration at TanStack — a common GitHub Actions security gap that grants elevated permissions to pull requests from external forks. Through GitHub Actions cache poisoning, they injected a malicious pnpm store into TanStack’s shared workflow cache, then used the resulting CI/CD credentials to publish 84 malicious versions across 42 @tanstack npm packages simultaneously. The credential-harvesting payload embedded in those packages behaved like a worm — using stolen npm tokens to propagate to downstream packages in @mistralai, @uipath, @squawk, and guardrails-ai namespaces.
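A heuristic audit for the workflow pattern described above, written as an added example (not code from the article, TanStack, or GitHub). The three checks (pull request head checkout, cache use, missing top-level `permissions:`) and the default `.github/workflows` path are assumptions about what to review, not a reconstruction of TanStack's workflow.

```shell
#!/bin/sh
# Added audit sketch; not from the article or from TanStack's repository.
# Heuristic: a workflow triggered by pull_request_target runs with the base
# repository's permissions, so checking out fork code or writing a shared
# cache inside it deserves review.

# Succeeds if a non-comment line of file $2 matches extended regex $1.
wf_has() {
    grep -Ev '^[[:space:]]*#' "$2" | grep -Eq "$1"
}

# Print "<file>: <findings>" for each pull_request_target workflow in dir $1.
audit_workflows() {
    for f in "$1"/*.yml "$1"/*.yaml; do
        [ -f "$f" ] || continue
        wf_has 'pull_request_target' "$f" || continue
        findings=""
        if wf_has 'github\.event\.pull_request\.head\.(sha|ref)' "$f"; then
            findings="$findings checks-out-pr-head"
        fi
        if wf_has 'uses:[[:space:]]*actions/cache|cache:[[:space:]]*(npm|pnpm|yarn)' "$f"; then
            findings="$findings uses-cache"
        fi
        if ! wf_has '^permissions:' "$f"; then
            findings="$findings no-top-level-permissions"
        fi
        printf '%s:%s\n' "${f##*/}" "${findings:- trigger-only}"
    done
    return 0
}

# Default path is the conventional workflow directory of a checked-out repo.
audit_workflows "${1:-.github/workflows}"
```

A finding is a prompt for manual review, not proof of exposure; a workflow reported as `trigger-only` still runs with base-repository permissions.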
Stage 2 — Developer device compromise and Nx Console publisher access (May 11–18)
Among the developers who installed compromised TanStack packages was an employee at Narwhal Technologies, the company behind Nx Console. That developer’s GitHub token had publisher access to the Nx Console VS Code extension. TeamPCP extracted this token and used it to push a malicious orphan commit and stage the publication of Nx Console v18.95.0. Infosecurity Magazine confirmed the upload was performed “without manual approval” from other Nx administrators; the VS Code Marketplace had no review gate between publisher submission and global distribution.
Stage 3 — The 18-minute Marketplace window (May 18, 12:30–12:48 UTC)
At 12:30 UTC, Nx Console v18.95.0 appeared on the Visual Studio Marketplace under the verified nrwl.angular-console publisher badge. VS Code’s auto-update mechanism immediately distributed it to machines with Nx Console installed and VS Code running. The payload targeted: 1Password vaults, Claude Code API keys, npm tokens, GitHub credentials, AWS credentials, CI/CD secrets, and SSH keys. On macOS, it established a persistent LaunchAgent backdoor that survives extension removal. At 12:48 UTC the extension was removed — 18 minutes was all it needed.
Stage 4 — GitHub internal repository exfiltration
Using credentials from the compromised GitHub employee’s machine, TeamPCP exfiltrated approximately 3,800 private GitHub repositories. GitHub CISO Alexis Wales stated the activity involved GitHub-internal repositories with no evidence of impact to customer repositories at that point. CVE-2026-48027 was assigned and added to CISA’s KEV catalog on May 27 — see our CISA advisory article for the full expanded guidance including the Megalodon GitHub Actions campaign.
TeamPCP: seven attack waves in 2026 — the Mini Shai-Hulud origin story
This is not TeamPCP’s first campaign in 2026. DataWater has tracked the Mini Shai-Hulud campaign since its first confirmed wave. The full timeline:
- March 2026 — Trivy, Checkmarx KICS Docker images
- April 2026 — LiteLLM, Telnyx, Bitwarden CLI
- April 30, 2026 — PyTorch Lightning — DataWater Article #1; the campaign’s first strike
- May 11–14, 2026 — TanStack npm ecosystem — 84 malicious package versions, 160+ downstream packages
- May 18, 2026 — Nx Console VS Code extension — this article
- May 18–28, 2026 — Megalodon GitHub Actions campaign + TeamPCP open-sources attack framework — see CISA advisory coverage
The systemic problem: VS Code auto-update is a supply chain attack surface
VS Code’s auto-update is designed for security — ensuring developers always have the latest extension versions. But it creates an architectural condition that TeamPCP exploited with precision: any attacker who controls a VS Code extension publisher account has a direct, zero-review push channel into every machine running that extension globally. The Marketplace had no pre-publication security scanning, no multi-party approval requirement, and no update delay between submission and distribution. This is not a VS Code-specific problem — it exists in browser extension stores, IDE plugin repositories, and package managers broadly. But VS Code’s adoption in enterprise development environments — particularly among teams working on AI infrastructure, security tooling, and critical open-source projects — makes the Marketplace a uniquely high-value target.
Immediate remediation
- Update Nx Console to v18.100.0 or later immediately. VS Code → Extensions → search “Nx Console” → Update.
- Rotate all credentials on any machine where Nx Console 18.95.0 may have run — GitHub tokens, npm tokens, AWS keys, 1Password vault, Claude Code API keys, SSH private keys.
- Check for macOS persistence. Inspect `~/Library/LaunchAgents/`, `/Library/LaunchAgents/`, and `/Library/LaunchDaemons/` for entries created around May 18, 2026.
- Disable VS Code auto-update for extensions as interim policy: set `extensions.autoUpdate: false`.
- Audit CI/CD pipeline secrets in any pipeline that runs npm install with @tanstack or @mistralai packages.
- For the full CISA forensic audit checklist including Megalodon GitHub Actions checks, see our May 29 CISA advisory article.
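The version and persistence checks from the list above as a shell sketch; this is an added example, not tooling from the article, Nx, or CISA. It assumes VS Code's default `~/.vscode/extensions` folder with `<publisher>.<name>-<version>` naming, and uses file modification time after May 18, 2026 00:00 local time as a stand-in for "created around May 18".

```shell
#!/bin/sh
# Added triage sketch; not from the article, Nx, or CISA.
EXT_ID="nrwl.angular-console"   # extension ID named in the article
BAD_VERSION="18.95.0"           # malicious version named in the article

# Print the path of every installed copy of the malicious version.
# Assumes <publisher>.<name>-<version>[-<platform>] folder naming.
find_bad_nx_console() {
    for d in "$1"/"$EXT_ID"-*; do
        [ -d "$d" ] || continue
        base=${d##*/}
        case ${base#"$EXT_ID"-} in
            "$BAD_VERSION"|"$BAD_VERSION"-*) printf '%s\n' "$d" ;;
        esac
    done
    return 0
}

# Print launchd plists modified after a timestamp (touch -t format,
# CCYYMMDDhhmm, local time). Using mtime as the signal is an assumption.
launch_items_since() {
    stamp=$1; shift
    ref=$(mktemp) || return 1
    touch -t "$stamp" "$ref"
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name '*.plist' -newer "$ref"
    done
    rm -f "$ref"
}

# Run both checks. $1 = home directory (default $HOME); $2 = optional root
# prefix for the system-wide launchd directories (for offline images).
triage() {
    home=${1:-$HOME}
    root=${2:-}
    find_bad_nx_console "$home/.vscode/extensions"
    launch_items_since 202605180000 "$home/Library/LaunchAgents" \
        "$root/Library/LaunchAgents" "$root/Library/LaunchDaemons"
}

triage "$@"
```

Empty output means neither check matched, which does not clear a machine: the extension folder may already have been replaced by a later version, so credential rotation still applies wherever 18.95.0 may have run.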
Sources and further reading
- The Hacker News — GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension
- BleepingComputer — GitHub Links Repo Breach to TanStack npm Supply Chain Attack
- Help Net Security — GitHub, Grafana Labs Breaches Traced to TanStack Supply Chain Compromise
- Rescana — TanStack npm Supply Chain Attack: Detailed Technical Analysis
- CISA — Official Advisory: Supply Chain Compromises Impact Nx Console and GitHub Repositories
DataWater publishes daily cybersecurity intelligence for enterprise and government security leaders. Article #15 — May 21, 2026.
