Skip to content
Tech News
← Back to articles

GitHub links repo breach to TanStack npm supply-chain attack

2026-05-21 | original
read original get TanStack Query Book → more articles
Why This Matters

The breach highlights the growing threat of supply chain attacks targeting developer tools and repositories, emphasizing the need for enhanced security measures in the software development ecosystem. It underscores the importance for organizations and developers to remain vigilant against compromised extensions and stolen credentials that can lead to widespread access and data breaches.

Key Takeaways

GitHub says the hackers who breached 3,800 internal repositories gained access via a malicious version of the Nx Console VS Code extension, compromised in last week's TanStack npm supply-chain attack.

This attack is attributed to the TeamPCP threat group and began with the compromise of dozens of TanStack and Mistral AI npm packages, then quickly extended to other projects (including UiPath, Guardrails AI, and OpenSearch) using stolen CI/CD credentials.

TeamPCP was linked to other major supply chain attacks targeting developer code platforms, including PyPI, NPM, GitHub, and Docker, and, more recently, to the "Mini Shai-Hulud" supply chain campaign (which also affected two OpenAI employees).

GitHub revealed the breach on Tuesday, saying it was investigating claims of unauthorized access to its internal repositories and telling BleepingComputer that the incident resulted from an employee installing a malicious Visual Studio Code (VS Code) extension, without disclosing the extension's name.

In a blog published Wednesday evening, GitHub CISO Alexis Wales said the breach involved a malicious version of Nx Console, the official Visual Studio Code marketplace extension for Nx, that allows developers to manage large repos and multi-project codebases without relying entirely on complex Terminal CLI commands.

Wakes added that GitHub has since secured the compromised device and has yet to find evidence that customer data stored outside the affected repos has been stolen.

"We rotated critical secrets Monday and into Tuesday with the highest-impact credentials prioritized first," Wales said. "We continue to analyze logs, validate secret rotation, and monitor our infrastructure for any follow-on activity. We will take additional action as the investigation warrants."

While GitHub has yet to attribute the attack to a specific hacking group or threat actor, the TeamPCP cybercrime gang claimed access to GitHub source code and "~4,000 repos of private code" on the Breached forum on Tuesday, and is now asking for at least $50,000 for the stolen data.

TeamPCP GitHub breach claims (Matthew Maynard)

​This comes after the Nx devs revealed on Monday that they were jointly investigating the impact of the attack with GitHub and Microsoft, after a malicious version of Nx Console 18.95.0 was available on the Visual Studio Marketplace for approximately 18 minutes and on OpenVSX for another 36 minutes.

... continue reading

Explore topics: github tanstack npm nx console teampcp
Related:
GitHub's take on age assurance for developers
GitHub Confirms Breach, 4K Internal Repos Stolen
GitHub's Internal Repos Breached Via Employee's Use of Malicious VS Code Extension
Linus Torvalds admits he has a 'love-hate relationship with AI'
GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft’s Python SDK

© 2026 GoKawiil

About | Editorial Policy | Contact