TanStack → Nx Console → GitHub: How One Poisoned VS Code Extension Breached GitHub, OpenAI, and Mistral AI in 18 Minutes
Sources: GitHub CISO Alexis Wales (official statement) · The Hacker News · BleepingComputer · Help Net Security · Infosecurity Magazine · Notebookcheck · Security Boulevard · TechTimes · Rescana | CVEs: CVE-2026-45321 (TanStack, CVSS 9.6) · CVE-2026-48027 (Nx Console breach) | Threat actor: TeamPCP (UNC6780) | Campaign: Mini Shai-Hulud | Confirmed victims: GitHub · OpenAI · Mistral AI · Grafana Labs · UiPath · Guardrails AI · OpenSearch
At 12:30 UTC on May 18, 2026, a malicious version of the Nx Console Visual Studio Code extension — a popular developer tool with 2.2 million installs for working with Nx monorepo build systems — appeared on Microsoft’s official Visual Studio Marketplace. For the next 18 minutes, anyone who had the extension installed received an automatic update that silently harvested credentials from their development machine and shipped them to TeamPCP, a cybercrime group that has been conducting some of the most sophisticated supply chain attacks in 2026. By 12:48 UTC, the malicious version was removed. The damage was done.
Today, GitHub CISO Alexis Wales confirmed that approximately 3,800 internal GitHub repositories were exfiltrated as a direct result of that 18-minute window. OpenAI confirmed two employee devices were compromised. Mistral AI confirmed their npm and PyPI SDKs were trojaned, with TeamPCP advertising Mistral source code for sale on cybercrime forums. Grafana Labs confirmed a missed GitHub workflow token gave attackers access to their repositories. And this is not the end of the victim list — it is the confirmed beginning. UiPath, Guardrails AI, and OpenSearch have all been identified as additional victims of the same cascading campaign.
This is the TanStack supply chain cascade — a single coordinated attack that began on May 11, 2026 and has now compromised some of the most consequential software infrastructure organizations on the planet.
| Field | Detail |
|---|---|
| Campaign name | Mini Shai-Hulud (TeamPCP) |
| Threat actor | TeamPCP — tracked by Google TIG as UNC6780 |
| CVE (TanStack) | CVE-2026-45321 — CVSS 9.6 Critical |
| CVE (Nx Console breach) | CVE-2026-48027 |
| Attack start date | May 11, 2026 — TanStack npm compromise |
| Nx Console malicious version | 18.95.0 — live May 18, 2026, 12:30–12:48 UTC (18 minutes) |
| Extension install base | 2.2 million installs — Nx Console (nrwl.angular-console) |
| GitHub repositories exfiltrated | ~3,800 internal repositories |
| Credentials targeted | GitHub tokens · npm tokens · AWS keys · 1Password vaults · Claude Code configs · CI/CD secrets |
| Confirmed victims | GitHub · OpenAI · Mistral AI · Grafana Labs · UiPath · Guardrails AI · OpenSearch · 160+ npm/PyPI packages |
| Malicious npm packages published | 84 versions across 42 @tanstack packages + 160+ downstream packages |
| macOS persistence | Yes — payload establishes persistent access on macOS developer machines |
| Nx Console safe version | v18.100.0 and later |
| Prior TeamPCP targets in 2026 | Trivy (Mar) · Checkmarx KICS · LiteLLM · Telnyx · Bitwarden CLI · PyTorch Lightning · TanStack · Mistral AI |
The full attack chain: how TanStack became a weapon against GitHub
Understanding how a single npm package compromise cascaded into a breach of GitHub’s internal repositories requires tracing the full chain. Every step is documented by Rescana, Security Boulevard, and The Hacker News based on GitHub’s own incident disclosure. Here is the complete sequence:
Stage 1 — GitHub Actions exploitation at TanStack (May 11)
TeamPCP began by targeting TanStack — a widely used collection of open-source developer tools for React applications, used by hundreds of thousands of developers for routing, state management, and data fetching. The attack exploited a three-vulnerability chain in TanStack’s GitHub Actions CI/CD workflows:
- An attacker forked the TanStack/router repository and submitted a malicious pull request that exploited the `pull_request_target` workflow — a GitHub Actions configuration that runs workflows with elevated repository permissions even on pull requests from forks. This is a well-documented but frequently misconfigured GitHub Actions security issue.
- Through GitHub Actions cache poisoning, the attacker injected a malicious pnpm store into the shared workflow cache. When a legitimate TanStack maintainer’s workflow later ran and restored the cache, it loaded the attacker’s poisoned dependencies — without any alert or indication of compromise.
- The poisoned cache gave TeamPCP the CI/CD publishing credentials needed to push malicious versions to npm. They published 84 malicious versions across 42 @tanstack npm packages in a single coordinated push — compromising TanStack’s entire router ecosystem simultaneously.
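A defender can look for the same combination in their own repositories. The script below is an added example, not code from TanStack or from the sources cited here; it is a line-based heuristic that assumes workflows live under `.github/workflows/`, and the function names are illustrative.

```sh
#!/bin/sh
# Added example: heuristic audit of GitHub Actions workflows for the pattern
# described above (pull_request_target + fork checkout + shared cache).
# Line-based matching, not a YAML parser: treat findings as review leads.

# audit_workflow FILE: prints one finding line, or nothing if the workflow
# is not triggered by pull_request_target.
audit_workflow() {
  wf_file=$1
  body=$(grep -Ev '^[[:space:]]*#' "$wf_file" || true)   # drop comment lines
  printf '%s\n' "$body" | grep -q 'pull_request_target' || return 0

  # References to the pull request's head mean fork-controlled code or refs
  # reach a job that holds the base repository's token and secrets.
  fork_ref=$(printf '%s\n' "$body" | grep -Ec \
    'github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref' || true)
  # Cache steps let that job write entries later restored by trusted runs.
  cache=$(printf '%s\n' "$body" | grep -Ec \
    'uses:[[:space:]]*actions/cache|cache:[[:space:]]*.?(pnpm|npm|yarn)' || true)

  if [ "$fork_ref" -gt 0 ] && [ "$cache" -gt 0 ]; then
    echo "HIGH $wf_file: fork ref and dependency cache in a pull_request_target workflow"
  elif [ "$fork_ref" -gt 0 ]; then
    echo "HIGH $wf_file: pull_request_target workflow references the fork's head"
  elif [ "$cache" -gt 0 ]; then
    echo "MEDIUM $wf_file: pull_request_target workflow uses the shared cache"
  else
    echo "INFO $wf_file: pull_request_target in use; confirm no fork code runs"
  fi
}

# audit_repo DIR: run the check over every workflow file in a checkout.
audit_repo() {
  for wf in "$1"/.github/workflows/*.yml "$1"/.github/workflows/*.yaml; do
    if [ -f "$wf" ]; then audit_workflow "$wf"; fi
  done
  return 0
}

# Stand-alone use: sh audit.sh /path/to/checkout
if [ "$#" -gt 0 ]; then audit_repo "$1"; fi
```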
Stage 2 — Worm-like propagation to 160+ packages
Once inside the TanStack publishing pipeline, the malicious payload behaved like a worm. It harvested the CI/CD credentials of other projects that had @tanstack packages as dependencies and used those credentials to publish malicious versions of those downstream packages too. Within hours of the TanStack compromise, infected packages appeared in the @mistralai, @uipath, @squawk (aviation data), and guardrails-ai namespaces — none of which were direct targets. They were victims of the cascade. By the time the campaign was detected, more than 160 npm packages and two PyPI packages had been infected across multiple organizations.
Stage 3 — Developer device compromise and Nx Console publisher access
The malicious TanStack packages carried a credential-harvesting payload identical to the Mini Shai-Hulud worm described in our April 30 coverage of the PyTorch Lightning attack. When developers installed or updated affected packages — including on developer workstations where the packages are pulled during npm install — the payload executed and harvested local credentials. One of the compromised developers was an employee at Narwhal Technologies, the company behind the Nx build system and the Nx Console VS Code extension. That developer’s GitHub token had publisher access to the Nx Console extension on the Visual Studio Marketplace.
Infosecurity Magazine confirmed the critical detail: the upload of the malicious Nx Console version was performed “without manual approval” from other Nx administrators. The VS Code Marketplace had no review gate between a publisher submitting an update and that update being distributed to 2.2 million installed instances.
Stage 4 — The 18-minute VS Code extension window
At 12:30 UTC on May 18, 2026, TeamPCP used the stolen Nx developer credentials to publish Nx Console version 18.95.0 to the Visual Studio Marketplace. VS Code’s auto-update behavior — which silently updates extensions without user confirmation or review — immediately began distributing the malicious version to every machine with Nx Console installed and VS Code running.
The malicious extension carried a credential stealer that specifically targeted:
- 1Password vaults — swept for any secrets stored in the developer’s 1Password installation
- Anthropic Claude Code configurations — harvested API keys and project configurations from Claude Code’s settings directory
- npm tokens — from `.npmrc` and environment variables, enabling further package publishing attacks
- GitHub credentials — personal access tokens, GitHub CLI authentication, and SSH keys
- AWS credentials — from `~/.aws/credentials` and environment variables
- CI/CD secrets — any secrets accessible in the current environment
- macOS persistence — the payload established persistent access on macOS developer machines, surviving extension removal
At 12:48 UTC — 18 minutes after publication — the malicious version was removed from the Marketplace. But auto-update had already distributed it to thousands of developer machines. Among those developers: at least one GitHub employee whose credentials gave TeamPCP access to GitHub’s internal repository infrastructure.
Stage 5 — GitHub internal repository exfiltration
Using credentials harvested from the compromised GitHub employee’s machine, TeamPCP accessed GitHub’s internal infrastructure and exfiltrated approximately 3,800 private repositories. GitHub CISO Alexis Wales stated: “We have no evidence of impact to customer information stored outside of GitHub’s internal repositories, such as our customers’ own enterprises, organizations, and repositories. Some of GitHub’s internal repositories contain information from customers, for example, excerpts of support interactions. If any impact is discovered, we will notify customers via established incident response and notification channels.”
GitHub has rotated critical internal secrets, isolated the compromised endpoint, and removed version 18.95.0 from the Marketplace. A fuller incident report is forthcoming. CVE-2026-48027 has been assigned to track the breach.
The other confirmed victims
OpenAI
OpenAI confirmed two employee devices were compromised through the TanStack campaign, with limited credential material exfiltrated from a subset of internal source code repositories. OpenAI has engaged a third-party digital forensics and incident response firm and is revoking its macOS app signing certificate in full on June 12, 2026 — a significant response that indicates the depth of concern about what credentials may have been on the affected machines.
Mistral AI
Mistral AI confirmed that their npm and PyPI SDKs were trojaned as part of the same campaign, with TeamPCP advertising Mistral AI code repositories for sale on a cybercrime forum. Mistral confirmed attackers temporarily accessed certain non-core code repositories on May 12. Any developer who installed Mistral AI SDK packages between May 11 and May 14, 2026 should treat their development environment as potentially compromised.
Grafana Labs
Grafana Labs detected the TanStack-origin activity on May 11, 2026, performed analysis, and quickly rotated a significant number of GitHub workflow tokens. However, a missed token gave attackers access to their GitHub repositories. Grafana confirmed no evidence of customer production systems or operations being compromised. Grafana appears to have been targeted by Coinbase Cartel — a cybercrime group linked to ShinyHunters, Scattered Spider, and Lapsus$ — operating in coordination with or parallel to the TeamPCP campaign.
TeamPCP: the most prolific supply chain threat actor of 2026
Google Threat Intelligence Group formally tracks TeamPCP as UNC6780 — a financially motivated threat actor specializing in supply chain attacks targeting open-source security utilities and AI middleware. Trend Micro has documented at least seven confirmed attack waves since March 2026: Trivy in March, then Checkmarx KICS Docker images, LiteLLM, Telnyx, Bitwarden CLI, TanStack, and Mistral AI. DataWater covered the PyTorch Lightning attack (part of the same Mini Shai-Hulud campaign) on April 30 — that incident was identified as the first known confirmed exploitation. This is the same group, the same campaign, now at a dramatically larger scale.
What is consistent across all TeamPCP/Mini Shai-Hulud attack waves is that technical sophistication is not the primary weapon — trust is. A verified publisher badge, a high install count, and distribution through an official marketplace mean that developers install the extension without hesitation and that no one thinks to check. Each compromise in the chain provides credentials that enable the next. The attack never needs to breach a perimeter. It enters through packages and extensions that developers routinely install, then harvests the credentials those developers use to access everything else.
Security Boulevard captured the cascading architecture precisely: TeamPCP has constructed a self-sustaining supply chain attack chain that has compromised TanStack, LiteLLM, OpenAI, Mistral AI, Grafana Labs, the Nx Console extension, and GitHub’s internal repositories in a cascading sequence. The 18-minute window that enabled the GitHub breach illustrates how auto-update distribution in VS Code and similar editors gives any attacker who controls a publisher account a direct push channel into every machine running that extension globally, with no review gate between publication and installation.
Am I affected? How to check
You are directly exposed if any of the following apply to your environment:
- Nx Console was installed and VS Code was running on May 18, 2026 between 12:30–12:48 UTC — you may have received version 18.95.0 via auto-update
- You installed or updated any @tanstack npm package between May 11–14, 2026
- You installed or updated any @mistralai SDK package between May 11–14, 2026
- You installed or updated any @uipath npm package in the same window
- Your CI/CD pipeline runs npm install with any of the above packages and has access to secrets
Check your installed Nx Console version:
```sh
# Check the current Nx Console version in the VS Code UI:
#   Extensions panel → search "Nx Console" → check version
#   Version 18.95.0 = compromised. Safe: 18.100.0 or later

# Check whether affected packages are in the current project's dependency tree
npm ls @tanstack/router @tanstack/react-query @mistralai/mistralai 2>/dev/null

# Check the installed Nx Console version via the VS Code CLI
# (the extension id is nrwl.angular-console, so a search for "nx" would miss it)
code --list-extensions --show-versions | grep -i 'nrwl.angular-console'
```
Immediate remediation steps
- Update Nx Console immediately to v18.100.0 or later. Open VS Code Extensions → search “Nx Console” → Update. Verify the version shown is 18.100.0+. Do not continue using v18.95.0 under any circumstances.
- Rotate all credentials on any machine where Nx Console 18.95.0 may have run. This means: GitHub personal access tokens, GitHub CLI auth, npm tokens, AWS access keys, 1Password vault access (consider revoking and re-issuing the vault key), and any Claude Code API keys or project secrets. The payload specifically targeted all of these.
- Check for macOS persistence. The payload installs a persistent backdoor on macOS. On affected Mac machines, check for unexpected launch agents and daemons: review `~/Library/LaunchAgents/`, `/Library/LaunchAgents/`, and `/Library/LaunchDaemons/` for any entries created around May 18, 2026.
- Audit CI/CD pipeline secrets. Any pipeline that runs npm install with @tanstack, @mistralai, or @uipath packages should be treated as potentially compromised. Rotate all CI/CD secrets — GitHub Actions secrets, environment variables, and repository-level access tokens.
- Check your npm and PyPI published packages. If any CI/CD credential on an affected machine had npm publish access, check your packages for unexpected version bumps, modified `package.json` scripts sections, or new files. The Mini Shai-Hulud worm self-propagates through stolen npm tokens.
- Review GitHub audit logs for unexpected repository access, cloning of large numbers of repos, or access from unfamiliar IP addresses. GitHub provides Organization-level audit logs at `github.com/organizations/[org]/settings/audit-log`.
- If you use Mistral AI SDKs in production, verify your SDK versions and check whether your installed versions fall in the compromised range. Rotate any Mistral API keys that were present on developer machines or in CI/CD environments that had the affected packages installed.
- Disable VS Code auto-update for extensions as an interim policy while this campaign is active. In VS Code settings, set `extensions.autoUpdate` to `false` and `extensions.autoCheckUpdates` to `false`. Review extension updates manually before applying.
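The version check and the macOS launch-item review from the steps above can be scripted for fleet triage. This is an added example, not tooling from GitHub, Nx, or the cited sources; the function names are illustrative, and file modification time is used as a stand-in for "created around May 18", which a payload can falsify.

```sh
#!/bin/sh
# Added example: workstation triage using the version numbers, extension id
# and directories stated in this article.

# nx_console_status: reads `code --list-extensions --show-versions` output on
# stdin; prints COMPROMISED, SAFE, UPDATE, UNKNOWN or ABSENT.
# SAFE describes the current install only: a machine that auto-updated through
# 18.95.0 and then to a fixed release still needs credential rotation.
nx_console_status() {
  ver=$(grep -i '^nrwl\.angular-console@' | head -n 1 | cut -d@ -f2)
  [ -n "$ver" ] || { echo ABSENT; return 0; }
  case $ver in *[!0-9.]*|*..*|.*|*.) echo UNKNOWN; return 0 ;; esac
  [ "$ver" != "18.95.0" ] || { echo COMPROMISED; return 0; }
  major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
  if [ "$major" -gt 18 ] || { [ "$major" -eq 18 ] && [ "$minor" -ge 100 ]; }; then
    echo SAFE
  else
    echo UPDATE   # older than 18.100.0, the first release the article calls safe
  fi
}

# recent_launch_items STAMP DIR...: list files under the given directories
# modified after STAMP (touch -t format CCYYMMDDhhmm, local time).
# An empty result is not proof of a clean machine: timestamps can be altered.
recent_launch_items() {
  stamp=$1; shift
  ref=$(mktemp) || return 1
  touch -t "$stamp" "$ref"
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    find "$dir" -type f -newer "$ref"
  done
  rm -f "$ref"
  return 0
}

# Stand-alone run: report on this machine.
if command -v code >/dev/null 2>&1; then
  echo "Nx Console: $(code --list-extensions --show-versions | nx_console_status)"
fi
recent_launch_items 202605180000 "$HOME/Library/LaunchAgents" \
  /Library/LaunchAgents /Library/LaunchDaemons
```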
The systemic problem: VS Code’s auto-update is a supply chain attack surface
The 18-minute exploitation window that breached GitHub, OpenAI, and Mistral AI highlights a structural vulnerability in how modern development tooling distributes updates. VS Code’s auto-update mechanism is designed for security — it ensures developers always have the latest, most secure version of extensions. But it creates an architectural condition that TeamPCP exploited with precision: any attacker who controls a VS Code extension publisher account has a direct, zero-review push channel into every machine running that extension globally.
The Visual Studio Marketplace does not perform pre-publication security scanning on extension updates. It does not require multi-party approval for publishing. It does not have a review delay between submission and distribution. The moment a publisher submits an update, it is available for auto-update distribution to millions of machines. This is not a VS Code-specific problem — the same architecture exists in browser extension stores, IDE plugin repositories, and package manager ecosystems broadly. But the scale of VS Code’s adoption in enterprise development environments — particularly among the kinds of developers who work on AI infrastructure, security tooling, and critical open-source projects — makes the Marketplace a high-value target for exactly this kind of attack.
The TeamPCP playbook is now well-documented: gain access to a single publisher account, push a malicious update during off-peak hours, harvest credentials from the auto-updated machines, use those credentials to access the next layer of infrastructure, and propagate. The 18-minute window was not a failure — it was the plan. The attacker needed only minutes because auto-update did the distribution instantly and silently.
Sources and further reading
- The Hacker News — GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension
- BleepingComputer — GitHub Links Repo Breach to TanStack npm Supply Chain Attack
- Help Net Security — GitHub, Grafana Labs Breaches Traced Back to TanStack Supply Chain Compromise
- Infosecurity Magazine — GitHub Breach Traced to Malicious Nx Console VS Code Extension
- Security Boulevard — GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension
- The Hacker News — Grafana GitHub Breach Exposes Source Code via TanStack npm Attack
- Rescana — TanStack npm Supply Chain Attack: Detailed Technical Analysis
- Notebookcheck — VS Code Supply Chain Attack Hits GitHub, OpenAI, and Mistral AI
DataWater publishes a daily cybersecurity threat brief. Article #15 — May 21, 2026. Note: This attack is the same Mini Shai-Hulud campaign we first covered with the PyTorch Lightning attack on April 30 — this is the same threat actor, now operating at vastly larger scale.
