TL;DR

On 2026-05-20, GitHub confirmed that attackers exfiltrated ~3,800 of its own internal repositories after a GitHub employee installed a poisoned VS Code extension on their device. As of 2026-05-21 GitHub and researchers have named the extension: the trojanized Nx Console build (nrwl.angular-console v18.95.0) — see the dedicated Nx Console compromise advisory — and linked the breach to the TanStack / Mini Shai-Hulud wave, which leaked the Nx contributor token used to publish it. The actor is TeamPCP (aka PCPcat / DeadCatx3 / UNC6780) — the same group behind the Mini Shai-Hulud npm/PyPI worm — who listed the stolen source for sale at $50,000 and threatened to leak it free if no buyer appeared. GitHub says it removed the malicious extension version, isolated the endpoint, and found no evidence that customer data stored outside its internal repos was affected (investigation ongoing). The takeaway for vibe coders: your IDE extension marketplace is an unaudited supply-chain surface sitting directly on top of every credential your editor can reach.

What happened

GitHub launched an investigation after TeamPCP publicly claimed it had breached GitHub's private codebase. GitHub's findings: the attacker compromised a GitHub employee's device through a malicious version of a Visual Studio Code extension, then used that foothold to access and exfiltrate GitHub-internal repositories. The attacker's claim of ~3,800 repositories is, per GitHub, "directionally consistent" with the investigation so far.

This is the latest escalation in the TeamPCP campaign that has run all year — the group has previously trojanized Aqua's Trivy scanner, Checkmarx KICS, LiteLLM, the Telnyx SDK, TanStack, MistralAI, and most recently Microsoft's durabletask PyPI SDK and the @antv npm ecosystem. The through-line: TeamPCP keeps weaponizing developer trust surfaces — package registries, CI tokens, and now IDE extensions — to reach source code and credentials.

GitHub's response so far: removed the malicious extension version, isolated the compromised endpoint, and began incident response. The company stated it has no evidence customer information outside GitHub-internal repos was impacted, with the caveat that the investigation is ongoing.

Update 2026-05-21 — extension named. The malicious extension is now confirmed to be the trojanized Nx Console build nrwl.angular-console@18.95.0, published 2026-05-18 (live ~11–18 min) using an Nx contributor's GitHub token that had leaked in the TanStack / Mini Shai-Hulud wave. The GitHub employee who installed it became TeamPCP's foothold. Full payload/IOC analysis lives in the Nx Console compromise advisory. Other orgs caught in the same credential-leak fallout reportedly include OpenAI, Mistral AI, and Grafana Labs.

Am I affected?

This is a breach of GitHub's own internal repos, not a directly distributed payload — so most readers are not directly compromised. The actionable risk is the attack pattern: a poisoned IDE extension on a developer machine.

# List installed VS Code / Cursor / Windsurf extensions and their versions
code --list-extensions --show-versions 2>/dev/null
cursor --list-extensions --show-versions 2>/dev/null

# Review what auto-updated recently (extensions auto-update silently by default)
ls -lat ~/.vscode/extensions/ 2>/dev/null | head
ls -lat ~/.cursor/extensions/ 2>/dev/null | head

Things to check: - Disable automatic extension updates for high-privilege editors (extensions.autoUpdate: false) so a compromised maintainer can't silently push a trojanized version to you. - Audit extensions that request broad capabilities (terminal, file-system, network, secret access). - Treat any extension that runs on folderOpen / startup as you would a postinstall script.

IOCs

Type Value
Threat actor TeamPCP (aka PCPcat, DeadCatx3, UNC6780)
Initial access vector Poisoned VS Code extension on employee device
Malicious extension name nrwl.angular-console (Nx Console) v18.95.0 — see advisory
Root cause Nx contributor GitHub token leaked in TanStack / Mini Shai-Hulud wave
Impact ~3,800 GitHub-internal repositories exfiltrated
Extortion Source listed for sale at $50,000; leak threat if unsold

If you are affected

playbooks/if-an-mcp-server-was-malicious.md — closest analogue for "a tool inside my editor was hostile"; same rotation logic applies. → playbooks/if-your-github-pat-leaked.mdplaybooks/rotating-cloud-credentials.md

Prevention

prevention/agent-sandboxing.mdprevention/credential-hygiene.md → Pin and review IDE extensions like any other dependency. Disable silent auto-update for editors that hold cloud/GitHub credentials. Prefer first-party / verified-publisher extensions, and watch for sudden ownership or maintainer changes — the same trust-transfer pattern that drove the Amazon Q wiper and the postmark-mcp backdoor.

Sources