Nx Console, GitHub, and the May 18 supply chain breach
A trojanized VS Code extension lived on the marketplace for roughly 11 minutes. GitHub disclosed exfiltration of about 3,800 internal repositories on May 19, 2026.
- vscode
- github
- supply-chain
- extensions
Supply chain risk is not limited to npm lockfiles. On May 18, 2026, a malicious build of the Nx Console VS Code extension (nrwl.angular-console v18.95.0) appeared on the Visual Studio Marketplace. By May 19, GitHub publicly disclosed that the extension compromised an employee device and led to exfiltration of roughly 3,800 GitHub-internal repositories.
Timeline (UTC)
| Date | Event |
|---|---|
| May 18, ~12:36 | Attacker publishes nrwl.angular-console v18.95.0 to VS Marketplace (StepSecurity analysis) |
| May 18, ~12:47 | Nx team removes the extension (~11 minutes later, per Nx maintainer reporting cited by StepSecurity) |
| May 19 | GitHub discloses internal repository exfiltration (StepSecurity May 20 roundup) |
| May 20 | GitHub confirms on X that a poisoned extension compromised an employee endpoint; ~3,800 repos exfiltrated, described as "directionally consistent" with their investigation (OX Security summary) |
The extension has more than 2.2 million historical installs. StepSecurity noted that actual installs of the malicious build may exceed Microsoft's initial count of 28.
How the extension worked
According to StepSecurity's technical write-up:
- The compromised v18.95.0 fetched and executed an obfuscated payload from an orphan commit in the official nrwl/nx GitHub repository
- The payload harvested GitHub tokens, npm credentials, AWS keys, Vault secrets, SSH keys, and AI tool configuration files
- On macOS, researchers documented a persistent Python backdoor using the GitHub Search API as a command channel
Nx maintainers stated in Issue #3139 that a contributor's GitHub token was scraped in a prior supply chain incident, which enabled the rogue publish using stolen VSCE_PAT credentials.
Security researchers attribute the campaign to TeamPCP, the same cluster linked to the May 11 TanStack npm compromise. StepSecurity and others reported that credentials harvested in earlier May waves were reused to push the trojanized extension.
What GitHub said happened
GitHub's public statements (summarized by PrivateDevOps and OX Security) emphasize:
- A GitHub employee updated to the malicious extension during the short marketplace window
- Attackers exfiltrated GitHub-internal repositories only; GitHub stated customer data outside those internal repos was not affected
- Critical secrets were rotated; investigation continued
TeamPCP publicly claimed responsibility and attempted to sell stolen repository data, per vendor reporting.
Why IDE extensions belong in fleet thinking
Most software composition analysis tooling watches npm and PyPI manifests. It does not inventory VS Code extensions installed on developer Macs.
Koban does not scan the VS Code Marketplace today. The lesson for security teams is structural: the developer laptop has install surfaces outside lockfiles. Extensions, MCP configs, and shell startup files are part of the same trust problem as poisoned npm packages.
After this incident, teams should:
- Audit ~/.vscode/extensions and marketplace auto-update settings on enrolled Macs
- Rotate credentials reachable from any machine that may have installed v18.95.0 during the window
- Treat IDE extensions with the same suspicion as dependencies: pin versions, delay auto-update, review publisher changes
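As an added example (not code from the original post, nor from Nx, GitHub, or Koban), the following shell script performs the audit step above on one machine: it inventories the extensions directory, flags the affected nrwl.angular-console 18.95.0 build if present, and checks whether the VS Code user settings turn marketplace auto-update off. It assumes the default layout in which each installed extension lives in a `<publisher>.<name>-<version>` folder containing a `package.json`, and the macOS user settings path `~/Library/Application Support/Code/User/settings.json`. `extensions.autoUpdate` is a real VS Code setting; the function names and the sample data are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: audit a VS Code extensions directory for the affected Nx Console
# build and report whether marketplace auto-update is disabled.
# Assumes the default ~/.vscode/extensions layout (one <publisher>.<name>-<version>/
# folder per extension, each with a package.json carrying "publisher", "name",
# "version"). Not a general JSON parser: it reads flat top-level string fields.

AFFECTED_ID="nrwl.angular-console"   # extension id from the incident
AFFECTED_VERSION="18.95.0"           # trojanized build

# Print the value of a top-level string field ($2) from package.json ($1).
pkg_field() {
  sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Print one "publisher.name version" line per extension found under $1.
list_extensions() {
  local dir="$1" pkg
  for pkg in "$dir"/*/package.json; do
    [ -f "$pkg" ] || continue
    printf '%s.%s %s\n' "$(pkg_field "$pkg" publisher)" "$(pkg_field "$pkg" name)" "$(pkg_field "$pkg" version)"
  done
}

# Exit status 0 (and print the hit) if the affected build is installed under $1, else 1.
find_affected() {
  local hit
  hit="$(list_extensions "$1" | grep -Fx "$AFFECTED_ID $AFFECTED_VERSION" || true)"
  [ -n "$hit" ] && { echo "AFFECTED: $hit"; return 0; }
  return 1
}

# Exit status 0 if settings.json ($1) sets "extensions.autoUpdate": false, else 1.
# VS Code settings files may contain comments (JSONC), so a regex is used instead of jq.
auto_update_disabled() {
  [ -f "$1" ] && grep -Eq '"extensions\.autoUpdate"[[:space:]]*:[[:space:]]*false' "$1"
}

# Usage: audit.sh [extensions-dir] [settings.json]
main() {
  local ext_dir="${1:-$HOME/.vscode/extensions}"
  local settings="${2:-$HOME/Library/Application Support/Code/User/settings.json}"
  echo "== Extensions under $ext_dir =="
  list_extensions "$ext_dir"
  find_affected "$ext_dir" || echo "OK: $AFFECTED_ID $AFFECTED_VERSION not installed"
  if auto_update_disabled "$settings"; then
    echo "OK: extensions.autoUpdate is false in $settings"
  else
    echo "WARN: extensions.autoUpdate is not set to false in $settings"
  fi
}

main "$@"
```

Run it per enrolled machine (or through your MDM's script runner) and treat any `AFFECTED` line as the trigger for the credential-rotation step: every token, cloud key, or SSH key reachable from that machine during the window is in scope. The auto-update check is the "delay auto-update" control from the list; with it off, a marketplace push cannot land on the laptop before someone reviews the publisher change.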
Nx released remediated versions starting at 18.100.0. Upgrade immediately if you were on 18.95.0.