GitHub lost 3,800 repositories because one developer installed a trusted extension. The version wasn’t.

The poisoned version was part of a broader supply chain campaign called Mini Shai-Hulud, attributed to the threat group TeamPCP. It began on May 11 by compromising TanStack’s npm pipeline and propagated through 170 packages and two PyPI libraries before reaching GitHub, OpenAI, Grafana Labs, and Mistral AI. Nobody picked a lock. The lock opened itself, on schedule, the way it always does.

What happened

On May 11, 2026, TeamPCP compromised TanStack’s release pipeline. TanStack is a widely used open-source library for web application development. The attacker created a fork of the TanStack router repository using a GitHub account registered in March 2026, injected a malicious payload into the build process, and used TanStack’s own CI/CD workflow to publish infected versions of 84 npm package artifacts across 42 packages.

The payload was not published by someone impersonating TanStack. It was published by TanStack’s legitimate release pipeline, after the attacker had hijacked the workflow mid-execution. The packages carried valid signatures. The provenance looked correct. Every automated check that was supposed to catch this saw a normal release.

From TanStack, the infection spread. A developer working on Nx Console, a VS Code extension used to manage Angular and React monorepos, had TanStack as a dependency. Their machine was compromised. TeamPCP used the developer’s GitHub credentials, exfiltrated through the malicious build, to push a poisoned version of Nx Console 18.95.0 to the Visual Studio Marketplace.

Nx Console has 2.2 million installs. The malicious version 18.95.0 was downloaded 28 times on Microsoft’s marketplace and 41 times on OpenVSX before it was identified and removed. Those numbers look small. The people who installed it were developers at GitHub, OpenAI, Grafana Labs, and Mistral AI. One GitHub employee installed it. That was enough.

What was taken

GitHub confirmed 3,800 internal repositories were exfiltrated. The company isolated the compromised device, removed the malicious extension, and opened an incident response. GitHub’s CISO Alexis Wales confirmed the Nx Console link on May 21. The full investigation report is pending.

OpenAI confirmed two employee devices were compromised. Credential material was exfiltrated from a limited subset of internal source code repositories those employees could access. OpenAI engaged a third-party forensics firm, revoked the affected credentials, and announced it will retire its current macOS app signing certificate on June 12, 2026, replacing it entirely.

Mistral AI confirmed its npm and PyPI SDKs were trojaned in the same campaign. TeamPCP then advertised Mistral AI source code repositories for sale on a cybercrime forum. Grafana Labs confirmed unauthorized access to its GitHub environment and the download of its codebase, with no customer data or production systems accessed.

The pipeline as attack surface

Modern software is not written from scratch. It is assembled from dependencies. A JavaScript application pulls in hundreds of packages at build time. A VS Code extension pulls in its own dependency tree. Those packages pull in theirs. At every layer, the assumption is the same: a package published through official channels by a known maintainer is safe to install.

TeamPCP has been attacking that assumption systematically since at least March 2026. Trend Micro documented at least seven confirmed waves: Trivy in March, then Checkmarx KICS, LiteLLM, Bitwarden CLI, TanStack in May, Mistral AI in May. Google Threat Intelligence Group tracks the actor as UNC6780, a financially motivated group specialising in supply chain attacks against open-source security utilities and AI middleware.

The common factor across every victim is not a misconfigured firewall or a weak password. It is a developer who installed a package or extension that had been legitimate for years and was no longer legitimate on the day they installed it. OpenAI’s post-incident statement named the problem directly: a vulnerability introduced upstream in shared dependencies and tooling “can propagate widely and quickly.” That is not a description of an edge case. It is a description of how all software is built.

What this means beyond developers

This attack hit developers at technology companies. The immediate victims are GitHub, OpenAI, Grafana, and Mistral AI. The downstream exposure is wider than that, and it does not stop at people who write code.

Journalists and NGO workers who rely on Signal Desktop depend on Signal’s build pipeline the same way GitHub’s employee depended on Nx Console’s. Lawyers using document management tools, secure email clients, or any software with a development dependency chain inherit the same attack surface. Security tools themselves, Bitwarden CLI, Trivy, Trellix, have already been targeted in this campaign.

When a security tool’s source code is accessible to an attacker, the attacker is not looking for customer records. They are looking for the gaps in the tool itself. The vulnerabilities that exist but have not been found. The configurations that create blind spots. The detection logic that can be evaded. That knowledge is worth more than any dataset, because it tells the attacker exactly where the defender is blind.

The Trellix breach of May 2026 and the TeamPCP campaign are different incidents with the same root. The tools people trust for security are themselves targets, and the code that runs them is an attack surface. This is the same lesson that turns up every time a device is the entry point rather than the network: the weakest link is almost never the encryption.

What actually stops this

The controls that stopped none of these attacks are worth understanding. Code signing did not stop it. The malicious TanStack packages carried valid signatures generated with stolen CI/CD credentials through the legitimate Sigstore stack. The signatures were real. They proved the package came from the pipeline. They did not prove the pipeline had not been hijacked.

The VS Code marketplace did not catch the poisoned Nx Console before developers at GitHub and OpenAI installed it. It was removed after the fact. Antivirus and endpoint detection did not flag the extension before credentials left the machine. The payload was obfuscated into a single 2.3 megabyte line of JavaScript.

What stops it, or at least slows it, is unglamorous: version pinning with hash verification, delayed adoption of new package versions instead of automatic updates, and a mandatory review before any dependency update reaches a developer or production environment. All of it adds friction. Friction is the point. For individuals rather than organisations the surface is narrower but the principle is identical. Auto-update is convenient. It is also the exact mechanism by which a trusted tool becomes an untrusted one overnight, with no visible change. The same discipline that protects a law firm from a breach applies here: assume the update is the delivery vehicle and slow it down.

Frequently asked questions

Was GitHub hacked in the traditional sense?

No perimeter was breached and no vulnerability in GitHub’s own infrastructure was exploited. An employee installed a poisoned version of a legitimate VS Code extension, which exfiltrated their credentials. Those credentials were then used to reach internal repositories the employee already had access to. The attack entered through the developer’s machine, not through GitHub’s systems.

Are the stolen repositories being sold?

TeamPCP advertised stolen Mistral AI repositories on cybercrime forums and stated it would leak GitHub’s repositories if no buyer materialised. GitHub has not confirmed what code the 3,800 repositories contained, or whether sensitive material was included. Treat any internal credentials or keys that may have lived in that code as compromised.

Does this affect users of GitHub, OpenAI, or Mistral products?

GitHub, OpenAI, and Grafana Labs all stated that no customer data or production systems were compromised. The confirmed theft is internal source code and developer credentials. The risk from source code exposure is longer term: an attacker who has read internal code may find vulnerabilities that are not yet public.

How do I know if my VS Code is affected?

The malicious version was Nx Console 18.95.0. If you have it installed, update it now. Microsoft removed the poisoned version from the marketplace. Review every installed VS Code extension, update any with a recent release, and check your development machine’s credential stores for tokens or API keys that may have been readable by an extension.

---

Nobody broke into GitHub. A developer installed a routine extension update and the attacker was already inside. The pipeline was the attack. The update was the delivery. The trust was the vulnerability. Those are hard problems, because fixing them means adding friction to workflows built to remove it.

There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.