3,800 Repos, One Poisoned Extension: GitHub Breached
Table of contents
What Happened
On May 19, 2026, GitHub confirmed that a threat actor gained unauthorized access to approximately 3,800 internal repositories. The attacker was TeamPCP, the same group behind the Mini Shai-Hulud supply chain worm that compromised 170+ npm and PyPI packages eight days earlier.
The entry point: the poisoned Nx Console VS Code extension (v18.95.0) that was live on the VS Code Marketplace for roughly 11 minutes on May 18. A GitHub employee installed it. That was enough.
This is the full teardown of how GitHub itself became the target, what was exposed, and what it means for the millions of developers who depend on GitHub's infrastructure.
The Chain of Events
To understand how this happened, you need to trace the chain back to the beginning.
May 11: TeamPCP launches Mini Shai-Hulud. The self-propagating worm compromises 170+ npm and PyPI packages including TanStack, Mistral AI, UiPath, and Guardrails AI. It steals GitHub tokens, npm credentials, AWS keys, and everything else it can find. One of the tokens it harvests belongs to a contributor on the Nx Console project.
May 18: TeamPCP uses that stolen token to push a malicious version of the Nx Console VS Code extension (nrwl.angular-console v18.95.0) to the VS Code Marketplace. The extension has over 2.2 million installations. The poisoned version is live for approximately 11 minutes before the Nx team detects and pulls it.
During those 11 minutes, the extension auto-updates on machines that have it installed. One of those machines belongs to a GitHub employee.
May 19: GitHub detects unauthorized access to internal repositories. Investigation reveals that stolen credentials from the Nx Console payload were used to authenticate against GitHub's internal systems. The attacker accessed approximately 3,800 repositories.
May 20: Listings appear on BreachForums. TeamPCP offers the repository data for sale at $50,000 minimum. LAPSUS$, the threat group known for breaching Microsoft, NVIDIA, and Samsung in 2022, surfaces alongside TeamPCP with a joint listing at $95,000.
What Was Accessed
The 3,800 repositories span GitHub's core infrastructure and products. Based on the BreachForums listings and independent verification by security researchers, the exposed repositories include source code and internal tooling for:
GitHub Actions - The CI/CD platform used by millions of repositories. Internal runner code, orchestration logic, and OIDC token handling.
GitHub Copilot - Internal components of the AI coding assistant. Model integration code, prompt engineering infrastructure, and telemetry systems.
CodeQL - GitHub's code analysis engine. Internal rule sets, vulnerability detection logic, and security scanning infrastructure.
GitHub Codespaces - Cloud development environment internals. Container orchestration, workspace management, and authentication flows.
Dependabot - Automated dependency update system. Internal logic for vulnerability detection, PR generation, and package ecosystem integration.
GitHub Security Tools - Internal security scanning, secret detection, and incident response tooling.
Some repositories also contained excerpts from support tickets, internal documentation, and configuration files with references to internal service endpoints.
How the Nx Console Payload Worked
The Nx Console payload was not a simple credential stealer. It was a multi-stage attack tool designed for persistence and stealth.
When a developer opened any workspace in VS Code with the compromised extension installed, the payload activated within seconds. It fetched a 498 KB obfuscated script hidden inside an orphan commit in the official nrwl/nx GitHub repository. This meant the payload was hosted on legitimate infrastructure, making it harder to detect.
The payload harvested credentials from multiple sources: GitHub Personal Access Tokens, npm tokens, AWS IAM keys, Azure and GCP credentials, HashiCorp Vault tokens, Kubernetes service account tokens, 1Password service account tokens, and SSH keys.
Exfiltration happened over three independent channels simultaneously: HTTPS to attacker-controlled servers, the GitHub API (using stolen tokens to write data to repositories the attacker controlled), and DNS tunneling. If one channel was blocked, the other two still worked.
On macOS, the payload installed a persistent Python backdoor that used the GitHub Search API as a dead-drop command-and-control channel. Commands were signed with a 4096-bit RSA key to prevent hijacking by other attackers.
The payload also specifically targeted Claude Code configuration files at ~/.claude/settings.json, looking for API keys, custom endpoints, and proxy configurations. AI coding assistants are now explicitly on the target list.
The LAPSUS$ Connection
The appearance of LAPSUS$ alongside TeamPCP is significant. LAPSUS$ gained notoriety in 2022 for breaching Microsoft (37GB of source code including Bing and Cortana), NVIDIA (1TB of proprietary data), Samsung (190GB of source code), Okta, T-Mobile, and Uber.
Several members were arrested and convicted in 2023 and 2024, but the group was never fully dismantled. Their reappearance in a joint listing with TeamPCP suggests either a partnership, a shared membership pipeline, or that TeamPCP sold or shared access.
The joint listing at $95,000 is notably low for source code from one of the largest development platforms in the world. This suggests the goal may be disruption and reputation damage rather than pure financial gain, or that the data has already been sold privately and the public listing is secondary.
GitHub's Response
GitHub detected the breach on May 19 and initiated incident response the same day. Their public statement confirmed:
- Unauthorized access to internal repositories was detected and contained
- Critical secrets and credentials were rotated immediately
- The investigation is ongoing with external forensic support
- No evidence of customer data exposure at this time
The "no customer data" qualifier comes with caveats. Some internal repositories contained support ticket excerpts and internal documentation that referenced customer-facing systems. The full scope of what was in those 3,800 repositories is still being assessed.
GitHub also confirmed they are working with law enforcement and coordinating with Microsoft's security team on the investigation.
The durabletask Campaign
While the GitHub breach dominated headlines, TeamPCP was not finished. On May 19, the same day the breach was detected, a compromised version of the durabletask package appeared on PyPI.
durabletask is part of Microsoft's Azure SDK ecosystem, used for orchestrating long-running workflows in Azure Functions and Azure Durable Functions. The malicious version contained a credential stealer with the same signature as the Mini Shai-Hulud payload.
Security researchers have labeled this "Wave Four" of the TeamPCP campaign:
- Wave One (May 11): Mini Shai-Hulud worm hits npm and PyPI
- Wave Two (May 18): Nx Console VS Code extension hijacked
- Wave Three (May 19): GitHub internal repos breached
- Wave Four (May 19): durabletask on PyPI compromised
Each wave used credentials stolen in the previous wave. The chain is unbroken from the initial worm to the breach of one of the largest development platforms on earth.
What This Means
This breach is not just about GitHub losing source code. It is about the fragility of the entire software supply chain.
A single self-propagating worm, launched on May 11, led to the breach of GitHub itself by May 19. Eight days from initial compromise to accessing 3,800 internal repositories at one of the most security-conscious companies in the industry.
The attack chain: stolen token from a package maintainer, used to poison a VS Code extension, which compromised a GitHub employee's machine, which gave access to internal systems. Four hops. Eight days. 3,800 repositories.
Every link in that chain is a dependency that most organizations trust implicitly. Package registries. Editor extensions. Employee workstations. Internal access controls.
The Copilot source code exposure is particularly concerning. With access to internal model integration code and prompt engineering infrastructure, attackers could potentially identify ways to manipulate AI-generated code suggestions at scale. This has not been confirmed, but the theoretical attack surface is significant.
How to Assess Your Exposure
If you use GitHub (and you almost certainly do), here is what to check.
Check for the Nx Console Payload
If you had Nx Console installed and it auto-updated around May 18:
# Check VS Code extension version history
ls -la ~/.vscode/extensions/nrwl.angular-console-*
# Look for the persistent backdoor on macOS
launchctl list | grep -i nx
find ~/Library/LaunchAgents -name '*nx*' -o -name '*nrwl*' 2>/dev/null
# Check for modified files newer than the package.json
find ~/.vscode/extensions/nrwl.angular-console-* -name '*.js' -newer ~/.vscode/extensions/nrwl.angular-console-*/package.json 2>/dev/nullCheck Claude Code Configuration
cat ~/.claude/settings.json | grep -i 'proxy\|endpoint\|url\|token'If you see entries you did not add, assume compromise.
Check for durabletask Compromise
pip show durabletaskIf you are running a version published on May 19, update immediately and rotate all credentials in that environment.
Rotate GitHub Tokens
Even if you were not directly affected by the Nx Console payload, the breach of GitHub's internal systems means you should rotate any long-lived tokens:
# List your GitHub PATs
gh auth status
# Revoke and regenerate tokens
# Go to GitHub > Settings > Developer settings > Personal access tokensPay particular attention to tokens with write access to repositories, packages, or GitHub Actions workflows.
Review GitHub Actions Workflows
With Actions source code exposed, review your workflows for any hardcoded secrets or tokens that could be extracted if an attacker understands the internal execution model:
# Search for potential secret exposure in workflows
grep -r 'secrets\.' .github/workflows/
grep -r 'GITHUB_TOKEN' .github/workflows/Pin all third-party actions to commit SHAs, not tags:
# Do this
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
# Not this
uses: actions/checkout@v4Monitor for Downstream Effects
The exposed repositories include Dependabot and CodeQL internals. If attackers understand how these tools work internally, they could potentially:
- Craft dependency updates that bypass Dependabot's security checks
- Write code that evades CodeQL's vulnerability detection rules
- Manipulate Copilot suggestions through understanding of the prompt pipeline
These are theoretical risks, but they are worth monitoring. Watch GitHub's security advisories closely over the coming weeks.
The Pattern Continues
May 11: 170 packages compromised. May 18: VS Code Marketplace hijacked. May 19: GitHub breached. May 19: durabletask on PyPI poisoned.
One threat actor. One initial worm. Four waves of attacks in nine days. Each wave built on credentials stolen in the previous wave.
The supply chain is not a series of isolated incidents anymore. It is a continuous, compounding attack surface where every compromise enables the next one. And the target is no longer just your production servers or your CI/CD pipelines. It is the platforms you build on.
GitHub hosts over 100 million developers and more than 420 million repositories. When the platform itself gets breached, every assumption about the security of that ecosystem needs to be re-examined.
3,800 repositories. Copilot. Actions. CodeQL. Dependabot. All exposed because one developer installed an auto-updated VS Code extension during an 11-minute window.
Rotate your tokens. Pin your actions. Check your extensions. The chain does not stop here.