Nomad Security

.

Latest

Engagements

Briefings

Threat Watch

Contact

nomadsec.io →

Your IDE is in the supply chain now: the GitHub 3,800 Repo Exfiltration Dissected

By Nomad Security

·

Dim laptop with IDE on screen with ethereal code floating from the screen into a dark-lit, modern home office

On May 20, 2026, GitHub confirmed that an attacker exfiltrated roughly 3,800 internal source repositories after compromising an employee endpoint. GitHub stated the activity involved GitHub-internal repositories only and that customer data was not impacted. The company attributed the intrusion to a poisoned Visual Studio Code extension on that employee’s machine. GitHub has not publicly named which extension.

This article separates what vendors and researchers have confirmed from what the security community has inferred by connecting parallel incidents. Where we walk through a full attack chain, we label it as a reconstruction. The goal is a credible technical picture you can use for detection engineering and policy decisions, not a breathless headline.

What is confirmed vs what is inferred

Evidence confidence tiers for GitHub and Nx Console incident claims
Figure 1. How we label claims: confirmed vendor artifacts, reported journalism, analyst campaign synthesis, and defender inference.

Confirmed (primary sources):

  • GitHub detected unauthorized access tied to an employee device and a malicious VS Code extension; GitHub disclosed exfiltration on the order of ~3,800 internal repositories (May 19-20, 2026).
  • On May 18, 2026, a malicious nrwl.angular-console (Nx Console) version 18.95.0 was published to the VS Code Marketplace, remained available for roughly 11 minutes, and was removed by the Nx team. Nx’s advisory and independent analysis (StepSecurity) document an obfuscated payload (~498 KB) fetched from a dangling orphan commit in the nrwl/nx repository when a workspace activates the extension.
  • Nx states the compromise occurred because a contributor’s GitHub token was scraped during a separate, earlier supply chain incident. Nx has not publicly identified which prior incident produced that token.
  • The malicious extension harvests developer credentials (GitHub, npm, cloud providers, password managers, Kubernetes, and others) per StepSecurity’s artifact analysis and nrwl/nx-console#3140.

Reported (journalism and threat actor claims; not all independently verified by GitHub):

  • The criminal group TeamPCP claimed responsibility for the GitHub repository theft and offered data for sale. Treat pricing and forum claims as intelligence leads, not as GitHub’s official attribution narrative.
  • Multiple outlets reported GitHub’s scope and remediation (secret rotation, investigation). Wording varies; anchor decisions to GitHub’s own statements when available.

Analyst synthesis (reputable IR research, campaign-level):

  • Vendors including Unit 42 and Wiz have published detailed timelines tying TeamPCP to earlier 2026 supply chain compromises (for example Aqua Security’s Trivy GitHub Action tags, Checkmarx-related actions, LiteLLM on PyPI, and npm-side CanisterWorm activity). These reports support a campaign story. They do not, by themselves, prove that the same malware lineage executed on GitHub’s employee laptop.
  • Google Threat Intelligence Group tracks related activity as UNC6780; Trend Micro uses SHADOW-WATER-058. Use those names when citing those vendors.

Inference (logical reconstruction for defenders):

  • If the GitHub employee had Nx Console 18.95.0 installed during the exposure window, the documented stealer behavior plausibly explains how GitHub-scoped credentials left the endpoint and how an outsider could clone repositories the employee could read. GitHub has not confirmed that linkage.
  • Bulk git clone from a new egress IP would appear in audit logs as legitimate token use with an anomalous source. That is a detection hypothesis, not a published GitHub forensic detail.

What GitHub said happened

GitHub’s public disclosure (May 2026) established the boundary of the incident: internal repository content was exfiltrated; customer repositories and customer data were outside the stated impact. The access path was an employee machine running a trojanized VS Code extension, not a compromise of GitHub’s production control plane described in the reporting we rely on here.

That framing matters for defenders. A platform breach and a developer-trust-surface breach require different controls. Here, the latter is what the evidence supports: whoever operated the malware inherited the employee’s identity surface (tokens, SSH keys, browser and keychain material the extension could touch).

TeamPCP’s claim adds criminal context but is not required to accept the technical model. Even without accepting a specific group’s branding, the mechanism (IDE extension with full user privileges) is consistent with GitHub’s description.

The Nx Console incident (documented, May 18, 2026)

The strongest public technical case for which extension might have been involved is the Nx Console compromise, documented independently of GitHub’s naming decision.

Package facts (confirmed)

  • Extension ID: nrwl.angular-console
  • Malicious version: 18.95.0
  • Distribution: VS Code Marketplace (OpenVSX was not affected per StepSecurity)
  • Install base: 2.2M+ historical installs (marketplace scale; not all received 18.95.0)
  • Exposure window: ~11 minutes on the marketplace (Nx team removal at 12:47 UTC after publish at 12:36 UTC, per StepSecurity’s timeline)

How publish rights were obtained (confirmed per Nx + StepSecurity)

Nx Console v18.95.0 publish chain on May 18 2026 UTC
Figure 2. Confirmed Nx Console compromise path: stolen token, orphan commit 558b09d7, and an 11-minute marketplace window.

Nx’s advisory (GHSA-c9j4-9m59-847w) states the incident followed scraping of a contributor’s GitHub token during a recent supply chain attack. Maintainer comments in #3139 acknowledge a team member was affected by a prior supply chain incident.

StepSecurity’s reconstruction (May 18, 2026) adds technical detail with repository artifacts:

  1. Stolen token with push access to nrwl/nx and access to marketplace publishing credentials (VSCE_PAT).
  2. Orphan commit 558b09d7 pushed at 03:18 UTC on May 18: zero parents, not reachable from any branch, fetchable only if you know the SHA. The commit message attempted social engineering (“Don’t delete this commit before 24 hours or wiper activates”). The commit tree replaced the monorepo with a minimal package pulling bun to host a Bun-based payload.
  3. Marketplace publish of v18.95.0 at 12:36 UTC using stolen VSCE_PAT, with malicious code injected into minified main.js.

Important nuance: StepSecurity explicitly notes the specific prior attack that scraped the contributor token has not been publicly identified. Articles that state “Trivy caused the GitHub breach” as a single causal sentence overstate the evidence. Trivy-KICS-LiteLLM sequences appear in parallel TeamPCP campaign reporting (Wiz, Unit 42). Nx confirms a prior incident, not which one.

What the payload did on the endpoint (confirmed per StepSecurity / #3140)

Nx Console malicious payload stages on the developer endpoint
Figure 3. Confirmed on-endpoint behavior documented by StepSecurity and community analysis.

On workspace activation, the extension triggered fetch and execution of the obfuscated payload (StepSecurity documents stages including anti-analysis gates, daemonization, credential harvesting, multi-channel exfiltration, Sigstore-related forgery capabilities, and macOS persistence). Documented harvest categories include:

  • GitHub: gh CLI config, git credentials, environment tokens, VS Code-stored auth
  • Package registries: npm tokens
  • Cloud: AWS, Azure, GCP credential stores
  • Clusters: kubeconfig and service account material
  • Secrets managers: HashiCorp Vault, 1Password, Bitwarden (attempted)
  • SSH keys and agent access
  • AI tooling: Claude Code configuration under ~/.claude/settings.json (noted by StepSecurity as a notable target class)

Exfiltration channels described in open analysis include HTTPS, use of stolen GitHub API access, and DNS tunneling. Filesystem indicators published in community and vendor IOC lists include paths such as ~/.local/share/pgmon/service.py and user systemd units masquerading as database monitoring services. Treat host IOCs as version-dependent; validate against the hash list in StepSecurity’s post and the community repository ugurrates/teampcp-supply-chain-attack.

TeamPCP in context (campaign facts with citations)

TeamPCP (also referenced as PCPcat, ShellForce, CipherForce, and associated with CanisterWorm tooling) emerged in public reporting in late 2025 and accelerated through early 2026. Independent vendors have tied the cluster to multiple supply chain events. The table below summarizes reported milestones. Dates and scope follow vendor publications; they are not GitHub’s incident timeline.

Reported TeamPCP supply chain campaign timeline
Figure 5. Reported TeamPCP campaign milestones (Unit 42, Wiz, vendors) — parallel context, not GitHub’s timeline.

Capabilities attributed to the broader campaign in vendor research include credential theft at scale, supply chain republishing, and (in some samples) destructive wiper behavior gated on locale. CanisterWorm-related reporting describes Internet Computer Protocol (ICP) canisters used for command and control in some samples. That is relevant to campaign detection (blocking ICP egress on developer workstations) even before you accept every sample as identical to the Nx payload.

Nomad Security treats TeamPCP as a serious supply-chain and developer-endpoint threat. We do not claim independent confirmation of every underground statistic (for example aggregate “500,000 credentials” figures circulating in summaries). Use those numbers only with vendor attribution and confidence labels.

Reconstructed chain: from workspace open to repository exfiltration (inference)

The following sequence is a plausible reconstruction for security architecture and detection discussions. It is consistent with GitHub’s description (employee device, malicious extension) and with published Nx payload behavior. GitHub has not published step-by-step forensics matching each bullet.

  1. Trigger: Developer opens a VS Code workspace. Extensions configured for activation on startup or workspace open run without an additional click.
  2. Loader: If nrwl.angular-console 18.95.0 is present, it pulls and executes the payload associated with orphan commit 558b09d7 (documented by StepSecurity).
  3. Collection: The stealer reads OS-accessible secret material, including GitHub session artifacts and SSH keys (documented harvest classes).
  4. Operator use: An attacker uses stolen GitHub credentials from their own infrastructure. Reporting on criminal claims sometimes mentions VPN or VPS egress; treat specific providers as intelligence unless your IR vendor publishes them with evidence tied to GitHub’s case.
  5. Enumeration: Valid tokens allow API calls to list organizations and repositories visible to the compromised identity.
  6. Exfiltration: Bulk clone or archive of repositories the identity can read. GitHub’s ~3,800 figure is the disclosed scale.
  7. Aftermath: Data appears in criminal marketing channels; GitHub rotates secrets and investigates.
Reconstructed exfiltration chain from VS Code to repository theft
Figure 4. Plausible reconstruction if Nx 18.95.0 was on the affected machine — not GitHub step-by-step forensics.

Why this pattern is plausible even when GitHub stays vague: Long-lived personal access tokens and cached gh sessions survive on disk. Many enterprises do not require step-up authentication or device-bound session enforcement for Git operations. A high-privilege engineering account is a high-privilege backup system for an attacker.

Why the VS Code extension model is the real vulnerability class

Whether or not Nx Console was the extension on GitHub’s laptop, the architectural issue is general:

  • No capability manifest: Extensions are not sandboxed like browser tabs with per-site permissions. They operate as the user.
  • Activation is automatic: Opening a repository can execute dozens of extensions.
  • Marketplace trust is identity, not behavior: Verified publisher status answers “who published,” not “what will this version do.”
  • Silent updates: Auto-update can replace a trusted version quickly (Nx’s malicious window was short; the mechanism still matters).
  • Secret accumulation: Modern engineering laptops aggregate cloud, registry, cluster, and AI assistant credentials in places the IDE can reach.

That is why Nomad Security argues engineering endpoints should be treated as Tier-0 assets, comparable to jump hosts and CI runners with secret access.

Detection engineering (evidence-based hunts)

Prioritize hunts tied to confirmed artifacts first, then campaign IOCs.

Endpoint (Linux/macOS)

StepSecurity and community IOC repositories publish paths and hashes. Example hunt patterns (adjust for your EDR):

# Illustrative patterns from public IOC writeups; validate hashes in source posts
find / \( -name pgmon.service -o -path '*/pgmon/*' -o -name rope.pyz \) 2>/dev/null
systemctl --user list-units 2>/dev/null | grep -E 'pgmon|sysmon'
ls -lt ~/.vscode/extensions/ | head -20

Extension inventory

Compare installed extension IDs and versions against known malicious releases (nrwl.angular-console@18.95.0 is the confirmed malicious Nx build). Enterprise allowlists via policy (extensions.allowed) are the structural fix.

GitHub audit logs (hypothesis for exfiltration phase)

If the reconstruction holds, look for:

  • High-volume git.clone / repo download patterns from a single identity
  • New OAuth app or PAT creation shortly after workstation compromise indicators
  • Geographic or ASN anomalies relative to the user’s baseline (requires baseline first)

Network

Campaign IOC domains and ICP-related indicators appear in vendor and community lists (for example domains reported in Checkmarx and LiteLLM incident writeups, and *.ic0.app / *.icp0.io in CanisterWorm reporting). Block and alert based on your threat intel feeds; do not treat this article as a live IOC feed.

What we’d do this week

  1. Inventory VS Code / Cursor / JetBrains extensions on every engineering endpoint. Flag nrwl.angular-console 18.95.0 immediately; review any install during the May 18, 2026 UTC exposure window.
  2. Rotate credentials reachable from affected machines: GitHub PATs, npm/PyPI tokens, cloud keys, CI secrets, SSH keys. Nx and StepSecurity advise assume compromise if 18.95.0 was present.
  3. Review GitHub audit logs for the past 30 days for bulk internal repo access from unusual egress.
  4. Separate facts from campaign noise in executive briefings: GitHub confirmed internal repo exfiltration via a poisoned extension on an employee device; Nx 18.95.0 is the leading technical candidate; TeamPCP campaign reporting explains why you should harden extension policy now.
  5. Move toward fine-grained, short-lived tokens and device-bound SSO for code platforms so stolen laptop material cannot be replayed from arbitrary IPs.

The editor has been part of the attack surface for years. GitHub’s May 2026 disclosure makes that risk operational for leadership, not theoretical for practitioners.

Primary sources used in this analysis:

Nomad Security

From the editors

Need help applying this to your environment?

Nomad Security helps engineering and security teams find and fix the issues attackers actually exploit. Penetration testing, vCISO advisory, secure code review, and threat research, sized to mid-market budgets.

Talk to us →

View services

Continue reading

More from the blog