GitHub: 3,800 Internal Repos Exfiltrated via Trojanized VS Code Extension

GitHub confirmed on May 20, 2026, that approximately 3,800 of its internal repositories were exfiltrated after an employee installed a trojanized version of the VS Code Nx Console extension. The malicious package was distributed by the threat actor group TeamPCP via the Visual Studio Marketplace for a window of just 18 minutes on May 18. The incident underscores a systemic security gap: IDE extensions operate with elevated privileges on developer machines, often eluding corporate security tools, while auto-update features provide a direct distribution channel without mandatory review gates.

Key Takeaways
  • The malicious extension, nrwl.angular-console v18.95.0, remained on the Visual Studio Marketplace for only 18 minutes (12:30-12:48 UTC, May 18, 2026). However, Nx estimates potential installations exceed 6,000, far higher than the 28 initially reported by Microsoft.
  • The infection mechanism utilized a shell command disguised as a Model Context Protocol (MCP) configuration to download and execute a hidden package from a planted commit on the official nrwl/nx repository, stealing credentials from 1Password, Anthropic Claude Code, npm, GitHub, and AWS.
  • TeamPCP claimed responsibility for the attack on cybercrime forums, offering the stolen data for at least $50,000. While GitHub has not issued an official attribution, it described the claims regarding the number of compromised repos as "directionally consistent" with its internal investigation.
  • GitHub has rotated critical secrets and states there is no evidence of impact on customer data outside internal repositories. Nonetheless, the incident exposes the fragility of the VS Code extension trust model, where traditional EDR often fails to provide visibility.

18 Minutes on the Marketplace, Weeks of Fallout

The exposure window was remarkably brief but highly effective. According to reporting from The Hacker News, the trojanized extension was published to the Visual Studio Marketplace at 12:30 UTC on May 18, 2026, and removed by 12:48 UTC. However, VS Code’s default auto-update mechanism transformed that 18-minute window into a mass distribution event.

Jeff Cross, co-founder of Nx, later stated that proprietary analytics suggest over 6,000 installations of version 18.95.0 occurred—a figure drastically higher than the 28 cited by Microsoft. This discrepancy highlights the gulf between marketplace installation metrics and actual propagation via automated client updates.

The group TeamPCP claimed the operation on cybercriminal forums, listing the stolen data with a starting price of $50,000. GitHub has not officially attributed the attack to the group, but characterized their claims about the scale of the repository compromise as "directionally consistent" with the findings of their internal probe.

The MCP Mechanism as a Smokescreen

The technical core of the attack involved social engineering applied to the Model Context Protocol (MCP), a protocol designed to standardize interactions between IDEs and external services. The compromised extension looked and functioned identically to the legitimate Nx Console version, but triggered a silent shell command upon its first launch.

"On startup it silently ran a single shell command that downloaded and executed a hidden package from a planted commit on the official nrwl/nx GitHub repository. The command was disguised as a routine MCP setup task so it would not raise suspicion." — Nir Zadok, OX Security

The malicious package was hosted within a planted commit on the official nrwl/nx repository, effectively using GitHub’s own infrastructure as a secondary distribution vector. Once executed, the malware functioned as a multi-target credential stealer, harvesting sensitive data from 1Password vaults, Anthropic Claude Code configurations, npm credentials, GitHub tokens, and AWS keys. This occurred with privileges equivalent to the VS Code editor, granting the attacker full access to the developer's filesystem and resources.

This attack architecture demonstrates how the compromise of a single corporate device can trigger a chain of access, propagating via stolen credentials into the platform's internal systems—in this case, allowing access to approximately 3,800 internal GitHub repositories.

The Developer Workstation Blind Spot

The GitHub incident highlights a structural disconnect in the security posture of modern tech companies. VS Code extensions are installed with high privileges, often without dedicated security reviews, and operate in a space that traditional Endpoint Detection and Response (EDR) tools do not effectively monitor.

As Charlie Eriksen, security researcher at Aikido Security, observed: "The thing people underestimate about VS Code extensions is that they have full access to everything on the developer's machine. EDR doesn't cover this layer at all." The lack of visibility into developer workstations represents a systematically underestimated attack vector.

Raphael Silva, also of Aikido Security, emphasized the risks inherent in auto-updates: "Every popular extension marketplace ships with auto-update on by default... Auto-update gives an attacker who controls a release a direct push channel into every machine running that extension. Marketplaces don't impose any review gate or waiting period between when an update is published and when installed clients pull it in." This mechanism turns every update into a potentially critical security event with no buffer for verification.

Mackenzie Jackson of Aikido Security summarized the scale of the problem: "A single VS Code extension on one employee's machine was enough to get access to 3,800 internal GitHub repositories. Most security teams still have zero visibility into what extensions or packages are on their developers' machines, or how recently they were published. That's the blind spot these attacks keep walking through."

The Extension Trust Model Under Fire

Roy Akerman, head of cloud security and identity at Silverfort, framed the unique nature of the breach: "A VS Code extension runs with the same privileges as the editor itself, and once installed it has access to everything the developer can reach... What makes this breach remarkable isn't the entry point, it's that TeamPCP used GitHub's own infrastructure as the weapon end to end." This observation captures the insidious symmetry of the attack: the code hosting platform became simultaneously the vector, the vehicle, and the target.

The case is part of a series of compromises attributed to TeamPCP, which has demonstrated sophisticated capabilities in infiltrating software supply chains over recent months. It remains unclear from available sources if the initial compromise of the Nx maintainer account is directly linked to the recent attack on TanStack, nor is it known if other organizations beyond GitHub were affected during the 18-minute availability window.

Alexis Wales, Chief Information Security Officer at GitHub, stated: "We have no evidence of impact to customer information stored outside of GitHub's internal repositories, such as our customer's own enterprises, organizations, and repositories." The company has since proceeded with rotating critical secrets as a precautionary measure.

Mitigation and Response

For organizations managing development environments, this incident necessitates immediate and concrete measures:

  • Extension Audits: Verify all VS Code extensions present on developer devices, with a specific focus on nrwl.angular-console v18.95.0, and immediately remove suspicious or unverified versions.
  • Selective Auto-Update Disabling: Evaluate policies that require manual approval before extension updates are installed, particularly for extensions with access to credentials or sensitive resources.
  • Secret Rotation: Assume that GitHub, AWS, npm credentials, and password vaults have been compromised if the malicious extension was installed on any corporate device between May 18 and May 20, 2026. Rotate all potentially exposed tokens and keys.
  • Implement IDE-Layer Visibility: Integrate security posture tools specific to the development environment, as traditional EDR does not cover extension behavior. Monitor network communications initiated by VS Code and any child processes spawned by the editor.
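
The extension audit in the first item can be scripted. The sketch below is an added example, not code from GitHub, Nx, or any vendor quoted here: it inventories a VS Code extensions folder (or the output of `code --list-extensions --show-versions`) and flags the release named in this article. Every other extension and version in the sample data is constructed for illustration.

```python
import json
import re
from pathlib import Path

# Known-bad (extension id, version) pairs; this entry is the release named in the article.
BLOCKLIST = {("nrwl.angular-console", "18.95.0")}

# Install folders are named "<publisher>.<name>-<version>[-<platform>]".
DIR_RE = re.compile(r"^(?P<id>[^.]+\..+?)-(?P<ver>\d+\.\d+\.\d+[^-]*)(?:-.+)?$")

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_CLI = """ms-python.python@2024.2.1
nrwl.angular-console@18.95.0
dbaeumer.vscode-eslint@3.0.10
"""

def identify(ext_dir: Path):
    """Return (id, version) from package.json, falling back to the folder name."""
    try:
        meta = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        return f"{meta['publisher']}.{meta['name']}".lower(), str(meta["version"])
    except (OSError, ValueError, KeyError, TypeError):
        # Missing or corrupt manifest: still report what the folder name claims.
        m = DIR_RE.match(ext_dir.name)
        return (m["id"].lower(), m["ver"]) if m else None

def audit_dir(root: Path):
    """List extensions installed under root and the subset that is blocklisted."""
    found = sorted({ident for d in root.iterdir()
                    if d.is_dir() and (ident := identify(d))})
    return found, [e for e in found if e in BLOCKLIST]

def audit_cli_output(text: str):
    """Apply the same blocklist to id@version lines collected from the CLI."""
    pairs = [tuple(line.strip().lower().rsplit("@", 1))
             for line in text.splitlines() if "@" in line]
    return [p for p in pairs if p in BLOCKLIST]

if __name__ == "__main__":
    print("sample CLI output, blocklisted:", audit_cli_output(SAMPLE_CLI))
    root = Path.home() / ".vscode" / "extensions"  # default per-user install location
    if root.is_dir():
        installed, flagged = audit_dir(root)
        print(f"{len(installed)} extensions installed, blocklisted: {flagged or 'none'}")
```

Run it against `.vscode-insiders` and `.vscode-server` extension folders as well where those are in use, and treat any hit as grounds for the secret rotation described in the list above.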

This breach demonstrates that supply chain security can no longer stop at the source code; it must extend to the tools developers use to manipulate it. When a single compromised extension can facilitate access to thousands of repositories on one of the world’s most critical hosting platforms, the defensive perimeter inevitably shifts from the cloud to the individual workstation.
