TeamPCP Breaches GitHub via Poisoned Nx Console Extension

A Two-Step Supply Chain Attack That Ended in GitHub's Internal Source Code

On May 20, 2026 GitHub confirmed that attackers exfiltrated GitHub-internal source code repositories after a poisoned Visual Studio Code extension compromised an employee endpoint. The threat group, tracked publicly as TeamPCP and by Google Threat Intelligence Group as UNC6780, claims around 3,800 repositories taken; GitHub describes that figure as "directionally consistent" with its own investigation and says no customer information stored outside GitHub-internal repositories is affected.

The interesting part is not the breach. It is the chain. This is supply chain attack on top of supply chain attack, two hops deep before it reached a GitHub laptop.

Step 1: A Compromised Tanstack Contributor

The first link is a separate supply chain compromise on Tanstack, the popular open-source project family (TanStack Query, Router, Table, and more). Per the Nx team's own GitHub Security Advisory (GHSA-c9j4-9m59-847w), one of their developers was caught in that Tanstack compromise, and the attack leaked the developer's GitHub credentials by harvesting them through the GitHub CLI (gh). Whoever held those credentials could execute workflows as that contributor.

That contributor had push access to nrwl/nx and, transitively, to the credentials used to publish the Nx Console VS Code extension. The breach surface jumps domains: from one open-source project to another, by way of a developer who contributes to both.

Step 2: A Poisoned Nx Console 18.95.0

Nx Console is a Visual Studio Code extension with about 2.2 million installs. On May 18, 2026 the attacker pushed a malicious version, nrwl.angular-console 18.95.0. The Nx advisory documents the exposure windows precisely:

• Microsoft VS Code Marketplace: uploaded 12:30 UTC, unpublished 12:47 UTC. About 18 minutes live.
• OpenVSX (open registry mirror): published 12:33 UTC, unpublished 13:09 UTC. About 36 minutes live.

Marketplace download counters showed 28 downloads on Microsoft and 41 on OpenVSX, which is the visible number. Nx's own product analytics tell a different story: roughly 6,000 extension activations recorded after the attack, which is the number that actually matters for blast radius. Marketplace download counts do not capture auto-update fanout from already-installed copies.

What the Payload Did

The compromised extension fetched and executed an obfuscated payload (a 498 KB blob hidden in a dangling orphan commit on the real nrwl/nx repository, which is itself a clever trust laundering trick: the malicious code sits in the legitimate org's git history, just unreachable from any branch).

Per Nx's advisory, the payload harvested from any developer who opened a workspace:

• Vault tokens
• npm, AWS, and GitHub credentials
• 1Password CLI
• SSH keys
• Connection strings in environment files
• GCP and Docker credentials

Exfiltration went out three channels: HTTPS, the GitHub API itself (using the just-stolen tokens), and DNS tunneling. Linux machines also got a sudoers injection attempt for persistence. The cleanup runbook in the Nx advisory specifically calls out terminating __DAEMONIZED and cat.py processes and removing the persistence artifacts.

Step 3: Reaching GitHub

A GitHub employee was running Nx Console and updated to 18.95.0 inside the ~18 minute marketplace window. Whatever that employee had reachable - tokens, SSO sessions, GitHub-internal repository access - became reachable to TeamPCP. GitHub's official statement confirms exfiltration of GitHub-internal repositories only, with the attacker's ~3,800 figure called directionally consistent.

GitHub's response: the malicious extension version was removed, the endpoint was isolated, and incident response is in progress. TeamPCP is reportedly advertising the stolen repositories for sale, starting at $50,000.

The Same Crew, Again

TeamPCP / UNC6780 is the same threat group we wrote up last week, after they backdoored Microsoft's durabletask PyPI package (versions 1.4.1-1.4.3). Their target pattern is consistent: open-source developer tooling and security-adjacent utilities, where one compromise lets them ride downstream trust into a much larger blast radius. Prior victims reportedly include Aqua's Trivy scanner, Checkmarx KICS, and LiteLLM. They specialize in supply chain.

Two compromises in two weeks against developer ecosystems with millions of downstream installs is not coincidence. It is a campaign.

What To Do Today

If your team uses Nx Console:

1. Upgrade immediately to Nx Console 18.100.0 or later. Any version that was 18.95.0 in the May 18 window is suspect.
2. Hunt for the named processes on developer machines: __DAEMONIZED and cat.py. Their presence is direct evidence of payload execution.
3. Check for sudoers tampering on Linux dev boxes.
4. Rotate everything reachable from any potentially compromised endpoint: GitHub PATs, npm tokens, AWS keys, SSH keys, Vault tokens, 1Password CLI sessions, GCP and Docker credentials, and any .env content that includes connection strings.
5. Audit GitHub access logs for the affected window, in your own org. If a contributor used Nx Console, treat their token as compromised until proven otherwise.

If your team does not use Nx Console, the broader lesson still applies. Treat editor extensions as code that runs with the developer's full ambient credentials, because that is what they are. The trust surface is not just the editor; it is every IDE plugin, every gh-cached token, every "convenient" CLI authentication state.

Bottom Line

The exposure window was short. The marketplace download number looked small. The actual blast radius is two orders of magnitude larger, and it includes GitHub's own source code. The chain ran developer-to-project-to-marketplace-to-endpoint-to-enterprise, and at no point did it require a fancy zero-day. It required one stolen gh token, sitting in the right developer's home directory.

If you want a structured review of where your team's developer credentials and IDE extension surface actually expose you - and what a containment runbook looks like before an incident, not after - our security and compliance team handles exactly this kind of supply-chain exposure assessment.