TeamPCP Supply Chain Attack: Poisoned VS Code Extension Active 18 Minutes, GitHub Loses 3,800 Repos
TL;DR
A malicious Nx Console VS Code extension stayed live for just 18 minutes, yet TeamPCP managed to steal 3,800 GitHub internal repos, compromise two OpenAI employee devices, and put Mistral's source code up for sale on dark web forums.
A malicious update to the Nx Console VS Code extension appeared on the Visual Studio Marketplace at 12:30 pm UTC on May 18, 2026. Version 18.95.0 carried credential-harvesting code planted by TeamPCP, a threat actor group tracked by Mandiant as UNC6780. The extension stayed live for exactly 18 minutes.
By 12:48 pm, a GitHub engineer had installed it. Days later, GitHub confirmed approximately 3,800 internal repositories had been exfiltrated. OpenAI disclosed two employee devices were compromised, with limited credentials and source code access stolen. Mistral AI’s npm and PyPI SDKs were trojanized, and TeamPCP began advertising Mistral source code for sale on cybercrime forums.
The campaign goes by the name Mini Shai-Hulud.
The Attack Chain Started in npm
The timeline goes back to May 11. TeamPCP first infiltrated the TanStack router package ecosystem, coordinating a campaign that infected 170+ npm packages and two PyPI packages with a self-replicating worm payload.
Mini Shai-Hulud steals developer CI/CD credentials and uses them to publish new infected package versions, spreading further down the dependency graph. Once inside a CI/CD pipeline, propagation requires no further human interaction.
Nx Console was one link in that chain. The tool has 2.2 million installations, concentrated in engineering teams running Nx monorepo architectures. One employee updating to 18.95.0 on a company machine was sufficient for TeamPCP to establish a foothold.
Why VS Code Extensions Are a Genuine Attack Surface
Security researcher Charlie Eriksen put it plainly: VS Code extensions have full access to everything on the developer’s machine, including credentials, cloud keys, and SSH keys. There is no sandboxing model comparable to what a browser extension operates under.
The malicious Nx Console version silently executed a shell command, disguised as a routine MCP setup task, at extension startup, downloading a payload from a compromised GitHub repository. The credential harvester specifically targeted 1Password vaults, Anthropic Claude configuration files, npm tokens, GitHub tokens, and AWS credentials.
Three Victims, Three Outcomes
GitHub: Approximately 3,800 internal repositories exfiltrated. GitHub confirmed no customer data outside its own internal repositories was accessed. Still, internal tooling, CI/CD scripts, and service configuration code in the wrong hands carries meaningful value for anyone planning a broader attack on the developer ecosystem.
OpenAI: Two employee devices compromised; a limited amount of credential material from a subset of internal source code repositories was extracted. OpenAI’s response includes revoking its macOS application code-signing certificate on June 12, requiring all users to reinstall from a fresh signed build.
Mistral AI: npm and PyPI SDKs trojanized. TeamPCP is actively advertising Mistral source code repositories for sale on a cybercrime forum. Of the three affected organizations, Mistral faces the most immediate and measurable exposure.
Target Selection Was Deliberate
Nx Console’s 2.2 million installs made it a wide attack surface, but the distribution of those installs matters more than the raw count. Nx is disproportionately used by engineers managing large-scale, multi-service codebases at organizations with significant infrastructure access. High access permissions and high-value credentials make this demographic a precise target, not just a large one.
Context: AI Companies as Infrastructure Targets
Last week, Anthropic published Project Glasswing month-one results: Claude Mythos Preview autonomously found 10,000+ critical vulnerabilities across 1,000 open-source projects. That was AI applied to defense.
The TeamPCP campaign illustrates the other direction. AI company development environments have become high-value targets for supply chain attackers. Source code and API credentials from labs like OpenAI or Mistral carry outsized leverage for downstream attacks across the developer ecosystem.
For enterprise security teams, VS Code extension governance deserves the same formal treatment as third-party dependency management. The Marketplace’s review controls are not designed for a threat actor as patient and coordinated as TeamPCP.
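One concrete form of that governance is a fleet audit that treats extensions like pinned dependencies: anything not on the allowlist, or at a version nobody has reviewed, is flagged, and an unreviewed version that was published only minutes ago (the 18-minute window above) is flagged more loudly. This is an added example, not code from the article or from any vendor; the extension ids and the inventory records are constructed, and the inventory format assumes an endpoint agent that reports id, version and publish timestamp per host.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed policy (hypothetical extension ids): id -> reviewed versions.
ALLOWLIST = {
    "example.nx-console": {"18.94.0"},
    "example.python": {"2026.4.0", "2026.5.0"},
}
# A newly published version waits this long before anyone may install it.
COOLDOWN = timedelta(hours=72)

# Constructed fleet inventory, as an endpoint agent might report it.
INVENTORY = json.loads("""[
 {"host": "dev-01", "id": "example.nx-console", "version": "18.94.0",
  "published": "2026-04-30T09:00:00Z"},
 {"host": "dev-02", "id": "example.nx-console", "version": "18.95.0",
  "published": "2026-05-18T12:30:00Z"},
 {"host": "dev-02", "id": "example.theme-pack", "version": "1.0.3",
  "published": "2025-11-02T08:00:00Z"}
]""")


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def audit(inventory, allowlist=ALLOWLIST, now=None, cooldown=COOLDOWN):
    """Return (host, id, version, finding) for each policy violation.

    `now` is an ISO timestamp string (for reproducible runs) or None for
    the current time.
    """
    now = parse_ts(now) if now else datetime.now(timezone.utc)
    findings = []
    for ext in inventory:
        approved = allowlist.get(ext["id"])
        if approved is None:
            findings.append((ext["host"], ext["id"], ext["version"], "not-on-allowlist"))
        elif ext["version"] not in approved:
            # Unreviewed version: note whether it is still inside the cooldown.
            age = now - parse_ts(ext["published"])
            kind = "unreviewed-version-in-cooldown" if age < cooldown else "unreviewed-version"
            findings.append((ext["host"], ext["id"], ext["version"], kind))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY, now="2026-05-18T13:00:00Z"):
        print(*finding)
```

Run against a real inventory feed, the "in-cooldown" findings are the ones worth paging on, since they are the installs a review window would have blocked.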