On May 20, 2026, GitHub confirmed what security researchers had warned about for years: a single poisoned VS Code extension, live for just 18 minutes, was enough to breach 3,800 internal code repositories at the world’s largest software development platform. The attacker, a hacking group known as TeamPCP and tracked by Google Threat Intelligence as UNC6780, did not exploit a GitHub server vulnerability or crack a password. They compromised a single developer’s machine, harvested credentials automatically, and used those credentials to clone nearly 4,000 internal repositories before GitHub could respond. The breach, first detected on May 19 and confirmed publicly on May 20, 2026, is the most significant supply chain security incident involving developer tooling since the SolarWinds compromise in 2020.
GitHub serves more than 180 million developers across over 4 million organizations. Ninety percent of Fortune 100 companies depend on the platform. The implications of internal repositories containing infrastructure configurations, deployment scripts, staging credentials, and internal API schemas falling into the hands of a financially motivated threat actor extend well beyond GitHub itself. This is an infrastructure intelligence leak at scale, and the attack vector, a trusted VS Code extension with an auto-update mechanism, remains active across the entire developer tooling ecosystem.
GitHub Confirms 3,800 Internal Repositories Stolen
GitHub detected unauthorized access to its internal repositories on May 19, 2026. The company launched an immediate investigation and issued a public statement on May 20, confirming the breach. GitHub’s security team stated: “Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of approximately 3,800 repositories are directionally consistent with our investigation so far.”
TeamPCP had already posted the stolen data for sale on the Breached cybercrime forum by the time GitHub confirmed the incident. The group listed the material with a minimum asking price of $50,000 for a single buyer, and stated it would release everything publicly for free if no buyer came forward. The framing, sale rather than ransom, distinguishes TeamPCP from typical ransomware operators and points to a business model built around developer intelligence.
GitHub was explicit that customer data stored outside its internal repositories was not impacted. Enterprise customer code, public repositories, and private user repositories were not accessed. The breach was contained to GitHub’s own internal development infrastructure. GitHub also confirmed it would notify any customer if evidence of wider impact emerged as the investigation continued.
Despite the scope limitation, the nature of what was stolen, internal source code, infrastructure configurations, and credential material from GitHub’s own development pipeline, makes this breach qualitatively different from a typical customer data exposure. Internal repositories at a platform provider reveal how the platform itself is built and secured, creating a blueprint that sophisticated attackers can use for months or years afterward.
The Attack Chain: 5 Steps That Took 18 Minutes
The TeamPCP attack on GitHub was not improvised. It followed a methodical supply chain exploitation chain that began weeks before the GitHub breach itself, with a separate compromise of the TanStack open source ecosystem. Each step built on the last, and the final exfiltration of 3,800 repositories was, in effect, a scripted operation executed in minutes once the right credentials were in hand.
From TanStack to Nx Console to GitHub
Step 1: Compromise the TanStack ecosystem. TeamPCP’s initial foothold came via a prior supply chain attack against TanStack, a widely used set of open-source JavaScript tools for routing, data fetching, and state management. Through that compromise, TeamPCP gained access to a developer who also maintained the Nx Console VS Code extension.
Step 2: Poison the Nx Console extension. With access to the Nx developer’s system, TeamPCP pushed a backdoored version of Nx Console, version 18.95.0, to the Visual Studio Code Marketplace on May 18, 2026. Nx Console is a legitimate, widely installed extension for Angular and monorepo development workflows. The malicious build appeared identical to the legitimate version from the user perspective.
Step 3: Let auto-update distribute the payload. VS Code auto-updates installed extensions by default, without user confirmation. Within minutes of the malicious version going live, developer machines across the industry began pulling the update automatically. The malicious build was active on the marketplace for just 18 minutes before detection and removal, but that window was enough.
Step 4: Harvest credentials and exfiltrate. When triggered, the malicious extension ran a shell command on the affected developer machine, collected credentials from 1Password vault data, GitHub tokens, SSH keys, AWS credentials, and Anthropic Claude Code configurations, then double-encrypted the output and pushed it to a public GitHub repository. TeamPCP used GitHub itself as the exfiltration channel, a decision that delayed detection because the outbound traffic looked like normal GitHub API usage.
Step 5: Clone at scale using stolen SSH keys. TeamPCP decoded the exfiltrated output offline, extracted the GitHub SSH keys and tokens, and used them to clone 3,800 internal repositories in a scripted, automated operation. The group’s self-replicating tool, referred to in security reporting as Mini Shai-Hulud (an adaptation of a worm first documented in 2025), automated the credential-to-clone pipeline entirely.
Why Auto-Update Is the Delivery Mechanism
VS Code auto-update is enabled by default for all users and extensions do not require user confirmation to update. This design choice, intended to ensure security patches reach users automatically, becomes the mass distribution mechanism for supply chain malware the moment an attacker controls an extension publisher account or compromises an existing publisher’s release pipeline. An 18-minute window on the marketplace translated into thousands of silent installs across the global developer population, with no user interaction required.
What TeamPCP Stole: Credential Types and Data Value
The credential types harvested from affected developer machines were carefully chosen to maximize downstream access. Each category represents a different attack surface that TeamPCP could exploit or sell separately. The specificity of the targeting, including AI coding tool configurations, signals that TeamPCP had researched the typical developer machine’s credential profile before designing the malicious extension payload.
| Credential Type Stolen | Primary Risk | Downstream Attack Surface |
|---|---|---|
| GitHub tokens and SSH keys | Repository cloning, code modification, CI/CD pipeline access | Any organization using GitHub for development |
| AWS credentials | Cloud infrastructure access, data exfiltration, compute abuse | Cloud-hosted applications and storage buckets |
| 1Password vault data | Access to all stored passwords, API keys, and secrets | All services with credentials stored in the vault |
| Anthropic Claude Code configs | AI assistant access, prompt injection, persistent session data | Developer AI tooling and Anthropic API keys |
| Internal GitHub API schemas | Platform reconnaissance for future attacks | GitHub infrastructure and partner integrations |
The inclusion of Anthropic Claude Code configurations is significant. It indicates that TeamPCP specifically targeted developer machines running AI coding assistants, which frequently hold persistent API tokens and project-level context. As AI coding tools become standard infrastructure for development teams, they introduce a new credential category that organizations have not historically included in their secret rotation procedures. The GitHub breach is the first major confirmed incident in which AI tool credentials appear explicitly in the attacker’s exfiltration payload.
GitHub confirmed it immediately rotated critical secrets, prioritizing the highest-impact credentials first: “Critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first. We continue to analyze logs, validate secret rotation, and monitor for any follow-on activity.”
Who Is TeamPCP? The Financially Motivated Group Behind the Breach
TeamPCP is a financially motivated hacking collective that Google’s Threat Intelligence team tracks under the identifier UNC6780. The group specializes in developer supply chain attacks, targeting the tooling and automation infrastructure that developers rely on rather than attacking production systems directly. Their choice to sell stolen data rather than demand ransoms aligns with a growing segment of cybercriminal operations that treat intellectual property and developer credentials as persistent commodities rather than one-time leverage.
The group’s use of Mini Shai-Hulud demonstrates a level of technical sophistication beyond typical ransomware operators. The worm was designed to automate the CI/CD credential theft-to-publish cycle: it steals credentials from one developer’s machine, uses those credentials to publish infected versions of further packages, and propagates the infection to the next developer who installs those packages. In this way, TeamPCP’s initial TanStack compromise seeded the Nx Console attack, which in turn targeted GitHub’s internal developer fleet.
The monetization model is also distinctive. Rather than holding data hostage, TeamPCP offered the GitHub repositories on the Breached forum with a clear price structure: $50,000 for exclusive access, or the data gets released publicly. This approach eliminates the negotiation cycle of traditional ransomware and shifts leverage entirely to the attacker, who benefits from a sale if a buyer appears or from notoriety and downstream exploitation opportunities if the data goes public. The public leak threat also creates pressure on GitHub to respond quickly, regardless of whether the data has commercial value to an external buyer.
Security researchers at ArmorCode, who published a detailed technical analysis of the breach, characterized the attack as “a clear signal about where the next wave of software supply chain attacks is heading.” Their assessment points to developer tooling, specifically IDE extensions and package managers, as the new perimeter that enterprise security teams must defend, replacing the network edge that zero-trust architectures have already made less relevant as a primary control.
GitHub’s Incident Response: Isolation, Rotation, and Disclosure Timeline
GitHub’s response to the breach followed a three-phase structure: containment, credential rotation, and public disclosure. The company isolated the infected developer endpoint within hours of detecting the breach on May 19. The malicious Nx Console extension was removed from the VS Code Marketplace in coordination with Microsoft, and GitHub worked to prevent future installations of the compromised version.
GitHub stated it began rotating the highest-impact credentials the same day detection occurred, continuing overnight to cover the full scope of potentially exposed secrets: “We removed the malicious extension version, isolated the endpoint, and began incident response immediately.” The security team analyzed logs to validate rotation completeness and monitored for any follow-on activity suggesting the stolen credentials were already in use.
Public disclosure came on May 20, 2026, just one day after detection. This is an unusually fast turnaround for a breach of this complexity. The speed of disclosure reflects both GitHub’s awareness of the public interest and the reality that TeamPCP had already publicized the breach on the Breached forum before GitHub confirmed it. The company’s statement was measured and specific: acknowledging the approximate repository count while not characterizing the full impact as resolved while the investigation remained open.
GitHub committed to notifying customers directly if the investigation uncovered evidence of impact beyond internal repositories. No such notification has been issued as of June 18, 2026, consistent with GitHub’s assessment that customer data outside its internal repositories was not affected.
The VS Code Marketplace Security Problem: Numbers That Context the Breach
The GitHub breach did not happen in isolation. It landed on top of a VS Code extension ecosystem that security researchers have documented as systemically exposed at scale. Research by Koi Security found that the roughly 60,000 extensions hosted on the marketplace accumulate over 3.3 billion total installs, with the average developer running 40 extensions simultaneously. The scale of the marketplace makes the malicious extension attack surface very large, and the data on what already exists on the marketplace is alarming.
| VS Code Security Metric | Count | Source |
|---|---|---|
| Total extensions on marketplace | ~60,000 | Koi Security, 2024 |
| Total marketplace installs | 3.3 billion | Koi Security, 2024 |
| Extensions with verified malicious dependencies | 1,283 | Koi Security, 2024 |
| Combined installs of malicious-dependency extensions | 229 million | Koi Security, 2024 |
| Extensions communicating with hardcoded IP addresses | 8,161 | Koi Security, 2024 |
| Extensions with hardcoded secrets embedded | 267 | Koi Security, 2024 |
| Leaked secrets in VS Code and Open VSX extensions | 500+ | Wiz Research, October 2025 |
| Install base exposed by leaked marketplace PATs | 85,000+ | Wiz Research, October 2025 |
| Extensions reviewed for malicious code (2025) | 136 | Microsoft Developer Blog, 2025 |
| Extensions removed for malicious code (2025) | 110 | Microsoft Developer Blog, 2025 |
Wiz Research’s October 2025 report uncovering 500+ leaked secrets across VS Code and Open VSX extensions highlighted a specific risk that the GitHub breach later validated: leaked VS Code Marketplace PATs grant the ability to push updates to an extension, not just read it. An attacker who finds a leaked PAT inside an existing extension can silently publish a malicious update to that extension’s entire install base without any additional account compromise. This is precisely the mechanism TeamPCP exploited through the compromised Nx developer account’s publisher access.
In January 2026, two VS Code extensions with a combined 1.5 million installs were found exfiltrating developer data to servers in China. Microsoft removed them after the issue was reported, but both had operated undetected for months. Microsoft has since deployed secrets scanning and sandbox-based dynamic detection for new submissions, but the review pipeline does not catch all threats, as the Nx Console incident proves. When a compromised publisher account pushes a trojanized update through the normal release channel, it bypasses many of the controls designed for new extension submissions.
Why Developer Credentials Are the Highest-Value Target in 2026
The targeting of developer machines represents a fundamental shift in attacker logic. Traditional breaches went after databases holding customer records or financial data. Developer credential theft goes after the keys to every system a development team builds, maintains, and secures. A single developer with broad access to an organization’s GitHub repositories, AWS environment, and internal tooling is a higher-value target than a customer service employee with access to billing records, because the developer’s credentials unlock the systems that hold everyone else’s data.
The credentials harvested in the TeamPCP attack illustrate this logic precisely. GitHub SSH keys and tokens provide read and write access to every repository the affected developer had permissions for. AWS credentials can be used to access cloud storage, spin up compute instances for further attacks, or exfiltrate data at scale. 1Password vault contents give the attacker access to every service the developer authenticates against, typically dozens or hundreds of services across internal and external systems. The combination is, effectively, a master key to the developer’s entire professional life.
CI/CD pipelines compound the risk further. A developer with permissions to push code to a repository can, in many organizations, trigger automated deployments to production infrastructure. A stolen GitHub token carrying those permissions gives TeamPCP a potential path from credential theft to production system compromise without any additional exploitation steps. ArmorCode characterized the GitHub breach as an “infrastructure intelligence leak” rather than a standard data breach precisely because it crosses this threshold: from data about users to data about how the platform itself is built and operated.
The scale of GitHub’s user base amplifies the stakes. With 180 million developers on the platform and 90 percent of Fortune 100 companies using GitHub for development, any compromise of GitHub’s own infrastructure is, by extension, an intelligence operation against the backbone of global software production. The breach does not need to yield immediate exploitation to be valuable. The architectural and operational knowledge contained in 3,800 internal repositories has strategic value that persists for years.
The TanStack Link: How One Supply Chain Compromise Enables the Next
The GitHub breach did not begin with GitHub. It began with TanStack, a widely used collection of open-source JavaScript libraries for routing, data fetching, and state management. TeamPCP’s earlier compromise of the TanStack ecosystem gave them access to a developer who also maintained the Nx Console VS Code extension. That developer’s compromised system became the staging ground for the poisoned Nx Console update that ultimately reached GitHub’s internal developer fleet.
This chaining behavior, where one supply chain compromise enables the next, is the defining characteristic of how sophisticated supply chain attacks operate in 2026. TeamPCP’s Mini Shai-Hulud worm is purpose-built to automate this chain. The worm steals CI/CD credentials from a compromised machine, uses those credentials to publish infected versions of packages or extensions, and lets the infected packages propagate the attack to the next tier of developers who install them. Each newly infected developer machine becomes a node in TeamPCP’s distribution network, with no further action required from the attackers.
The TanStack-to-Nx-to-GitHub chain demonstrates that open-source maintainers are high-value initial access targets precisely because compromising one maintainer can reach every downstream project, organization, and developer that depends on their work. Security teams must now treat their entire vendor and open-source dependency graph as a potential attack path, not just the direct suppliers they have formal vendor agreements with. A JavaScript routing library that 500,000 developers use carries attack surface that no current vendor risk management framework adequately captures.
Market Impact: Supply Chain Attacks Intensify Across the Software Industry
The GitHub breach arrives during a period of intensifying supply chain attacks across the software industry. The npm ecosystem faced 1.2 million malicious packages in the months preceding this incident. Earlier in 2026, major security tools including Aqua Security’s Trivy vulnerability scanner, Bitwarden, and Checkmarx were compromised through supply chain vectors, allowing attackers to steal passwords, credentials, and sensitive tokens from the computers of developers who installed or auto-updated the backdoored software. The pattern, attacking the tools that developers trust most, is consistent and deliberate.
The financial cost of developer supply chain breaches is difficult to quantify directly, because the damage often manifests in follow-on attacks using stolen credentials rather than in the initial breach event itself. The Cloudflare 2026 Threat Report documented 31.4 Tbps record attacks that partly trace back to compromised developer infrastructure. The relationship between upstream supply chain compromises and downstream attack capability is direct but frequently invisible in breach accounting.
The GitHub breach is likely to accelerate several trends already visible in enterprise security investment. Organizations are implementing extension allowlisting policies, restricting VS Code auto-update, and deploying monitoring for developer machine credential access. Microsoft’s November 2025 announcement of VS Code Private Marketplace capability indicated that demand for controlled, enterprise-managed extension distribution was already building before the GitHub incident. That product is now positioned as a direct response to a confirmed large-scale breach rather than a theoretical risk mitigation.
For GitHub specifically, the breach raises questions about the security of internal development infrastructure at major code hosting platforms. GitLab, Bitbucket, Azure DevOps, and similar platforms should treat the GitHub incident as a direct threat model for their own environments. The attack surface is identical: developer machines with IDE extensions, credential storage, and CI/CD access exist at every platform that relies on human developers as part of its software supply chain.
Historical Context: VS Code Extension Attacks Before the GitHub Breach
The GitHub breach did not emerge from a vacuum. The VS Code extension ecosystem has been under active exploitation for at least two years, and the pattern of incidents shows an escalation in attacker ambition and technical sophistication that the May 2026 incident represents the current peak of.
In May 2024, three VS Code extensions impersonating Automated Logic Corporation were published on the marketplace and remained active for months before Checkmarx began systematic takedown work in September 2025. Those extensions collected usernames, OS details, and network interface data, exfiltrating them to hard-coded endpoints. They targeted building automation developers specifically, demonstrating that even niche developer communities are considered viable supply chain attack targets.
In December 2025, Microsoft removed three extensions from the BigBlack publisher after researchers documented stealer malware behavior, including downloading additional payloads and taking screenshots. The extensions had limited installs, below 50 each. This underscores that attacker success does not depend on broad install numbers when the target is a specific high-value developer rather than a mass audience. A single developer with the right credentials is worth more than ten thousand users with no privileged access.
In January 2026, two malicious VS Code extensions with a combined 1.5 million installs were found actively exfiltrating developer data to servers in China. That incident generated significant public coverage. Yet the Nx Console attack succeeded just four months later, suggesting that industry awareness has not translated into the systemic configuration changes and access controls needed to reduce the actual attack surface.
What Developers and Security Teams Must Do Now
The GitHub breach produces a clear action agenda for development teams and enterprise security organizations. The risk is active, not theoretical, and it exploits default configurations that most developers and organizations have not changed. The following controls directly address the attack vector TeamPCP used in the May 2026 breach.
Disable VS Code auto-update for extensions. In VS Code settings, set extensions.autoUpdate to false and extensions.autoCheckUpdates to false. Review and approve extension updates manually, especially for extensions that access the file system, run shell commands, or have CI/CD integration. This single configuration change eliminates the primary distribution mechanism TeamPCP used.
Audit installed extensions across your developer fleet immediately. Run an inventory of all VS Code extensions on developer machines. Remove unused extensions. Review the permissions and network behavior of extensions with high access levels. Treat Nx Console version 18.95.0 as a confirmed indicator of compromise and check for its presence in your environment logs.
Rotate credentials on affected machines. If your organization’s developers had Nx Console installed and auto-update enabled between May 18 and May 19, 2026, rotate all GitHub tokens, SSH keys, AWS credentials, and password manager contents for those machines. Do not assume the malicious version did not execute before removal from the marketplace.
Implement VS Code Private Marketplace or extension allowlisting. Microsoft’s VS Code Private Marketplace, announced in November 2025, allows organizations to restrict which extensions developers can install to a curated, approved list. This is the structural control that prevents a single poisoned publisher account from reaching your developer fleet. Organizations using GitHub Enterprise or similar platforms should treat this as a critical security control, not an optional policy.
Treat AI coding tool configurations as secrets requiring rotation. API keys for Anthropic Claude Code, GitHub Copilot, and similar AI coding tools should be rotated on the same schedule as other developer credentials. They should not sit in plaintext configuration files that extension code can access. The GitHub breach confirmed that AI tool credentials are actively targeted, not merely theoretically at risk.
Expert Predictions: Developer Supply Chain Security Through 2027
The GitHub breach is a reference incident that will shape attacker behavior and defender investment for years. Based on the attack patterns documented in 2025 and 2026, five predictions are supported by current evidence.
Prediction 1: Extension marketplace attacks will increase in frequency. The 18-minute window that enabled the GitHub breach reflects the current state of marketplace security response times. As attackers automate the malicious-update publish-and-exfiltrate cycle using tools like Mini Shai-Hulud, the attack-to-exfiltration window will compress further. Marketplace providers will need real-time behavioral monitoring of extension updates, not periodic batch scans, to keep pace. Expect Microsoft to announce enhanced real-time extension vetting within six months of the GitHub breach.
Prediction 2: AI tool credential theft becomes a distinct threat category. The targeting of Anthropic Claude Code configurations in the GitHub breach signals that AI coding assistant credentials are on the attacker priority list. Within 12 months, security incident reports will routinely include AI tool API key theft as a separate line item in credential loss accounting, distinct from traditional GitHub tokens and AWS keys. Organizations that have not yet added AI tool credentials to their rotation schedules are behind on this control today.
Prediction 3: Private extension marketplaces become a compliance requirement. Following the GitHub breach, enterprise security frameworks including SOC 2 and ISO 27001 implementations will increasingly require organizations to operate controlled extension inventories. Expect extension allowlist policies to appear in vendor security questionnaires and RFPs within two years, treating open marketplace access the same way that unrestricted package installation from public registries is now treated in mature security programs.
Prediction 4: Supply chain chaining attacks target more open-source maintainers directly. The TanStack-to-Nx-to-GitHub chain demonstrates that open-source maintainers are high-value initial access targets. Compromising one maintainer reaches every downstream project and developer that depends on their work. Expect threat actors to invest more heavily in social engineering and credential theft campaigns targeting maintainers of widely used JavaScript, Python, and Rust ecosystem packages through 2026 and 2027.
Prediction 5: GitHub expands platform security monitoring to the developer endpoint. GitHub Advanced Security and similar tools have historically focused on code scanning and secret detection within repositories. The GitHub breach creates direct product incentive for GitHub to expand monitoring to the developer machine environment, flagging unauthorized extension updates and credential access events before they result in repository compromise. This capability, connecting endpoint telemetry to repository access patterns, would represent the most meaningful advancement in developer supply chain security since Dependabot launched in 2019.
Frequently Asked Questions
Was customer code stored on GitHub affected by the TeamPCP breach?
No. GitHub confirmed that customer data stored outside its internal repositories was not impacted. Enterprise customer repositories, public repositories, and private user repositories were not accessed. The breach was limited to GitHub’s own internal development repositories. GitHub committed to notifying customers directly if the investigation found evidence of wider impact, and as of June 18, 2026, no such notification has been issued.
How did TeamPCP get publisher access to push a malicious Nx Console update?
TeamPCP used an earlier supply chain compromise of the TanStack JavaScript ecosystem to gain access to a developer who also maintained the Nx Console VS Code extension. With that access to the Nx developer’s system (and presumably their marketplace publisher credentials), they pushed the backdoored version 18.95.0 to the VS Code Marketplace on May 18, 2026. The malicious build was live for 18 minutes before detection and removal, but VS Code’s auto-update feature had already distributed it during that window.
Should developers who had Nx Console installed rotate their credentials?
Yes. If VS Code auto-update was enabled and Nx Console was installed on a developer machine between May 18 and May 19, 2026, treat that machine as potentially compromised. Rotate all GitHub tokens, SSH keys, AWS credentials, and password manager contents for those machines, and review access logs for unusual activity in the days following May 18. Check whether the malicious Nx Console version (18.95.0) appears in your VS Code extension history before assuming you were unaffected.
What is TeamPCP and what other attacks have they conducted?
TeamPCP, tracked by Google Threat Intelligence as UNC6780, is a financially motivated hacking group specializing in developer supply chain attacks. Rather than demanding ransoms, they sell stolen developer credentials and source code. The group deploys the Mini Shai-Hulud worm, which automates the process of stealing CI/CD credentials and using them to publish further infected packages, enabling cascading supply chain compromises. The TanStack compromise that preceded the GitHub breach is the most detailed documented prior operation attributed to TeamPCP in public reporting.
How can organizations prevent VS Code extension supply chain attacks?
The most effective controls are: disabling VS Code auto-update for extensions (set extensions.autoUpdate: false), implementing an extension allowlist via Microsoft’s VS Code Private Marketplace, auditing installed extensions across all developer machines, and treating extension publisher accounts and marketplace PATs as critical secrets subject to rotation and monitoring. Organizations should also add AI coding tool API keys to their credential rotation program. Wiz Research found 500+ leaked secrets in VS Code extensions in October 2025, many of which granted publisher access that could be used exactly as TeamPCP used it.
Is this the first time a VS Code extension was used to breach a major company?
The GitHub breach is the highest-profile confirmed incident involving a VS Code extension as the initial attack vector. Prior incidents include the January 2026 discovery of two extensions with 1.5 million combined installs exfiltrating data to China, the December 2025 BigBlack stealer extension removals, and a 2024 brand-impersonation campaign against building automation developers. However, none of those prior incidents resulted in the confirmed breach of a major platform’s internal development infrastructure at the scale of the GitHub incident.
What data did the malicious Nx Console extension specifically collect?
The malicious Nx Console version 18.95.0 harvested: GitHub tokens and SSH keys, AWS credentials, 1Password vault data, Anthropic Claude Code configurations, and general developer credentials stored on the affected machine. The payload double-encrypted the collected material and pushed it to a public GitHub repository before TeamPCP decoded it offline. GitHub used the exfiltrated SSH keys to clone approximately 3,800 of GitHub’s internal repositories in a scripted automated operation.
Related Coverage
For context on the broader supply chain and threat landscape around the GitHub breach:
- npm Supply Chain Attacks: 1.2M Malicious Packages Targeting Developers
- AI Cyberattacks: 90% Autonomous, 40,000 Vulnerabilities Discovered
- Ransomware Groups Up 49%: 8,159 Victims Across 2025
- ShinyHunters Breach Odido: 6.5M Records, $1M Ransom Demanded
- Cloudflare 2026 Threat Report: 47 Million Attacks, 31.4 Tbps Record
- Security Analysis and Threat Intelligence Hub
