
VS Code supply chain attack hits GitHub, OpenAI, and Mistral AI

Generic hacker at a dual-monitor workstation executing a supply chain attack.
A poisoned VS Code extension linked to the TanStack supply chain attack breached GitHub, OpenAI, and Mistral AI, exposing 3,800 internal repositories and developer credentials.

GitHub confirmed today that the breach of roughly 3,800 internal repositories traces back to a poisoned version of the Nx Console VS Code extension, itself a casualty of the TanStack npm supply chain attack. The campaign, attributed to threat actor group TeamPCP and codenamed Mini Shai-Hulud, has now claimed GitHub, OpenAI, and Mistral AI as confirmed victims, with developer credentials and internal source code the primary targets across all three.

How an 18-minute window reached GitHub, OpenAI, and Mistral AI

The attack began on May 11, 2026, when TeamPCP compromised TanStack's entire router ecosystem, spreading a worm-like payload across 170 npm packages and two PyPI packages in a single coordinated campaign. The vulnerability is tracked as CVE-2026-45321 with a CVSS score of 9.6. The TanStack compromise then reached the device of an Nx Console developer, whose access TeamPCP used to push a malicious build of Nx Console 18.95.0 to the Visual Studio Marketplace.

The trojanized extension was live for exactly 18 minutes, between 12:30 pm and 12:48 pm UTC on May 18, 2026. That window was enough. The extension ran silently on startup, executing a shell command disguised as a routine MCP setup task that downloaded a hidden package from a planted commit on the official Nx GitHub repository. The credential stealer it deployed targeted 1Password vaults, Anthropic Claude Code configurations, npm tokens, GitHub tokens, and AWS credentials on any developer machine that installed the extension during that window.
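For anyone triaging a developer fleet against the window described above, here is an added example (not code from the article, from Nx, or from GitHub) that does the two things a responder wants first: flag the trojanized Nx Console build in the output of `code --list-extensions --show-versions`, and list which of the credential stores the stealer targeted actually exist on a machine so that token rotation can be scoped. The Marketplace identifier `nrwl.angular-console`, the credential file paths, and the sample extension list are this example's assumptions and constructed input, not details from the incident reports.

```python
"""Added triage helper for the Nx Console 18.95.0 window (example code)."""
import os
import re
from pathlib import Path

# Marketplace identifier for Nx Console: an ASSUMPTION of this example.
# The article names the extension and version, not the publisher.name id.
NX_CONSOLE_ID = "nrwl.angular-console"
BAD_VERSION = "18.95.0"  # trojanized build named in the article

# Credential categories come from the article; the concrete paths are this
# example's assumptions about where each store usually lives, not facts
# from any incident report. "~" is expanded against the home dir given.
CREDENTIAL_STORES = {
    "npm token": ["~/.npmrc"],
    "GitHub token": ["~/.config/gh/hosts.yml", "~/.git-credentials"],
    "AWS credentials": ["~/.aws/credentials", "~/.aws/config"],
    "Claude Code config": ["~/.claude.json", "~/.claude/settings.json"],
    "1Password": ["~/.config/op"],
}

# `code --list-extensions --show-versions` prints one "publisher.name@version"
# per line; extension ids are case-insensitive.
EXT_LINE = re.compile(r"^(?P<id>[\w-]+\.[\w-]+)@(?P<version>\S+)$")

# Constructed sample output, not captured from a real machine.
SAMPLE_EXTENSION_LIST = """\
ms-python.python@2026.4.0
nrwl.angular-console@18.95.0
esbenp.prettier-vscode@11.0.0
"""


def parse_extension_list(text: str) -> dict[str, str]:
    """Parse `publisher.name@version` lines into {id: version}."""
    found: dict[str, str] = {}
    for line in text.splitlines():
        m = EXT_LINE.match(line.strip())
        if m:
            found[m["id"].lower()] = m["version"]
    return found


def affected_extensions(text: str) -> list[str]:
    """Return ids of installed extensions that match the trojanized build."""
    exts = parse_extension_list(text)
    return [e for e, v in exts.items() if e == NX_CONSOLE_ID and v == BAD_VERSION]


def exposed_credentials(home: str, exists=os.path.exists) -> dict[str, list[str]]:
    """Map each targeted credential category to the paths present under `home`.

    `exists` is injectable so the logic can be exercised against a constructed
    file set without touching the real filesystem.
    """
    result: dict[str, list[str]] = {}
    for category, paths in CREDENTIAL_STORES.items():
        expanded = [p.replace("~", home, 1) for p in paths]
        present = [p for p in expanded if exists(p)]
        if present:
            result[category] = present
    return result


if __name__ == "__main__":
    # Stand-alone run: check the sample list, then the real home directory.
    print("affected extensions (sample):", affected_extensions(SAMPLE_EXTENSION_LIST))
    for category, paths in exposed_credentials(str(Path.home())).items():
        print(f"rotate {category}: {', '.join(paths)}")
```

In practice, feed the real output with something like `code --list-extensions --show-versions > ext.txt` and pass that text to `affected_extensions`; any machine that reports a hit should have every credential category returned by `exposed_credentials` rotated, since the stealer was running with the developer's full user privileges.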

A GitHub employee installed the extension. TeamPCP used the harvested credentials to move through CI/CD pipelines and exfiltrate approximately 3,800 internal repositories. GitHub CISO Alexis Wales confirmed the company has "no evidence of impact to customer information stored outside of GitHub's internal repositories," though Wales acknowledged that some internal repos contain excerpts of customer support interactions and committed to notifying customers if any impact is discovered.

What was taken, and who is at risk

OpenAI confirmed two employee devices were compromised and that limited credential material was exfiltrated from a subset of its internal source code repositories. The company engaged a third-party digital forensics and incident response firm and will fully revoke its macOS app signing certificate on June 12, 2026. Mistral AI confirmed its npm and PyPI SDKs were trojanized as part of the same campaign, and TeamPCP has advertised Mistral AI code repositories for sale on a cybercrime forum.

The common factor among all victims is developer tooling. The attack never needed to breach a perimeter. It entered through packages and extensions that developers routinely install, then harvested the credentials those developers use to access everything else. OpenAI framed the implication directly: "This incident reflects a broader shift in the threat landscape — attackers are increasingly targeting shared software dependencies and development tooling rather than any single company."

The breach lands as Microsoft is simultaneously dealing with its own unpatched vulnerability.

Darryl Linington, 2026-05-21 (Update: 2026-05-21)