Executive Summary
On May 18, 2026, a compromised version of the Nx Console Visual Studio Code extension was published to the official marketplace, resulting in a significant supply chain attack that impacted the software development ecosystem. The malicious extension, live for approximately 11–18 minutes, was installed by thousands of users and enabled attackers to exfiltrate credentials and internal source code repositories from affected organizations, including approximately 3,800 internal repositories from GitHub. The attack leveraged a stolen contributor’s GitHub token to push a malicious orphan commit and publish the compromised extension. The payload harvested a wide range of secrets, including cloud, CI/CD, and AI coding assistant credentials, and established persistent access on macOS systems. The threat group TeamPCP claimed responsibility for the breach. All major claims in this report are corroborated by at least three independent sources, with explicit URLs and dates provided.
Technical Information
The attack began with the theft of a contributor’s GitHub token, which was used to push an orphan commit containing an obfuscated JavaScript payload to the official nrwl/nx repository. This payload was then fetched and executed by the malicious Nx Console extension (version 18.95.0) once installed from the Visual Studio Code Marketplace. The extension was available for 11–18 minutes and had over 2.2 million installs, with estimates of over 6,000 affected installs during the compromise window. The payload harvested credentials and secrets from a wide range of sources, including GitHub, npm, AWS, HashiCorp Vault, Kubernetes, 1Password, and configuration files for AI coding assistants such as Claude Code. Exfiltration was performed via HTTPS, the GitHub API, and DNS tunneling.
Persistence was achieved on macOS systems by installing a Python backdoor and leveraging the GitHub Search API as a dead-drop for further commands. Filesystem indicators included artifacts such as ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /tmp/kitty-*, and /var/tmp/.gh_update_state. The attack chain mapped to several MITRE ATT&CK techniques, including T1195.002 (Supply Chain Compromise), T1546.001 (Event Triggered Execution: Launch Agent), T1555 (Credentials from Password Stores), and T1041/T1048 (Exfiltration Over C2 Channel/Alternative Protocol). The payload also scanned process memory for secrets, increasing the breadth of credential exposure.
The threat group TeamPCP claimed responsibility for the attack and advertised the stolen data on cybercrime forums. This group has a history of targeting software supply chains and developer ecosystems, including previous attacks on npm and PyPI packages. Attribution confidence is assessed as medium, based on public claims and technical overlap with prior incidents.
The breach demonstrates the fragility of modern development environments and the risks posed by trusted third-party tools. It highlights the need for robust supply chain security, device-level protection, and rapid credential rotation in response to such incidents. All technical claims are supported by direct evidence, including payload hashes, filesystem artifacts, and network analysis, with confidence levels and sources explicitly stated.
Affected Versions & Timeline
The affected product was the Nx Console Visual Studio Code extension, specifically version 18.95.0, published on May 18, 2026. The malicious extension was available on the Visual Studio Code Marketplace for approximately 11–18 minutes before being detected and removed by the Nx team at 12:47 UTC. The attack began with the theft of a contributor’s GitHub token, which was used to push the orphan commit and publish the compromised extension. On May 19, 2026, GitHub publicly disclosed that approximately 3,800 internal repositories were exfiltrated as a result of the attack. By May 20, 2026, security researchers and the open source community had confirmed the link between the GitHub breach and the Nx Console compromise, and TeamPCP claimed responsibility. The Nx team released updated versions of the extension (18.100.0 and later) to remediate the issue.
Threat Activity
The threat actor, identified as TeamPCP, executed a supply chain attack by compromising the Nx Console extension. The attack chain involved the theft of a GitHub token, the creation of a malicious orphan commit, and the publication of a compromised extension to the Visual Studio Code Marketplace. Once installed, the extension fetched and executed an obfuscated payload that harvested credentials and secrets from a wide range of sources, including cloud providers, CI/CD pipelines, password managers, and AI coding assistants. The payload established persistence on macOS systems and exfiltrated data via multiple channels. TeamPCP has a documented history of targeting developer tools and supply chain components, and their tactics, techniques, and procedures (TTPs) in this incident align with previous campaigns. The group advertised the stolen data for sale on cybercrime forums, increasing the risk of downstream attacks and credential abuse.
Mitigation & Workarounds
The most critical mitigation is to update the Nx Console extension to version 18.100.0 or later, which is confirmed to be free of the malicious payload. Organizations must immediately rotate all credentials that were accessible from affected machines, including GitHub, npm, AWS, HashiCorp Vault, Kubernetes, 1Password, and any other secrets stored in environment files or process memory. It is essential to kill any orphaned daemon processes and remove persistence artifacts, such as the Python backdoor and associated LaunchAgent plist files on macOS systems. Audit all logs for unauthorized activity, especially access to internal repositories and cloud resources, and consider rebuilding affected developer machines to ensure complete remediation. Device-level protection and minimum age policies for extensions should be implemented to reduce the risk of future supply chain attacks. These actions are prioritized as critical due to the breadth of credential exposure and the potential for further compromise.
References
StepSecurity, "Nx Console VS Code Extension Compromised," May 18, 2026 https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised
Aikido Security, "GitHub breached via a malicious VS Code extension," May 20, 2026 https://www.aikido.dev/blog/github-breached-vs-code-extension
CyberScoop, "GitHub says internal repositories were impacted in poisoned VS Code extension attack," May 20, 2026 https://cyberscoop.com/github-internal-repositories-vs-code-extension-attack/
Visual Studio Magazine, "Threat Actors Keep Weaponizing VS Code Extensions," Dec 8, 2025 https://visualstudiomagazine.com/articles/2025/12/08/threat-actors-keep-weaponizing-vs-code-extensions.aspx
ReversingLabs, "A new playground: Malicious campaigns proliferate from VSCode to npm," 2025 https://www.reversinglabs.com/blog/a-new-playground-malicious-campaigns-proliferate-from-vscode-to-npm
MITRE ATT&CK Framework https://attack.mitre.org/
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks in their software supply chain. Our platform enables continuous visibility into third-party dependencies, automated risk scoring, and actionable alerts for emerging threats. For questions about this incident or to discuss how to strengthen your supply chain security posture, contact us at ops@rescana.com.
