In the early hours of May 18, 2026, a malicious version of the Nx Console VS Code extension was published to the Visual Studio Marketplace. It was live for exactly 18 minutes. In that window, the credentials needed to access GitHub’s internal codebase were silently stolen from at least one developer’s machine. By May 20, GitHub’s CISO had confirmed the breach: roughly 3,800 internal repositories had been exfiltrated. OpenAI and Grafana were among the other organisations affected.
This is not a story about a sophisticated zero-day attack. It’s a story about how much trust enterprise teams place in the tools they use every day — and how quickly that trust can be weaponised.
What Actually Happened
The attack was traced back through a chain of compromises. A supply chain attack on the TanStack npm package exposed the GitHub credentials of an Nx team developer. Those credentials gave the attackers — a group known as TeamPCP — enough access to plant a malicious payload inside the official Nx repository.
When Nx Console version 18.95.0 was published, it looked and behaved normally. But on startup, it executed a hidden shell command that fetched and ran a credential harvester from the package planted in the Nx repository. The harvester collected GitHub tokens, npm credentials, AWS access keys, HashiCorp Vault secrets, SSH keys, and more, then exfiltrated them across three channels simultaneously: standard HTTPS, the GitHub API, and DNS tunnelling.
Here’s the detail that stands out for anyone working in AI tooling: the malicious shell command was disguised as a routine MCP setup task. TeamPCP knew that developers building agentic workflows expect to see MCP initialisation scripts. The payload hid in plain sight.
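Of the three exfiltration channels described above, DNS tunnelling is the one most likely to pass an egress filter that only inspects HTTPS, so it is worth a dedicated detection. The script below is an added example, not code from the original article or from Nx, GitHub or The Hacker News: it reads constructed DNS query log lines (timestamp, client, query name), groups queries by client and parent domain, and flags groups where a burst of long, high-entropy subdomain labels looks like encoded data leaving over DNS. The log format, thresholds and the `c2-placeholder.example` domain are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, "<timestamp> <client> <query-name>" per line.
# The long base32-looking labels under c2-placeholder.example stand in for
# encoded secrets; none of this is from a real capture.
SAMPLE_DNS_LOG = """\
2026-05-18T03:14:07Z 10.0.4.21 github.com
2026-05-18T03:14:09Z 10.0.4.21 api.github.com
2026-05-18T03:14:10Z 10.0.4.21 registry.npmjs.org
2026-05-18T03:14:11Z 10.0.4.21 mfzg2ylumvwwk3tjnfsxg5a.c2-placeholder.example
2026-05-18T03:14:11Z 10.0.4.21 nfxgc5dqom5c6zlymfwxa3dfeb2w6.c2-placeholder.example
2026-05-18T03:14:12Z 10.0.4.21 onswg4tfor5co4dsn53gsy3uof5g.c2-placeholder.example
2026-05-18T03:14:12Z 10.0.4.21 ozsxe3djmnsxezlbmrsxezlsm.c2-placeholder.example
2026-05-18T03:14:13Z 10.0.4.21 pfzgk3zamnxw4zlfonqxezlt.c2-placeholder.example
2026-05-18T03:14:14Z 10.0.4.21 marketplace.visualstudio.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, parent) with parent = last two labels.
    Assumption for the example: two-label parents. Production code should
    use a public-suffix list so co.uk-style domains are handled."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", qname.lower()
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qname) pairs; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield parts[1], parts[2]


def find_dns_tunnel_candidates(text, min_unique=4, min_label_len=16, min_entropy=3.0):
    """Flag (client, parent) groups whose distinct subdomains are numerous,
    long and high-entropy, the shape of data encoded into DNS queries."""
    groups = defaultdict(set)
    for client, qname in parse_log(text):
        sub, parent = split_name(qname)
        if sub:
            groups[(client, parent)].add(sub)

    findings = []
    for (client, parent), subs in sorted(groups.items()):
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            findings.append({
                "client": client,
                "parent": parent,
                "unique_subdomains": len(subs),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in find_dns_tunnel_candidates(SAMPLE_DNS_LOG):
        print(finding)
```

Run against real resolver logs, the parent-domain grouping is what keeps legitimate CDN hostnames (long but few per parent, and repeated) from tripping the rule; tune `min_unique` upward on busy resolvers, and treat a hit as a lead for the host-side investigation, not as proof on its own.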
The Downstream Impact
TeamPCP initially demanded $50,000 for the stolen repositories, then raised the ask to $95,000 when no payment arrived, and threatened to leak the full dataset publicly. GitHub rotated internal secrets, removed the compromised extension version from the Marketplace, and isolated the affected endpoint. The Nx team shipped a clean replacement build within hours.
GitHub has since confirmed the exfiltration was limited to internal repositories and did not affect customer data. That is meaningful, though 3,800 internal repos from one of the world’s most security-conscious organisations is still a serious breach.
Why This Matters Beyond GitHub
The 2.2 million developers who have installed Nx Console on their machines are the kind of people building AI pipelines, training workflows, and internal tooling for enterprise systems. Many of them work inside your organisation.
The Nx Console incident is part of a wider pattern: MCP supply chain vulnerabilities, the Langflow RCE, and now a poisoned VS Code extension that specifically targets the AI development toolchain. The attack surface for enterprise AI is growing faster than most security teams are accounting for.
The problem is not that developers used a popular extension. The problem is that the trust model for developer tooling has not caught up with the security requirements of AI-era work. A VS Code extension that has permission to run shell commands, read file systems, and connect to external services has an enormous footprint. Most enterprises have no visibility into what those extensions are actually doing.
What This Means for Business
If your teams are building AI agents, data pipelines, or automation workflows — and they are using VS Code — the Nx Console breach is a direct prompt to audit your developer security posture.
The immediate questions worth asking:
- Do you know which VS Code extensions your developers have installed?
- Are those extensions pinned to verified versions, or auto-updating?
- Do you have credential rotation policies in place for the cloud services your developers access locally?
- Are developers working on AI workflows using the same machines (and credentials) as they use for production access?
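The first two questions above (what is installed, and whether it is pinned) can be answered mechanically. The script below is an added example, not code from the original article or from any of the organisations it names: it parses the output format of the real VS Code CLI command `code --list-extensions --show-versions` (one `publisher.name@version` per line), compares it against an allowlist of reviewed, pinned versions, and separates known-bad versions, unapproved extensions and silent version drift from auto-updates. The inventory, the allowlist and the `placeholder-publisher.nx-console` id are constructed for the example; the page's version 18.95.0 is used as the denied version, but the real Marketplace id of Nx Console must be looked up before this is used for anything real.

```python
import re

# Shape of `code --list-extensions --show-versions` output: "<publisher>.<name>@<version>".
# The inventory below is constructed sample data, not output from any real machine.
SAMPLE_INVENTORY = """\
ms-python.python@2024.4.1
esbenp.prettier-vscode@10.4.0
placeholder-publisher.nx-console@18.95.0
unknown-publisher.helper-tool@0.0.3
"""

# Constructed allowlist: extension id -> version approved by review and pinned.
ALLOWLIST = {
    "ms-python.python": "2024.4.1",
    "esbenp.prettier-vscode": "10.1.0",
    "placeholder-publisher.nx-console": "18.94.0",
}

# Constructed denylist of (id, version) pairs known to be malicious.
# "placeholder-publisher.nx-console" is a stand-in id, not the real one.
KNOWN_BAD = {("placeholder-publisher.nx-console", "18.95.0")}

LINE_RE = re.compile(r"^(?P<id>[\w-]+\.[\w-]+)@(?P<version>[\w.+-]+)$")


def parse_inventory(text):
    """Return {extension_id: version}; lines that do not match the expected
    shape (blank lines, CLI warnings) are ignored. Ids are lower-cased so
    comparison with the allowlist is case-insensitive."""
    installed = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            installed[m.group("id").lower()] = m.group("version")
    return installed


def audit(inventory_text, allowlist=ALLOWLIST, known_bad=KNOWN_BAD):
    """Classify each installed extension, most severe finding first:
    known-bad version, not on the allowlist, drifted from the pinned
    version (the auto-update case), or ok."""
    result = {"known_bad": [], "unapproved": [], "version_drift": [], "ok": []}
    for ext_id, version in sorted(parse_inventory(inventory_text).items()):
        if (ext_id, version) in known_bad:
            result["known_bad"].append((ext_id, version))
        elif ext_id not in allowlist:
            result["unapproved"].append((ext_id, version))
        elif allowlist[ext_id] != version:
            result["version_drift"].append((ext_id, allowlist[ext_id], version))
        else:
            result["ok"].append(ext_id)
    return result


if __name__ == "__main__":
    # Real use: capture `code --list-extensions --show-versions` on each
    # developer machine and feed the text to audit(); the constructed sample
    # is used here so the script runs offline.
    for category, items in audit(SAMPLE_INVENTORY).items():
        print(f"{category}: {items}")
```

Version comparison is an exact string match on purpose: a pinned extension that reports any other version has been updated outside the review process, which is exactly the drift the second checklist question asks about.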
None of these are exotic questions. But in the rush to adopt AI development tools, many teams have skipped the security basics that would have caught this attack before it reached GitHub’s repositories.
The group behind the breach disguised their credential stealer as an MCP setup task because they knew developers building AI agents expect to see that kind of script run. That level of operational intelligence suggests they are not opportunistic. They are targeting the AI development supply chain deliberately.
Enterprises that treat AI tooling governance as an optional add-on rather than a core security requirement are building on a foundation that looks more fragile by the week.
Enterprise DNA helps organisations build AI strategies that account for governance and security from the ground up. If your team is scaling AI adoption and needs a structured approach to tool governance, speak with our advisory team.
Source
The Hacker News