Poisoned VS Code Extension Exposes GitHub, OpenAI, and Mistral AI in Major Supply Chain Attack
A malicious Visual Studio Code extension tied to the TanStack supply chain attack has reportedly compromised GitHub, OpenAI, and Mistral AI, exposing thousands of internal repositories along with sensitive developer credentials.
GitHub has confirmed that around 3,800 internal repositories were affected after attackers pushed a poisoned version of the Nx Console VS Code extension. The incident has been linked to the same broader campaign that targeted the TanStack npm ecosystem, with developer tools and software dependencies becoming the main entry point for the attackers.
The campaign, attributed to the threat group TeamPCP and referred to as Mini Shai-Hulud, highlights a growing cybersecurity concern: attackers are no longer focusing only on breaking directly into major companies. Instead, they are targeting the tools, packages, extensions, and dependencies that developers rely on every day.
The attack began on May 11, 2026, when the group compromised TanStack’s router ecosystem. The malicious payload spread across 170 npm packages and two PyPI packages in what appears to have been a coordinated software supply chain attack. The vulnerability, tracked as CVE-2026-45321, carries a severe CVSS score of 9.6.
From there, the compromise reached a developer device associated with Nx Console. Attackers then used that access to publish a malicious build of Nx Console version 18.95.0 to the Visual Studio Marketplace.
The poisoned extension was available for just 18 minutes, from 12:30 pm to 12:48 pm UTC on May 18, 2026. But that short window was enough to cause significant damage.
Once installed, the compromised extension ran quietly when VS Code started. It executed a shell command disguised as a normal setup task and downloaded a hidden package from a planted commit inside the official Nx GitHub repository. That package then deployed credential-stealing malware designed to search developer machines for valuable access tokens and secrets.
The malware reportedly targeted 1Password vaults, Anthropic Claude code configurations, npm tokens, GitHub tokens, and AWS credentials. Any developer who installed the malicious extension during that brief window may have had sensitive credentials exposed.
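A check a defender could run against developer machines, given the details above. This is an added example, not code from the article or the Nx project: it reads each installed extension's `package.json`, flags Nx Console 18.95.0, and lists extensions that activate when VS Code starts. Matching on the manifest's `displayName`/`name` is an assumption, and the sample manifests are constructed.

```python
import json
import tempfile
from pathlib import Path
BAD_VERSION = "18.95.0"  # poisoned Nx Console build named in the article
NAME_HINTS = ("nx console", "nx-console")  # assumption: how the manifest names it
STARTUP_EVENTS = {"*", "onStartupFinished"}  # activation events that fire at launch

def audit_extensions(ext_root):
    """Return {folder: status} for every extension manifest under ext_root."""
    findings = {}
    for manifest in sorted(Path(ext_root).glob("*/package.json")):
        folder = manifest.parent.name
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            if not isinstance(meta, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            findings[folder] = "unreadable"  # surface it; never skip silently
            continue
        label = f"{meta.get('displayName', '')} {meta.get('name', '')}".lower()
        events = meta.get("activationEvents")
        events = events if isinstance(events, list) else []
        if any(h in label for h in NAME_HINTS) and meta.get("version") == BAD_VERSION:
            findings[folder] = "known-bad"
        elif any(e in STARTUP_EVENTS for e in events if isinstance(e, str)):
            findings[folder] = "runs-at-startup"
        else:
            findings[folder] = "ok"
    return findings

def demo():
    """Audit constructed manifests (sample data, not real extension metadata)."""
    startup = ["onStartupFinished"]
    samples = {
        "example.nx-console-18.95.0": {"displayName": "Nx Console", "version": "18.95.0", "activationEvents": startup},
        "example.nx-console-1.2.3": {"displayName": "Nx Console", "version": "1.2.3", "activationEvents": startup},
        "example.theme-1.0.0": {"name": "theme", "version": "1.0.0"},
    }
    with tempfile.TemporaryDirectory() as root:
        for folder, meta in samples.items():
            (Path(root) / folder).mkdir()
            (Path(root) / folder / "package.json").write_text(json.dumps(meta))
        (Path(root) / "example.broken-0.1.0").mkdir()
        (Path(root) / "example.broken-0.1.0" / "package.json").write_text("{not json")
        return audit_extensions(root)

if __name__ == "__main__":
    for folder, status in demo().items():
        print(f"{status:16} {folder}")
```

On a real machine, point `audit_extensions` at the VS Code extensions directory (by default `~/.vscode/extensions`). A `runs-at-startup` result is an inventory item to review rather than a finding, since many legitimate extensions activate at launch.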
A GitHub employee was among those who installed the poisoned extension. Using the stolen credentials, the attackers were able to move through CI/CD environments and exfiltrate roughly 3,800 internal GitHub repositories.
GitHub’s security leadership stated that there is currently no evidence customer information stored outside internal repositories was affected. However, the company acknowledged that some internal repositories may contain excerpts from customer support interactions. GitHub said affected customers will be notified if any direct impact is discovered.
OpenAI also confirmed that two employee devices were compromised in the same campaign. According to the company, a limited amount of credential material was taken from a subset of internal source code repositories. OpenAI has brought in an external digital forensics and incident response team and is revoking its macOS app signing certificate in full on June 12, 2026, as part of its remediation efforts.
Mistral AI confirmed that its npm and PyPI SDKs were also trojanized during the campaign. Attackers later claimed to be offering Mistral AI code repositories for sale on a cybercrime forum, further underscoring the seriousness of the breach.
The most important detail across all three cases is the attack vector. This was not a traditional breach where hackers forced their way through a corporate firewall. Instead, the attackers compromised trusted development tools and dependencies, then used those tools to harvest the credentials developers use to access critical systems.
That makes this incident especially concerning for software teams, open-source maintainers, and companies that depend heavily on modern development pipelines. Developers routinely install extensions, packages, SDKs, and command-line tools to speed up their work. If any of those tools become compromised, attackers can gain a powerful foothold without triggering the same alarms as a conventional intrusion attempt.
The attack shows why software supply chain security has become one of the most urgent issues in cybersecurity. Package registries, browser extensions, IDE plugins, build systems, and CI/CD pipelines are now high-value targets. Once attackers compromise a trusted component, they can potentially reach many organizations at once.
For companies, the lesson is clear: developer environments need the same level of protection as production systems. That means stricter extension controls, dependency verification, token rotation, secret scanning, endpoint monitoring, and tighter access policies for internal repositories.
For developers, the incident is another reminder to treat extensions and packages with caution, even when they appear to come from trusted ecosystems. Short-lived malicious releases can still cause long-term damage if they capture credentials, signing keys, or cloud access tokens.
The GitHub, OpenAI, and Mistral AI breach demonstrates how quickly a supply chain attack can spread through the software world. In this case, just 18 minutes was enough to compromise developer machines, expose internal code, and force major AI and technology companies into emergency response mode.






