
Microsoft’s GitHub confirmed last month that a threat group named TeamPCP had stolen approximately 3,800 of its internal source code repositories after an employee’s device was compromised through a poisoned Visual Studio Code extension.
What Happened
On May 18, 2026, a compromised version of the Nx Console Visual Studio Code extension was published to the official marketplace. The malicious version, live for approximately 11 to 18 minutes, was installed by thousands of users and enabled attackers to exfiltrate credentials and internal source code repositories from affected organizations.
The trojanized version was Nx Console version 18.95.0. It was live on the Visual Studio Marketplace between 12:30 p.m. and 12:48 p.m. UTC on May 18, 2026. According to The Hacker News, that short window was enough for the attackers to distribute a credential stealer capable of harvesting sensitive data from 1Password vaults, Anthropic Claude Code configurations, npm, GitHub, and Amazon Web Services accounts.
GitHub confirmed the breach via posts on X, with an assessment that the activity involved exfiltration of GitHub-internal repositories only, and that the attacker’s claimed figure of roughly 3,800 repositories was directionally consistent with its investigation. The company also said there was no evidence that customer information stored outside of GitHub’s internal repositories was affected.
Shortly after the breach was confirmed, a threat actor appeared on underground forums claiming responsibility and offering the stolen data for sale, reportedly demanding between $50,000 and $95,000, and threatening to leak the data publicly if no buyer emerged.
Who Is Behind It
Since March 2026, a cybercrime group tracked by Google Threat Intelligence as UNC6780 and publicly known as TeamPCP has executed a cascading series of supply chain compromises across npm, PyPI, GitHub Actions, Docker Hub, and the VS Code Marketplace.
Palo Alto Networks Unit 42 has also tracked more than 500 poisoned packages across 20 documented attack waves from the group.
TeamPCP’s confirmed campaign history runs from March through May 2026, hitting Trivy’s GitHub Actions on March 19, the Checkmarx KICS tool on March 23, the LiteLLM PyPI library on the same day, the Telnyx Python SDK on March 27, and the Bitwarden CLI in April, before the VS Code Marketplace compromise in May.
Why This Attack Class Is So Difficult to Stop
TeamPCP’s method involves compromising one trusted employee tool, stealing CI/CD credentials from its runner memory, and using those credentials to poison additional packages in a self-replicating loop. Developers hold privileged access across cloud platforms, internal systems, and deployment pipelines, which means a single compromised developer endpoint gives an attacker lateral reach that a direct network intrusion rarely does.
npm has since responded by introducing staged publishing in version 11.15.0, which requires a human two-factor authentication approval before any package goes live, directly blocking the stolen CI/CD token vector TeamPCP used across its 2026 attack waves. GitHub has said it isolated the compromised device and rotated high-impact credentials. The investigation is ongoing.
The GitHub breach is the sharpest example yet of how thoroughly this threat group has mapped and exploited the modern development environment. The tools developers rely on most are now the ones attackers are targeting first.