bleepingcomputer.com via Reddit

GitHub confirms 3,800-repo breach via VS Code supply chain

Key insights

  • A trojanized VS Code extension active for only 18 minutes on May 18 was enough to breach 3,800 GitHub internal repositories.
  • TeamPCP harvested credentials from 1Password vaults, Claude Code configs, AWS keys, and npm tokens across multiple named AI firms.
  • GitHub officially named Mistral AI, OpenAI, UiPath, Guardrails AI, and OpenSearch as confirmed victims of the same supply-chain campaign.

Why this matters

The VS Code Marketplace's lack of real-time integrity controls allowed a malicious extension to reach thousands of developer machines inside the industry's most security-conscious organizations in under 20 minutes, exposing a structural gap that no individual company's internal security posture can compensate for. The breadth of credential types stolen, spanning cloud keys, AI API tokens, password manager vaults, and CI/CD tokens simultaneously, means affected organizations face cascading exposure across infrastructure, models, and pipelines, not a single contained breach. For AI founders and technical leaders, the inclusion of Claude Code configs and AI-platform tokens as explicit harvest targets signals that AI tooling credentials are now a first-class objective for sophisticated threat actors, warranting the same secret-rotation urgency as AWS root keys.

Summary

GitHub officially confirmed on May 21 that a trojanized VS Code extension, live on the Marketplace for just 18 minutes on May 18, was enough to breach 3,800 of its internal repositories. The threat group behind it, TeamPCP, weaponized the TanStack and Nx Console extensions to harvest credentials at scale across the software industry. The harvested data is extensive: 1Password vault contents, Claude Code configs, npm tokens, GitHub tokens, and AWS keys were all pulled from affected developer machines. GitHub's attribution statement names Mistral AI, OpenAI, UiPath, Guardrails AI, and OpenSearch as confirmed additional victims of the same campaign.

Essentially, GitHub, OpenAI, and Mistral AI were all compromised through a single poisoned developer tool that was live for under 20 minutes.

  • The extension was available on the official VS Code Marketplace, meaning no user error was required to get infected.
  • Credential types stolen span cloud infrastructure, AI API access, and password manager vaults simultaneously.
  • The 18-minute window suggests automated, pre-positioned deployment designed to maximize spread before detection.

The incident makes clear that the VS Code extension ecosystem is now a primary attack surface for targeting AI and software infrastructure at the organizational level.

Potential risks and opportunities

Risks

  • OpenAI and Mistral AI face exposure of model weights, training pipeline configs, or proprietary API infrastructure if harvested AWS keys and GitHub tokens have not been fully rotated and audited within 72 hours of the May 21 disclosure.
  • Organizations using 1Password at the enterprise level may have had cross-system credential sets exfiltrated, meaning secondary breaches at unannounced victim companies could surface over the next 30 to 60 days as TeamPCP monetizes or weaponizes the vault contents.
  • The Nx Console and TanStack communities, with millions of combined downloads, face reputational and legal exposure if downstream enterprise customers assert they were not notified promptly, particularly in EU jurisdictions under NIS2 obligations.

Opportunities

  • Extension security and signing vendors such as Chainguard and Socket are positioned to convert the 18-minute window failure into a concrete sales argument for publisher-identity verification and real-time extension integrity scanning at the Marketplace level.
  • Secret scanning and rotation platforms such as GitGuardian and Doppler can move quickly to offer affected organizations automated post-breach token audit tooling, given the specific credential types named in GitHub's attribution statement.
  • Enterprise browser and developer environment isolation vendors such as Browsec and Talon Cyber Security gain a strong case study for sandboxing IDE extension execution, a control that would have limited the credential-harvesting blast radius regardless of Marketplace detection speed.

What we don't know yet

  • Whether the harvested credentials, particularly AWS keys and AI API tokens, have been actively used or monetized since May 18, and which organizations have confirmed unauthorized access beyond the initial repository breach.
  • How the TanStack and Nx Console extension accounts were compromised to enable the trojanized publish, and whether TeamPCP had prior persistent access to those publisher accounts.
  • Whether the VS Code Marketplace has implemented any retroactive controls or extended the 18-minute detection window that allowed this deployment, and what Microsoft's public timeline for an audit looks like.