The Nx Console 18.95.0 incident shows how a single poisoned extension can turn a developer’s machine into an entry point for something much bigger.
TL;DR: A compromised build of the popular Nx Console VS Code extension (version 18.95.0) was published to the Marketplace on May 18, 2026. The threat group TeamPCP has since claimed full responsibility for the operation, framing the breach as a demonstration of the inherent vulnerabilities in the modern developer supply chain. While GitHub worked to contain the fallout, TeamPCP published snippets of the exfiltrated file trees to verify their access.
GitHub disclosed today (May 20) on X that the poisoned Nx Console extension compromised an employee’s device, leading to unauthorized access to GitHub’s own internal repositories. GitHub stated that it detected and contained the incident, isolated the endpoint, and began an immediate response.
Their assessment: the attacker exfiltrated GitHub-internal repositories; claims of roughly 3,800 repos were, GitHub said, “directionally consistent” with its investigation. Critical secrets were rotated overnight, with the highest-impact credentials prioritized first.
In short, a single trojan VS Code extension did not just steal individual developer tokens. It reached GitHub’s internal infrastructure, turning what looked like a supply-chain attack on Nx users into a direct breach of GitHub itself.
Immediate Actions
- Rotate your keys and enable 2FA on your accounts.
- Remove the malicious extension that may have been installed on workstations.
- Treat the machine – along with any connected tokens, environment variables, and API keys – as compromised.
What is Nx Console?
Nx Console (nrwl.angular-console) is the official VS Code UI for the Nx monorepo toolchain. In a normal build it is meant to:
- Detect and open Nx workspaces (nx.json, etc.)
- Run Nx generators and tasks from the editor
- Provide graph views, project details, and Nx Cloud integration
- Help set up MCP (Model Context Protocol) so AI tools in the editor get Nx workspace context – e.g. via npx nx mcp on supported versions
It activates when the editor is ready (onStartupFinished) and is allowed to run shell commands because building and running Nx often shells out to npm / npx / nx.
What the compromised 18.95.0 build was actually intended to do
The malicious 18.95.0 build keeps the real Nx Console surface (~7.7 MB main.js) but adds one goal on top:
On every startup, silently run npx against a fixed git commit on nrwl/nx and install/run a hidden package (nx-next) whose real job is credential theft – including GitHub tokens.
The VSIX itself is only the trigger. It does not embed the stealer, and does not call the GitHub API. It disguises the action as “install-mcp-extension” so it looks like normal Nx MCP setup.
The trojan extension runs:

What happens after that npx line?
The extension does not control what runs next – it only launched the command. But we can trace what npx does from the decrypted analyst copy of the same commit tree.
What npm finds at that SHA is not the real Nx source. It is a minimal package called nx-next:

The bun dependency installs the Bun runtime. There is no preinstall or postinstall – execution happens through the bin field when npx runs the package.
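The bin-field detail matters for detection: scanners that only look for lifecycle hooks would report this package as clean. The following is an added example (not code from this write-up or from the Nx project) that enumerates every execution surface in a package.json, including the bin path. The sample manifest is constructed to match the shape described above; its paths and versions are placeholders, and the runtime-dependency list is an assumption.

```javascript
// Added example: list every way a package manifest can cause code execution
// when fetched with `npx <git-url>#<sha>`. A lifecycle-hook-only scan misses
// the `bin` path, which npx executes with no preinstall/postinstall present.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];
// Dependencies that drop a whole runtime onto the machine. `bun` is the one
// named in the write-up; the rest of the list is an assumption, not exhaustive.
const RUNTIME_DEPS = new Set(['bun', 'deno']);

function executionSurfaces(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ kind: 'lifecycle', name: hook, target: scripts[hook] });
  }
  // `bin` is either a string (one command named after the package) or a map.
  const bin = manifest.bin;
  if (typeof bin === 'string') {
    findings.push({ kind: 'bin', name: manifest.name, target: bin });
  } else if (bin && typeof bin === 'object') {
    for (const [name, target] of Object.entries(bin)) findings.push({ kind: 'bin', name, target });
  }
  const deps = manifest.dependencies || {};
  for (const dep of Object.keys(deps)) {
    if (RUNTIME_DEPS.has(dep)) findings.push({ kind: 'runtime-dep', name: dep, target: deps[dep] });
  }
  return findings;
}

// True when a hook-only scanner would report the package as clean even though
// npx will still run code from it.
function hooksOnlyScanMisses(manifest) {
  const f = executionSurfaces(manifest);
  return f.some(x => x.kind === 'bin') && !f.some(x => x.kind === 'lifecycle');
}

// Constructed manifest mirroring the described shape: no lifecycle scripts,
// a `bin` entry, a dependency on bun. Values are placeholders, not the real ones.
const SAMPLE_MANIFEST = {
  name: 'nx-next',
  version: '0.0.0',
  bin: { 'nx-next': './index.js' },
  dependencies: { bun: '*' },
};

console.log(executionSurfaces(SAMPLE_MANIFEST), hooksOnlyScanMisses(SAMPLE_MANIFEST));
```

Run it against any package.json pulled from a suspicious commit to see what would execute before deciding a package is inert.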
The dropper
Running in the background, the stealer goes after developer secrets broadly: GitHub personal access tokens, npm authentication from .npmrc, AWS credentials from IMDS and environment variables, HashiCorp Vault tokens, Kubernetes service account secrets, 1Password CLI sessions, SSH private keys, cloud provider configs, and AI tool credentials such as Claude Code configuration files. It collects everything it can reach from disk, environment variables, and even process memory on Linux.
The stolen data is sent out through multiple independent channels – encrypted HTTPS to a remote server, the GitHub API using the victim’s own stolen tokens, and DNS tunneling as a backup – so blocking any single channel does not stop exfiltration.
The extension looked and behaved like normal Nx Console, but on startup it silently ran a single shell command that downloaded and executed a hidden package from a planted commit on the official nrwl/nx GitHub repository. The command was disguised as a routine MCP setup task so it would not raise suspicion.
That downloaded package was the real payload – a credential stealer that ran in the background, harvesting GitHub tokens, npm credentials, AWS keys, Vault secrets, SSH keys, and more. Stolen data was exfiltrated through multiple channels including HTTPS, the GitHub API, and DNS tunneling. On macOS it installed a persistent backdoor that used the GitHub Search API as a command channel.
The extension itself was just the trigger. It did not contain the stealer and did not directly call any APIs. Its only job was to launch npx and get out of the way.