GitHub Confirms Source of Breach in 3,800 Repositories: Altered VS Code Extension was the Entry Vector

On the afternoon of Thursday, 21 May, GitHub publicly disclosed the root cause of one of the largest exposures of private code ever documented on a development platform. The Nx Console extension for Visual Studio Code, version 18.95.0 published on Microsoft’s official marketplace, was the vector that allowed the TeamPCP group to access and exfiltrate approximately 3,800 of GitHub's internal repositories. Grafana Labs and OpenAI confirmed exposures resulting from the same campaign.

The Nx Console has 2.2 million active installations. The window of compromise lasted less than twenty minutes, long enough for the malicious payload to collect CI/CD credentials, personal access tokens, and environment secrets from any instance that executed the automatic update of the extension during that period.

The Origin: TanStack and the Mini Shai-Hulud Worm

The attack began ten days earlier, on 11 May. The TeamPCP group executed a coordinated attack against the GitHub repository of TanStack, a JavaScript library used in corporate front-end development by tens of thousands of projects. In six minutes, 84 malicious artifacts were distributed across 42 packages in the @tanstack namespace on npm. The technique exploited a misconfiguration of OIDC trust scope in the TanStack GitHub Actions pipeline: the workflow authorised any branch of the repository, rather than just protected branches.

With the credentials of a legitimate TanStack developer obtained in this attack, TeamPCP accessed the Nx project repository on GitHub and published version 18.95.0 of the Nx Console directly on the VS Code Marketplace. The propagation was operated by the Mini Shai-Hulud worm, developed by the group to automate supply chain attacks: the worm steals CI/CD pipeline credentials and uses them to publish malicious versions of dependent packages, expanding the reach of the attack with each cycle.

The payload delivered by the extension functioned as a multi-stage credential stealer, exfiltrating data via HTTPS and the GitHub API. On macOS systems, the payload also installed a Python backdoor that used the GitHub Search API as a command and control channel.

Grafana Labs: An Incomplete Token Rotation

Grafana Labs confirmed, also on Thursday, that its exposure resulted from a GitHub environment access token not included in the credential rotation process initiated after the TanStack attack was detected. With this token, TeamPCP accessed the company’s private repositories and downloaded source code. Grafana stated that end user data was not compromised.

OpenAI had previously confirmed that two corporate devices were compromised during the TanStack attack on 11 May, with credential exfiltration and access to a limited subset of internal repositories. The company stated that it found no evidence of access to user data or production systems.

The pattern connecting the three cases is the same: manually executed credential rotation, without an automated inventory of all active integrations, creates exceptions that sophisticated attackers identify and exploit. Organisations with dozens of third-party integrations connected to GitHub have, on average, more than 400 active tokens according to industry research, making manual rotation systematically incomplete.

What Security Teams Need to Do Now

For organisations using VS Code in development pipelines, the immediate priority is to audit which extensions have access to environment variables and repository credentials. Version 18.95.0 of the Nx Console should be considered compromised; earlier and later versions have not been altered, according to the Nx project team.

GitHub advised that any organisation that installed the extension during the exposure window rotate all personal access tokens, deployment keys, and GitHub Actions credentials immediately. The risk is equivalent on GitHub Enterprise Server and the cloud version.

TeamPCP publicly claimed responsibility for the attack and announced that the data obtained is available for purchase on criminal forums. Consulting firms providing development services with access to client repositories should verify whether any shared credentials were active during the period of compromise.

The incident exposes a formal gap in the IDE extension distribution model: Microsoft’s marketplace hosts over 60,000 extensions without a mandatory integrity verification mechanism. A compromise window of less than twenty minutes in an extension with millions of users is sufficient to impact critical infrastructure on a global scale. Adoption of provenance standards equivalent to SLSA for IDE extensions is not yet required by any widely adopted security framework, leaving this attack surface formally uncontrolled.