Eighteen minutes. That’s how long a poisoned version of Nx Console — one of the most popular VS Code extensions for monorepo development — sat on the Visual Studio Marketplace before Microsoft yanked it. Eighteen minutes, between 12:30 p.m. and 12:48 p.m. UTC on May 18, 2026. And in that window, a cybercrime group called TeamPCP compromised a GitHub employee’s machine, harvested credentials through DNS tunneling, and exfiltrated approximately 3,800 internal GitHub repositories.
Not public repos. Not forks. GitHub’s own internal codebase. The code that runs the platform 100 million developers depend on every day.
Then they tried to sell it for $95,000.
The Attack Chain Is More Terrifying Than the Breach Itself
Here’s what makes this breach different from the usual “company got hacked” headline: the attackers didn’t target GitHub directly. They didn’t need to. They exploited the trust chain that every modern developer workflow is built on.
It started with TanStack, a widely used open-source library ecosystem. TeamPCP — also tracked as UNC6780 — compromised TanStack’s supply chain first. That breach gave them access to credentials belonging to an Nx developer whose system was connected to TanStack’s infrastructure. With those stolen credentials, they pushed a malicious orphan commit to the official nrwl/nx GitHub repository and published version 18.95.0 of Nx Console to the VS Code Marketplace.
The payload was a 498 KB obfuscated credential stealer hidden inside what looked like a routine extension update. Within seconds of a developer opening any workspace, it silently fetched and executed the payload, harvesting secrets and exfiltrating them via three channels simultaneously: HTTPS, the GitHub API, and DNS tunneling. It was, in the words of one security researcher, a “multi-stage credential stealer and supply chain poisoning tool” — designed not just to steal, but to spread.
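One defensive check prompted by the exfiltration channels above, written here as an added example and not code from the original article or from any vendor named in it: a heuristic detector that runs over a constructed DNS query log and flags base domains receiving many distinct, long, high-entropy subdomains, the shape DNS tunneling leaves behind. The log lines, the client IP, the placeholder domain and the thresholds are all assumptions; tune the thresholds against your own resolver logs.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (not data from the incident): "<client_ip> <qname>" per line.
# The base domain and the hex-looking labels are placeholders, not real indicators.
SAMPLE_LOG = """\
10.0.0.5 api.github.com
10.0.0.5 marketplace.visualstudio.com
10.0.0.5 update.code.visualstudio.com
10.0.0.5 registry.npmjs.org
10.0.0.5 3f9a1c7e0b5d2846e7a2d09c4f6b153891b0c4e3a7f5d862.exfil-placeholder.example
10.0.0.5 e7a2d09c4f6b153891b0c4e3a7f5d862d5e8f03a6c2b7419.exfil-placeholder.example
10.0.0.5 91b0c4e3a7f5d862d5e8f03a6c2b74193f9a1c7e0b5d2846.exfil-placeholder.example
10.0.0.5 d5e8f03a6c2b74193f9a1c7e0b5d2846e7a2d09c4f6b1538.exfil-placeholder.example
10.0.0.5 3f9a1c7e0b5d284691b0c4e3a7f5d862e7a2d09c4f6b1538.exfil-placeholder.example
"""

def shannon_entropy(s: str) -> float:
    """Bits per character: random hex approaches 4.0, ordinary hostnames sit well below 3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_qname(qname: str):
    """(base_domain, subdomain), treating the last two labels as the base. A real
    detector should use the public suffix list instead of this shortcut."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def flag_tunneling(log_text: str, min_distinct=5, min_len=30.0, min_entropy=3.0):
    """Flag base domains that receive many distinct, long, high-entropy subdomains,
    the shape that data chunked into query names produces. Returns {base: stats}."""
    subs = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            base, sub = split_qname(parts[1])
            if sub:
                subs[base].add(sub)
    flagged = {}
    for base, names in subs.items():
        mean_len = sum(map(len, names)) / len(names)
        mean_ent = sum(map(shannon_entropy, names)) / len(names)
        if len(names) >= min_distinct and mean_len >= min_len and mean_ent >= min_entropy:
            flagged[base] = {"queries": len(names), "mean_len": mean_len, "mean_entropy": round(mean_ent, 2)}
    return flagged
```

Ordinary CDN and marketplace lookups stay below the distinct-subdomain threshold, so only the placeholder domain is reported; on real traffic, pair the heuristic with an allowlist for legitimate high-cardinality services.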
GitHub Wasn’t the Only Victim — OpenAI and Mistral AI Got Hit Too
The TanStack compromise that enabled this attack had a blast radius far beyond GitHub. OpenAI, Mistral AI, and Grafana Labs were all impacted by the same upstream supply chain breach. The specifics of what was accessed at each company haven’t been fully disclosed, but the pattern is clear: TeamPCP isn’t going after one target. They’re going after the infrastructure that every AI and developer tooling company depends on.
This is the group’s signature move. Before this, TeamPCP had already compromised Aqua’s Trivy security scanner, Checkmarx’s KICS, the LiteLLM library, and the Telnyx SDK. They specialize in poisoning the open-source security utilities and AI middleware that companies install without a second thought. They don’t break down the front door — they become part of the furniture.
The $95,000 Fire Sale That Tells You Everything
After the breach, TeamPCP initially demanded “at least $50,000” for the stolen data. When that apparently didn’t produce results, they partnered with the Lapsus$ threat group — the same crew that previously breached Nvidia, Samsung, Microsoft, and Uber — to sell the entire haul for $95,000.
Ninety-five thousand dollars for 3,800 internal repositories from the platform that hosts the world’s code.
That price should alarm you. Not because it’s high — because it’s absurdly low. It suggests one of two things: either the attackers are still relatively unsophisticated in their monetization (despite being deeply sophisticated in their attack craft), or the data has already been copied to buyers who paid a premium before the public listing. Neither possibility is comforting.
Every Developer’s Machine Is Now an Attack Surface
The uncomfortable truth this breach exposes is that the VS Code extension marketplace has become one of the largest unguarded attack surfaces in software. There are over 60,000 extensions on the marketplace. Most developers install a dozen or more without reviewing the source code. Auto-updates mean a trusted extension can become a weapon between one commit and the next.
Microsoft’s vetting process caught this particular compromise in 18 minutes — which sounds fast until you consider that thousands of developers installed the update in that window. And the payload was designed to execute instantly, before anyone could notice anything wrong.
GitHub’s response was textbook: they removed the malicious extension version, isolated the compromised endpoint, and began incident response immediately. Their assessment is that the exfiltration was limited to GitHub-internal repositories and didn’t affect customer data or the platform’s integrity. But the precedent is set. If GitHub — Microsoft’s own subsidiary, presumably running best-in-class security — can be breached through a VS Code extension, every company whose developers use VS Code is exposed to the same attack vector.
The Supply Chain Problem Nobody Wants to Fix
This is the third major supply chain attack in 2026 alone, following the XZ Utils backdoor aftermath and the PyPI typosquatting campaigns that targeted AI/ML packages in February. The pattern is always the same: attackers find a single point of trust in the open-source ecosystem, poison it, and watch the compromise cascade downstream through dependency chains that nobody fully maps.
The industry’s response has been predictably inadequate. Software Bills of Materials (SBOMs) are still optional for most organizations. Extension marketplaces still rely primarily on community reporting rather than proactive security scanning. And the open-source maintainers whose code forms the foundation of trillion-dollar companies are still, in many cases, unpaid volunteers working from personal laptops with no security budget.
TeamPCP didn’t discover a new vulnerability. They exploited the oldest one in software: the gap between how much we trust our tools and how little we verify them.
The Verdict
Eighteen minutes. 3,800 repositories. A $95,000 asking price. And a cascading supply chain compromise that also hit OpenAI, Mistral AI, and Grafana Labs. The GitHub breach isn’t just a cybersecurity incident — it’s a proof of concept that the entire developer toolchain is one compromised maintainer away from a catastrophic failure. The question isn’t whether this attack vector will be used again. It’s whether anyone will fix the trust model before it is.