Protect.Computer

GitHub Internal Repos Breached via Malicious VS Code Extension


A sophisticated supply chain attack led to the breach of roughly 3,800 internal GitHub repositories after one of the company’s employees was tricked into installing a malicious VS Code extension. The attackers, a group called TeamPCP, published a fake version of the popular “Nx Console” extension to the Visual Studio Marketplace. The trojan was live for just 18 minutes on May 18, 2026, but that was enough: when the GitHub employee launched VS Code, the extension silently ran a hidden command that downloaded credential-stealing malware capable of raiding saved passwords in 1Password vaults, as well as GitHub tokens, npm credentials, and AWS access keys.

GitHub has since confirmed the breach, rotated its critical secrets, and said it is monitoring for any follow-on activity. The stolen repositories reportedly include internal source code and private projects. TeamPCP has listed the data for sale online, claiming access to roughly 4,000 repositories.

How to check if you’re affected

The affected product is the VS Code Nx Console extension (nrwl.angular-console), if it was installed or updated on May 18, 2026 between 12:30 and 12:48 UTC. If you are a developer who updated VS Code extensions during that window, open VS Code, go to Extensions, search for “Nx Console,” and check its version history.

If you were affected, or even if you aren’t sure, immediately rotate any credentials stored in 1Password, GitHub personal access tokens, npm auth tokens, and AWS keys. Most password managers allow you to see when entries were last accessed.
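The same check can be scripted. The following is an added example, not code from GitHub, Nx, or the original article: it looks for nrwl.angular-console installs dated inside the 12:30 to 12:48 UTC window, comparing in UTC so local time zones do not skew the result. It assumes the default per-user extensions folder (~/.vscode/extensions) and an extensions.json manifest with a metadata.installedTimestamp field in milliseconds; the function names are hypothetical.

```python
import json
from datetime import datetime, timezone
from pathlib import Path

EXT_ID = "nrwl.angular-console"  # extension ID named in the article
WINDOW = (datetime(2026, 5, 18, 12, 30, tzinfo=timezone.utc),
          datetime(2026, 5, 18, 12, 48, tzinfo=timezone.utc))

def in_window(epoch_seconds):
    """True if a Unix timestamp falls inside the exposure window (UTC)."""
    ts = datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)
    return WINDOW[0] <= ts <= WINDOW[1]

def find_suspect_installs(ext_root):
    """Return sorted (version, evidence) pairs for installs inside the window."""
    ext_root = Path(ext_root)
    hits = set()
    # Evidence 1: mtime of each <publisher>.<name>-<version> folder.
    for folder in ext_root.glob(EXT_ID + "-*"):
        if folder.is_dir() and in_window(folder.stat().st_mtime):
            hits.add((folder.name[len(EXT_ID) + 1:], "folder-mtime"))
    # Evidence 2 (assumed layout): extensions.json entries carrying
    # metadata.installedTimestamp in milliseconds since the epoch.
    try:
        entries = json.loads((ext_root / "extensions.json").read_text("utf-8"))
    except (OSError, ValueError):
        entries = []  # manifest missing or unreadable: rely on folder mtime
    for entry in entries if isinstance(entries, list) else []:
        if not isinstance(entry, dict):
            continue
        ident = str((entry.get("identifier") or {}).get("id", ""))
        stamp = (entry.get("metadata") or {}).get("installedTimestamp")
        if (ident.lower() == EXT_ID and isinstance(stamp, (int, float))
                and in_window(stamp / 1000)):
            hits.add((str(entry.get("version")), "installedTimestamp"))
    return sorted(hits)

if __name__ == "__main__":
    root = Path.home() / ".vscode" / "extensions"  # assumed default location
    found = find_suspect_installs(root) if root.is_dir() else []
    for version, evidence in found:
        print(f"{EXT_ID} {version}: installed in window ({evidence})")
    if not found:
        print("No install of", EXT_ID, "dated inside the window under", root)
```

A clean result is not proof of safety, because a later update may have replaced the folder or rewritten the manifest entry; still review the extension's version history as described above.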
