An 18-Minute Window: Poisoned Nx Console Extension Breaches 3,800 GitHub Internal Repos

On May 18, 2026, between 12:30 and 12:48 UTC, an attacker group tracked as TeamPCP published a malicious build of the Nx Console extension to the Visual Studio Marketplace. The package was nrwl.angular-console version 18.95.0, and it was live for roughly 18 minutes before takedown. That short window was enough to reach approximately 6,000 developers, because VS Code installs extension updates silently in the background. No click, no prompt, no review (StepSecurity, BleepingComputer).

The compromised extension behaved normally on the surface. On startup it quietly fetched and executed an obfuscated credential stealer hosted in a hidden commit inside the official nrwl/nx GitHub repository. Pulling the payload from the legitimate vendor repo is what made it slippery: the traffic looked like ordinary developer tooling reaching a trusted source. The stealer swept the host for GitHub tokens, npm tokens, AWS credentials, 1Password vault contents, AI coding assistant configuration files, and SSH keys, then exfiltrated them over HTTPS, the GitHub API, and DNS tunneling.

One of the infected machines belonged to a GitHub employee. With that foothold, TeamPCP reached roughly 3,800 GitHub internal source code repositories. OpenAI and Grafana Labs have also confirmed impact, and the stolen repository data was later listed for sale on a criminal forum. The flaw carries the identifier CVE-2026-48027. Investigators reported that the developer credentials used to publish the poisoned build were harvested in an earlier npm supply chain compromise, the Mini Shai-Hulud campaign that hit TanStack packages, a reminder that one stolen token becomes the entry point for the next breach (The Hacker News, Aikido).

Why this class of risk slips past your program

Developer tooling is a trust boundary that most vulnerability programs never scan. Your SBOM covers application dependencies. Your scanner covers hosts and images. Neither one inventories the extensions running inside every engineer's editor, and those extensions execute with the full privileges of the developer, including read access to every secret on the machine.

Three things made this incident hard to catch:

• Silent updates. VS Code applies extension updates in the background by default, so the malicious build landed without any human in the loop.
• Trusted hosting. The payload lived in a hidden commit inside the real vendor repository, so egress filtering and reputation checks saw a legitimate destination.
• Speed. An 18-minute lifespan beats manual marketplace review and most detection cadences. By the time a human looked, the extension was gone and the tokens were already moving.

The blast radius is the real story. A single developer laptop is a key ring. GitHub, npm, AWS, and password manager sessions all sit within reach of code that runs at editor startup. Once those tokens leave the building, the incident stops being about one extension and becomes a credential incident across every system those tokens touch. That cascade is exactly why one compromised GitHub employee device turned into thousands of exposed internal repositories.

Prioritizing with TRIS

Raw CVSS struggles with an event like this. A marketplace extension compromise does not map cleanly to a single product version score, and waiting for a tidy number wastes the hours that matter most. CVEasy AI scores it with TRIS, our multi-layer Threat and Risk Intelligence Scoring, which weighs the three signals that actually decide urgency:

• Active exploitation. This was live, in the wild, and confirmed by multiple vendors, so it ranks at the top regardless of any CVSS base value.
• Blast radius. Credential theft from a developer endpoint propagates outward to source control, package registries, and cloud accounts, so TRIS treats it as high impact rather than a single host issue.
• Real exposure. TRIS narrows the alert to the assets that actually ran nrwl.angular-console v18.95.0 with auto-update enabled during the May 18 window, instead of flooding every team with a generic advisory.

The result is a ranked, defensible answer to the only question that matters in the first hour: who here is exposed, and what do they rotate first.

Remediation steps

1. Confirm the Nx Console extension is on version 18.100.0 or later, and update immediately if it is not.
2. Rotate GitHub personal access tokens, npm tokens, and AWS credentials for any developer who had VS Code running on May 18, 2026.
3. Audit 1Password vault access logs for unexpected activity around that date.
4. Review GitHub organization audit logs for unexpected repository clones, forks, or API calls.
5. Inspect VS Code extension settings and any MCP server or assistant configuration files for unauthorized modifications.
6. Treat every secret reachable from an affected machine as compromised until it has been rotated.

How CVEasy AI surfaces this

When a supply chain event like this breaks, CVEasy AI ingests the indicators and the CVE the moment they land, then ranks the exposure with TRIS against your actual inventory, all on your own hardware. As the number one local-first CTEM platform, CVEasy AI never ships your asset data, your token inventory, or your incident details to a third party, which matters even more when the incident in question is credential theft from developer machines. The platform answers the practitioner question first: of everything disclosed today, which of my assets are genuinely exposed, and in what order do I fix them. For a confirmed, in the wild credential stealer with this blast radius, that order is clear, and CVEasy AI puts it at the top of the queue with the rotation checklist attached.

References

• The Hacker News: GitHub internal repositories breached via malicious VS Code extension
• BleepingComputer: GitHub confirms breach of 3,800 repos via malicious VS Code extension
• StepSecurity: Nx Console VS Code extension compromised
• Aikido: GitHub breached via VS Code extension
• The Hacker News: Compromised Nx Console 18.95.0 targeted developers