Executive Summary
On May 18, 2026, a highly critical supply chain attack targeted the Nx Console VS Code extension, leading to a major security breach that resulted in the exfiltration of approximately 3,800 internal GitHub repositories GitHub Security Advisory opens in a new tab. The threat actor group TeamPCP (also tracked as UNC6780) leveraged a GitHub CLI OAuth token stolen seven days earlier (via the TanStack supply-chain compromise) from an Nx contributor StepSecurity opens in a new tab. By exploiting this developer's push credentials, the attackers bypassed registry guardrails to publish a malicious version of the extension (v18.95.0) to the Visual Studio Marketplace and the Open VSX registry Nx Advisory opens in a new tab. The extension remained active for 18 minutes on the VS Code Marketplace and 36 minutes on Open VSX. When installed and loaded inside a workspace, the extension executed an obfuscated Python backdoor (cat.py) that harvested developer credentials and established persistent access, compromising developer machines globally—including a critical endpoint owned by a GitHub employee Infosecurity Magazine opens in a new tab.