18 Minutes Live: A Poisoned Nx Console Extension Breached Roughly 3,800 GitHub Internal Repos

An attacker does not need a zero day in your perimeter when your developers will install the payload for you. On May 18, 2026, a threat actor tracked as TeamPCP published a malicious build of the Nx Console extension to the Visual Studio Marketplace. The package, nrwl.angular-console version 18.95.0, was live for roughly 18 minutes, between 12:30 and 12:48 UTC. That was long enough. VS Code silent background updates pushed the build to an estimated 6,000 machines before it was pulled, according to reporting from StepSecurity and The Hacker News.

The blast radius did not stay inside those endpoints. One of the compromised machines belonged to a GitHub employee. That single foothold gave TeamPCP access to approximately 3,800 GitHub internal source code repositories, with OpenAI and Grafana Labs also confirming impact. The vulnerability is tracked as CVE-2026-48027. The breach was confirmed by BleepingComputer and The Hacker News.

How the payload moved

The initial access was itself the product of a prior supply-chain compromise. TeamPCP obtained the Nx developer credentials through the earlier Mini Shai-Hulud campaign that poisoned TanStack packages on npm. With publishing rights in hand, the actor shipped version 18.95.0 of the extension, as detailed by Aikido.

The malicious extension did not carry its payload inside the marketplace package. On startup it fetched an obfuscated credential stealer from a hidden commit inside the official nrwl/nx GitHub repository, then executed it. Hosting the second stage in a legitimate, trusted repository is the detail that defeats most naive allowlists. The traffic looked like a developer tool talking to its own project on GitHub.

Once running, the stealer swept the developer environment for anything of value: GitHub tokens, npm tokens, AWS credentials, 1Password vault contents, Anthropic Claude Code configurations, and SSH keys. Exfiltration ran over three channels: HTTPS, the GitHub API, and DNS tunneling. The clean releases before 18.95.0 are unaffected, and the issue is fixed in version 18.100.0 and later.

The detection and response gap

This incident punishes the assumptions baked into most blue-team programs.

• IDE extensions are unmanaged code execution. A VS Code extension runs with the full privileges of the developer. Most organizations have no inventory of installed extensions, no version pinning, and no alerting when a silent background update changes the code running on engineering laptops.
• Trusted destinations hide second stages. The payload was pulled from github.com and exfiltrated partly through the GitHub API. Egress filtering that allows GitHub by default, which is to say almost every developer network, saw nothing unusual.
• DNS is still an open door. DNS tunneling carried part of the theft. Teams that do not inspect or baseline DNS query volume and entropy missed a primary exfiltration channel.
• The window was minutes, not days. An 18 minute exposure defeats any control that depends on human review, periodic scanning, or weekly patch cycles. Detection has to be continuous and automated or it is not detection at all.

Mapping the behavior to MITRE ATT&CK

Translating the kill chain into ATT&CK gives blue teams concrete detections to build and validate:

• T1195.002 Compromise Software Supply Chain and T1195.001 Compromise Software Dependencies and Development Tools: the poisoned extension and the upstream npm credential theft.
• T1059 Command and Scripting Interpreter: the obfuscated second stage executing on extension startup.
• T1552.001 Unsecured Credentials in Files and T1528 Steal Application Access Token: harvesting tokens, SSH keys, and vault contents.
• T1071.001 Web Protocols and T1071.004 DNS: exfiltration over HTTPS, the GitHub API, and DNS tunneling.

Operationalizing a response

If you ran VS Code with Nx Console on May 18, 2026, treat every secret reachable from those machines as compromised until proven otherwise. A practical sequence:

1. Confirm Nx Console is on version 18.100.0 or later across the fleet and block 18.95.0 outright.
2. Rotate GitHub personal access tokens, npm tokens, and AWS credentials for any developer who had VS Code open during the window.
3. Audit GitHub organization logs for unexpected repository clones, forks, and API calls, and review 1Password access logs around the date.
4. Inspect VS Code extension settings and any MCP server configuration files for unexpected modifications.
5. Hunt for DNS tunneling indicators: high query volume to unfamiliar domains and abnormal subdomain entropy.

How BlueTeamAutomation closes the loop

Manual rotation and log spelunking after the fact is the slow path. BlueTeamAutomation runs the full blue-team workflow against this class of supply-chain threat continuously, on hardware you control.

• BAS validation. BASzy emulates the exact behaviors above, a second stage fetch from a trusted repository, credential file access, and DNS plus HTTPS exfiltration, so you know before an incident whether your controls fire.
• EDR. On-device detection flags an IDE extension spawning an interpreter and reading credential stores and SSH keys, the local signal that beats network allowlists.
• SIEM correlation. Endpoint process events, GitHub audit logs, and DNS telemetry correlate into a single timeline so a credential stealer becomes one alert, not three disconnected ones.
• SOAR response. Automated playbooks isolate the host, revoke and rotate exposed tokens, and open the incident the moment the pattern matches, inside the minutes that matter.
• Compliance evidence. Every detection, validation run, and response action is captured as audit ready evidence for SOC 2, ISO 27001, and your incident response obligations.

The lesson from CVE-2026-48027 is blunt. Your software supply chain now includes every extension on every developer laptop, and the exposure window can be measured in minutes. Continuous validation and automated response are the only controls that operate on that timescale.