– Attack exploited developer tooling and supply chain: a poisoned VS Code extension and compromised packages allowed credential theft and broad access without breaching perimeters.
– Rapid, worm-like propagation: from TanStack package compromise to an Nx Console build, then wider exfiltration across CI/CD pipelines, affecting thousands of repos in minutes.
– High-severity, cross-vendor impact: targets included GitHub, OpenAI, and Mistral AI, with stolen credentials and internal code assets; some customer data exposure remains a possibility if further impact is discovered.
News Brief: Supply Chain Attack Targets Developer Tools
GitHub confirmed today that the breach of roughly 3,800 internal repositories traces back to a poisoned version of the Nx Console VS Code extension, itself a casualty of the TanStack npm supply chain attack. The campaign, attributed to threat actor group TeamPCP and codenamed Mini Shai-Hulud, has now claimed GitHub, OpenAI, and Mistral AI as confirmed victims, with developer credentials and internal source code the primary targets across all three.
Attack Timeline and Initial Breach
The attack began on May 11, 2026, when TeamPCP compromised TanStack’s entire router ecosystem, spreading a worm-like payload across 170 npm packages and two PyPI packages in a single coordinated campaign. CVE-2026-45321 carries a CVSS score of 9.6. From there, the compromise reached an Nx Console developer’s device, which TeamPCP used to push a malicious build of Nx Console 18.95.0 to the Visual Studio Marketplace.
Extension Takedown and Credential Theft
The trojanized extension was live for exactly 18 minutes, between 12:30 pm and 12:48 pm UTC on May 18, 2026. That window was enough. The extension ran silently on startup, executing a shell command disguised as a routine MCP setup task that downloaded a hidden package from a planted commit on the official Nx GitHub repository. The credential stealer it deployed targeted 1Password vaults, Anthropic Claude code configurations, npm tokens, GitHub tokens, and AWS credentials on any developer machine that installed it during the window.
Victim Impacts and Responses
A GitHub employee installed the extension. TeamPCP used the harvested credentials to move through CI/CD pipelines and exfiltrate approximately 3,800 internal repositories. GitHub CISO Alexis Wales confirmed the company has “no evidence of impact to customer information stored outside of GitHub’s internal repositories,” though Wales acknowledged that some internal repos contain excerpts of customer support interactions and committed to notifying customers if any impact is discovered.
OpenAI and Mistral AI Findings
OpenAI confirmed two employee devices were compromised, with limited credential material exfiltrated from a subset of internal source code repositories. The company engaged a third-party digital forensics and incident response firm and is revoking its macOS app signing certificate in full on June 12, 2026. Mistral AI confirmed its npm and PyPI SDKs were trojaned as part of the same campaign, with TeamPCP advertising Mistral AI code repositories for sale on a cybercrime forum.
Common Theme and Expert Insight
The common factor among all victims is developer tooling. The attack never needed to breach a perimeter. It entered through packages and extensions that developers routinely install, then harvested the credentials those developers use to access everything else. OpenAI framed the implication directly: “This incident reflects a broader shift in the threat landscape — attackers are increasingly targeting shared software dependencies and development tooling rather than any single company.”
Broader Context and Ongoing Coverage
The breach lands as Microsoft is simultaneously dealing with its own unpatched vulnerability.
