TeamPCP breach is bigger than reported. GitHub, OpenAI, Grafana, and Mistral AI all hit by the same 18-minute VS Code extension attack. - what do you reckon

Started by DodgyCoder, May 23, 2026, 06:52 PM


DodgyCoder

The full picture of the TeamPCP supply chain attack has now emerged and it is significantly worse than the initial GitHub disclosure suggested. The root cause is a poisoned build of Nx Console version 18.95.0, published to the Visual Studio Marketplace on May 18 for exactly 18 minutes between 12:30 and 12:48pm UTC. In those 18 minutes the malicious extension was installed on enough developer machines to compromise GitHub, OpenAI, Grafana Labs, and Mistral AI.

The attack chain: TeamPCP compromised TanStack's npm ecosystem on May 11, spreading a payload across 170 npm packages and two PyPI packages. That gave them access to an Nx developer's GitHub token, which they used to push a malicious orphan commit to the official nrwl/nx repository and publish the poisoned extension. The extension behaved identically to legitimate Nx Console but silently downloaded and executed a credential stealer disguised as an MCP setup task. Targets included 1Password vaults, Claude Code configurations, npm tokens, GitHub credentials, and AWS access keys.

OpenAI confirmed two employee devices compromised with credential material exfiltrated from internal source code. Mistral AI confirmed its npm and PyPI SDKs were trojaned. The extension has CVE-2026-48027 with a CVSS score of 9.6. Nx Console v18.100.0 and later are clean. If you are running anything between v18.95.0 and v18.99.x, rotate every credential you have.

VS Code supply chain attack hits GitHub, OpenAI, and Mistral AI
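One way to check machines against the version range given in the opening post, as an added example that is not part of the original thread or any vendor tooling. It assumes the Marketplace ID `nrwl.angular-console` for Nx Console (the thread does not state it) and reads either `code --list-extensions --show-versions` output or folder names from `~/.vscode/extensions`; the sample input is constructed.

```python
import re
import sys

# Assumption: Marketplace ID of Nx Console; the thread does not state it.
EXTENSION_ID = "nrwl.angular-console"
FIRST_AFFECTED = (18, 95, 0)   # from the post: v18.95.0
FIRST_CLEAN = (18, 100, 0)     # from the post: v18.100.0 and later are clean

# Matches "publisher.name@1.2.3" (CLI listing) and "publisher.name-1.2.3"
# (extension folder name, optionally followed by a platform suffix).
ENTRY_RE = re.compile(r"^\s*([\w-]+\.[\w-]+?)[@-](\d+)\.(\d+)\.(\d+)")

def parse_entries(text):
    """Return (extension_id, (major, minor, patch)) for every parsable line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            version = tuple(int(part) for part in m.group(2, 3, 4))
            entries.append((m.group(1).lower(), version))
    return entries

def affected(text, ext_id=EXTENSION_ID):
    """Versions of ext_id in [FIRST_AFFECTED, FIRST_CLEAN).

    Versions are compared as integer tuples: as plain strings,
    "18.100.0" sorts before "18.95.0" and a clean install would be flagged.
    """
    return [v for eid, v in parse_entries(text)
            if eid == ext_id.lower() and FIRST_AFFECTED <= v < FIRST_CLEAN]

# Constructed sample input, not taken from a real machine.
SAMPLE = """\
dbaeumer.vscode-eslint@3.0.10
nrwl.angular-console@18.95.0
nrwl.angular-console-18.99.3
nrwl.angular-console@18.100.0
nrwl.angular-console@18.94.2
"""

if __name__ == "__main__":
    # Usage: code --list-extensions --show-versions | python check_nx.py
    hits = affected(sys.stdin.read())
    for v in hits:
        print("affected Nx Console build found: %d.%d.%d" % v)
    sys.exit(1 if hits else 0)
```

Old builds can remain on disk after an update, so run it over the extension folder listing as well as the CLI output.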

QuantumDay

18 minutes on the marketplace and they hit GitHub, OpenAI, Grafana, and Mistral AI simultaneously. The trust in verified publisher badges is the attack surface and it is enormous
I'm not always right, but I'm never wrong ;)

Maxximus

The credential targets list is the most alarming part. 1Password vaults, Claude Code configs, AWS keys, npm tokens. They were not stealing code. They were stealing access to everything the developer touches

Danny_21

The MCP setup task disguise is the sophisticated detail. Developers see a routine-looking command and do not question it because it looks like something their toolchain does anyway

Candle

TeamPCP's seven confirmed attack waves since March 2026 is the pattern that should be getting more attention. Trivy in March, then five more tools, now this. They are systematically working through the security and developer toolchain
Have you tried turning it off and on again?

error.404

CVE-2026-48027 with CVSS 9.6 and it was on the official marketplace through the official publisher's account. The security controls on VS Code Marketplace are clearly not adequate for the threat model
// TODO: write better signature

GoldbergFan

OpenAI revoking its entire macOS app signing certificate on June 12 as a result is the nuclear response. When a breach response includes revoking a signing cert the scope is serious

Coder22

The Nx team's fix of requiring two admin approvals for future releases is the right response but it is closing the door after the horse has bolted for this incident
Normal is overrated

Tel86

Any organisation running Nx, TanStack, Grafana tooling, or Mistral AI SDKs should be treating their CI/CD credential stores as fully compromised right now regardless of whether they were directly affected

Grover26

The attack model requiring minutes not days is the sentence security teams need to internalise. Detection and response cycles designed for hour-long attack windows are structurally inadequate