On May 20, 2026, GitHub confirmed1 that a poisoned VS Code extension compromised an employee endpoint and exfiltrated approximately 3,800 internal repositories. The threat actor, tracked as TeamPCP (UNC6780), listed the stolen data for sale above $50,0001. No customer data was confirmed as affected at disclosure. The incident is not an isolated extension compromise. It is one node in a 90-day supply-chain campaign that cascaded through Trivy, LiteLLM, TanStack, and Mistral AI before reaching GitHub itself.
The 11-minute window
The strongest candidate for the malicious extension is nrwl.angular-console (Nx Console) version 18.95.0, published to the VS Code Marketplace at 12
main.js and the extension was live for approximately 11 minutes before detection. GitHub has not formally confirmed the extension name; the Nx Console attribution comes from StepSecurity and Wiz Research analysis.
Nx Console claims roughly 2.2 million installations2. The payload fetched a multi-stage loader from a dangling orphan commit hidden inside the legitimate nrwl/nx repository, a technique that makes the malicious code invisible in normal commit history review. Once executed, it harvested GitHub tokens, npm credentials, AWS IAM keys, 1Password vault contents, and Anthropic Claude Code configurations, exfiltrating the data via HTTPS, GitHub API, and DNS tunneling. On macOS, Superframeworks reports3 it installed a Python backdoor using GitHub Search API as a dead-drop resolver.
What the Marketplace actually verifies
The VS Code Marketplace has roughly 60,000 publishers3. Of those, approximately 1,800 are verified3. Publisher verification is optional. Extension signing is optional. There is no mandatory code review before publication, and no sandbox isolating extension code from the developer’s environment.
The trust model is essentially decorative. A “verified” publisher badge confirms identity via domain ownership or similar lightweight checks. It does not attest to the contents of any specific extension version. Install counts and star ratings signal popularity, not safety. An extension can ship benign code for months, accumulate trust, then push a single malicious update that auto-installs for every user who hasn’t disabled updates.
Researchers have documented5 Marketplace flaws including extension impersonation, typosquatting, and auto-update abuse affecting over 100 organizations. Wiz Research previously found 100+ valid VS Code Marketplace PATs and 30+ OpenVSX access tokens2 leaked inside extension packages, covering an install base of roughly 85,000 users. A single leaked PAT grants push access to every extension that publisher owns. The credential hygiene problem and the publisher verification problem compound: steal one token, poison every extension under that account, auto-update delivers the payload.
The 90-day cascade
TeamPCP’s campaign followed a cascading compromise pattern3 over roughly 90 days:
| Date | Target | Notes |
|---|---|---|
| Before March 24, 2026 | Trivy | Container security scanner; date approximate6 |
| March 24, 2026 | LiteLLM | ~95M downloads/month6 |
| May 11, 2026 | TanStack | 84 malicious versions across 42 packages7 |
| May 2026 | Mistral AI | Date unconfirmed; details limited |
| May 18-20, 2026 | Nx Console / GitHub | ~3,800 internal repos exfiltrated |
TeamPCP hit all five targets within roughly 90 days3. Whether each compromise directly enabled the next is unclear from available reporting; TanStack’s postmortem states that no npm tokens were stolen in their incident7. What is clear is that developer tools are high-value targets precisely because they sit at the intersection of many downstream consumers, each of which is itself a potential stepping stone.
The pattern is structurally identical to the SolarWinds and XZ Utils compromises: trusted tooling, delayed payload, cascading blast radius. The difference is cadence. TeamPCP moved through five targets in under three months, compressing what previous campaigns took years to execute.
No sandbox, no permission boundary
VS Code extensions run with editor-level privileges. That means full filesystem access, full network access, and full process spawning. There is no permission model. An extension that provides syntax highlighting for a niche language has the same runtime privileges as one that manages your deployment pipeline.
Microsoft has longstanding open feature requests for an extension permission model3. None have been implemented. The extension host provides no mechanism to restrict what an extension can access at runtime. Security is entirely pre-publication: Microsoft can scan packages at upload time, but as the Nx Console incident shows, malicious code can be fetched dynamically from external infrastructure after installation.
The practical consequence is that every VS Code extension you install is a full-trust binary running in your development environment, with access to every credential your editor can see: Git tokens, cloud provider credentials, secret manager integrations, SSH keys. The Marketplace’s trust signals do not change this runtime reality.
What VS Code already offers that most teams ignore
VS Code version 1.96 and later supports enterprise extension management8 through the extensions.allowed setting, which can restrict installations by publisher, extension ID, version, and platform. GitHub Enterprise customers can host a private marketplace for self-vetted extensions. Neither control appears to have seen wide adoption before this breach.
These controls exist. They are documented. They are not enabled by default, and VS Code’s onboarding flow does not prompt teams to configure them. The default posture is permissive: any extension from any publisher can be installed and auto-updated without restriction. For a developer tool that routinely handles production credentials, this is a design choice worth questioning.
What to do now
The immediate mitigations are straightforward, operationally painful, and non-optional for any team whose developers touch production-adjacent systems:
- Inventory every installed extension. Audit across the organization, not just CI. Developer laptops are the target surface.
- Enable
extensions.allowedwith an explicit allowlist. Default-deny. Every extension not on the list is blocked. - Disable auto-update (
extensions.autoUpdate: false). Extensions should update only after a human has reviewed the changelog and, where feasible, the diff. - Rotate credentials that were accessible to VS Code during the exposure window. This includes GitHub tokens, npm tokens, AWS keys, and any secrets stored in 1Password or similar vaults that had integrations active in the editor.
- Review extension publisher trust. Verify that installed extensions are published by the actual project maintainers, not third-party accounts with similar names. Typosquatting and brand impersonation are documented attack vectors5.
The longer-term fix is a permission model for VS Code extensions. Until Microsoft ships one, the Marketplace trust model remains what it is: a publisher verification system that does not verify extension contents, running code with no runtime restrictions, auto-updating by default. The Nx Console breach did not exploit a novel vulnerability. It exploited the gap between what developers assume the Marketplace verifies and what it actually verifies.
Frequently Asked Questions
Does this risk extend to Cursor, Windsurf, and other VS Code-based editors?
Yes. Any editor built on VS Code’s extension host inherits the same Marketplace trust model and full-trust execution. The Superframeworks analysis specifically identifies Cursor setups as a likely next attack surface. Koi Security independently catalogued 1,283 confirmed malicious VS Code extensions with a combined 229 million installations—those are reachable from every VS Code-compatible editor, not just Microsoft’s.
How does the Marketplace’s publisher verification compare to npm or PyPI?
npm adopted provenance attestations and Sigstore-based signing in 2023, linking every published package to a specific source commit and CI build. PyPI added trusted publishers via OpenID Connect. The VS Code Marketplace has no equivalent: only ~3% of its ~60,000 publishers are verified, the check confirms domain ownership rather than build provenance, and there is no requirement to sign extension artifacts or attest to their build pipeline.
Can extensions.allowed stop a compromised legitimate publisher from pushing a malicious version?
Not by itself. The setting restricts which extensions can be installed, but unless you pin exact versions—most teams don’t—an already-allowed extension can still auto-update to a poisoned release. If a publisher’s PAT is stolen (Wiz found 100+ leaked PATs before this incident), the attacker pushes a malicious version of the trusted extension. Effective use requires coupling the allowlist with extensions.autoUpdate: false and pinning version hashes, which triples the operational overhead of every extension change.
Why did the dangling orphan commit evade GitHub’s own repository scanning?
Git orphan commits are reachable only by their SHA—they do not appear on any branch or tag, so standard tools like git log, git blame, and repository browsing never surface them. The Nx Console payload fetched its loader from an orphan commit inside the legitimate nrwl/nx repo, meaning the malicious code never existed in any file visible through normal code review. Standard repository scanners that index branch-tip commits would not detect it, effectively turning any public repo into undetectable command-and-control infrastructure.
What specific Microsoft issues track the extension permission model request?
The two longest-standing feature requests are GitHub issues #52116 and #187386, both requesting scoped permissions for VS Code extensions (e.g., network-only, filesystem-read-only, no process spawning). Neither has been implemented despite years of community discussion. Until one ships, every extension—regardless of how trivial its advertised functionality—retains editor-level privileges equivalent to a full-trust desktop application.
Footnotes
-
GitHub Hacked - Internal Source Code Repositories Compromised via Employee Device ↩ ↩2
-
GitHub Internal Repository Breach via Poisoned VS Code Extension ↩ ↩2 ↩3
-
3,800 GitHub Repos Stolen by One VS Code Extension ↩ ↩2 ↩3 ↩4 ↩5 ↩6
-
Security Flaws in Microsoft VSCode Marketplace Impact over 100 Organizations ↩ ↩2
-
TeamPCP Isn’t Done: Threat Actor Behind Trivy and KICS Compromises Now Hits LiteLLM ↩ ↩2