Poisoned Pipeline

Eighteen minutes. That's how long it took to breach GitHub.
Not eighteen minutes to plan it. Not eighteen minutes to find a flaw in GitHub's code, defeat their authentication, or outwit their security team.
Eighteen minutes was the window between a malicious extension going live on the VS Code Marketplace and the community pulling it, time enough for auto-update to do what it was designed to do, on a tool 2.2 million developers had installed and stopped thinking about.
One developer at GitHub had Nx Console running. Nothing unusual about that. Verified publisher with 2.2 million installs. The kind of tool you add once and forget.
What they didn't know, what they had no way to know, is that on May 11, TeamPCP had already moved through the supply chain upstream, harvested the right credentials, and was waiting for exactly this moment.
The Stack Nobody Checked named this surface on April 30. Paranoid By Default documented the threat model on May 18, the same morning the extension went live.
Neither piece changed what happened next.
If the ecosystem had the warning and the attacker had the methodology, what exactly did the warning change?

This is not a GitHub story. GitHub is where it got loud.
It started on May 11, when TeamPCP detonated inside TanStack's npm ecosystem, 84 malicious versions across 42 packages, a self-replicating payload with a CVSS score of 9.6 and a dead-man's switch built in.
Among the developers whose machines were swept in that harvest: One engineer at Nx, the company behind Nx Console. Their GitHub credentials leaked through the CLI. Quietly, completely, with no alert, no notification, and no moment where anything felt wrong.
Those credentials carried two things that mattered. Push access to the official nrwl/nx repository. And the VS Code Marketplace publishing token, the key that lets you ship updates to every machine running your extension, automatically, without review.
TeamPCP waited seven days.
On May 18 at 3:18 UTC, an orphan commit appeared on the official Nx repository. Not on a branch. Not anywhere a routine audit would surface it. A dangling reference, invisible in normal history views, containing a 498 KB obfuscated payload hidden inside a file with a name that looked like it belonged there.
Then, at 12:36 UTC, Nx Console 18.95.0 went live on the VS Code Marketplace. The Nx maintainer received the upload notification email six minutes later. The community caught it at 12:47 and pulled it.
11 minutes of exposure on the marketplace. Thirty-six more on OpenVSX before that copy came down too.
Inside that window, the extension executed the moment any developer opened any workspace. A command, disguised as a routine MCP setup task, the kind that wouldn't raise an eyebrow, reached back to the orphan commit and pulled down the payload.
Six credential collectors fired in parallel: 1Password vaults, AWS access keys, npm tokens, GitHub tokens, Kubernetes secrets, and Anthropic Claude Code configurations.
On macOS, it went further, dropping a persistent Python backdoor as a LaunchAgent that checked in hourly for new commands via GitHub-based dead drops.
A GitHub employee device had the extension running. 28 installs by Microsoft's official count, a figure Nx's own analytics put closer to 6,000.
Here is what makes that number genuinely terrifying: Nothing in this chain was broken. The TanStack pipeline was legitimate. The Nx developer's credentials were real. The Nx release infrastructure ran exactly as designed. The extension carried a verified publisher badge.
The payload arrived with valid cryptographic provenance: stolen npm OIDC tokens meant the attacker could have signed downstream packages with fully valid Sigstore attestations, making malicious builds indistinguishable from clean ones.
The verification systems didn't fail. They were used.
If every security signal in the pipeline said clean, and the pipeline was already compromised, what exactly were those signals measuring?
The Weapon
Auto-update didn't fail here.
It worked perfectly. That's the problem.
The design logic is sound and always has been: Developers don't manually update their tools, so ship updates automatically and keep the ecosystem current and patched.
Every marketplace runs on this assumption. VS Code, Cursor, the whole stack.
Nobody questioned it because, for a long time, the worst-case scenario was a buggy release - something you'd notice, something you'd roll back.
The possibility that a publisher's credentials could be stolen upstream, that the update itself could be the payload, wasn't part of the threat model the architecture was built for.
When the publisher is compromised, auto-update stops being a maintenance feature.
It becomes a guaranteed delivery channel, no review gate between publish and execution, no waiting period, no user confirmation, no sandbox.
The check fires on startup, on any marketplace interaction, and again on a 12-hour background timer, so the user never sees the trigger and never opts into it.
Raphael Silva at Aikido Security put it plainly: The trade-off stops making sense once you account for hostile publishers. An attacker who controls a release has a direct push channel into every machine running that extension. The moment they publish, the machines pull.
That's not a vulnerability. It's the feature, inverted.
As far back as October 2025, Wiz Research had identified over 100 valid VS Code Marketplace publishing tokens leaked inside extension packages, each one a master key waiting to be picked up.
Nobody scanning those packages for malware would flag a token. It's not malware.
It's a credential. The distinction matters less than it used to.
The "verified publisher" badge on Nx Console told users something real: Domain ownership confirmed, six months in good standing, no prior incidents.
What it didn't tell them, what it was never designed to tell them, is whether the publisher's credentials had been stolen. Whether the update that fired on startup when they opened their project this morning was the same codebase they installed three months ago. Whether the tool doing the building had itself been built by someone else.
Users never see a changelog. Never approve the update. Have no way to inspect what changed before it executes.
The malicious version was caught in approximately 11 minutes, by a StepSecurity researcher monitoring the marketplace, not by Microsoft, not by the marketplace infrastructure.
Eleven minutes was faster than the detection infrastructure could react. Even the official download count was still enough.
When the community is the last line of defense, and the community moves faster than the platform, what does that say about every extension you installed before anyone was watching?
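An added example, not code from the article or from Nx: a POSIX shell check that compares what a machine actually has installed (the "publisher.name@version" lines that `code --list-extensions --show-versions` prints) against a pinned allowlist, so a silent bump from one version to the next shows up as drift instead of going unnoticed. The pinned versions are constructed sample values, and the Nx Console id "nrwl.angular-console" is an assumption to verify against your own install.

```shell
#!/bin/sh
# Added example (not Nx's or the article's code): audit installed VS Code
# extensions against a pinned allowlist. Input lines have the shape
# "publisher.name@version", the format printed by
#   code --list-extensions --show-versions
# Ids and versions below are constructed sample values; the Nx Console id
# "nrwl.angular-console" is assumed, check it against your own machine.

# Pinned allowlist: what an approved machine is allowed to run.
PINNED='nrwl.angular-console@18.94.0
ms-python.python@2024.4.1'

# audit_extensions INSTALLED PINNED
# Prints one finding per line:
#   DRIFT <id> installed=<v> pinned=<v>   version differs from the pin
#   UNPINNED <id>@<v>                     extension not in the allowlist
# Returns 0 when everything matches, 1 when any finding was printed.
audit_extensions() {
  installed=$1
  pinned=$2
  status=0
  # Ids contain no whitespace, so default word splitting yields one entry each.
  for entry in $installed; do
    id=${entry%@*}
    ver=${entry##*@}
    # Exact match on the part before '@'; avoids prefix collisions
    # (e.g. "foo.bar" vs "foo.bar-extra") that a plain grep would allow.
    want=$(printf '%s\n' "$pinned" | awk -F'@' -v id="$id" '$1 == id { print $2 }')
    if [ -z "$want" ]; then
      printf 'UNPINNED %s@%s\n' "$id" "$ver"
      status=1
    elif [ "$want" != "$ver" ]; then
      printf 'DRIFT %s installed=%s pinned=%s\n' "$id" "$ver" "$want"
      status=1
    fi
  done
  return "$status"
}

# Constructed sample of what a machine might have reported during the window:
# the pinned extension has moved one version and an unlisted one is present.
SAMPLE='nrwl.angular-console@18.95.0
ms-python.python@2024.4.1
unknown.publisher-tool@1.0.0'
if audit_extensions "$SAMPLE" "$PINNED"; then
  echo 'all extensions match the pin'
fi

# Live usage on a developer machine (pair it with "extensions.autoUpdate": false
# in settings.json so the pin is enforced, not just observed):
#   audit_extensions "$(code --list-extensions --show-versions)" "$PINNED"
```

The script only observes; it is the settings change that stops the 12-hour background check from pulling the next publish on its own.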
The Record
This is not a story about prediction. Prediction implies luck.
The Stack Nobody Checked, published April 30th, named the VS Code extension ecosystem specifically: an unaudited attack surface sitting between developer tooling and everything connected to it, operating with no visibility, no logging standard, no governance model that matched the access being granted.
It named the gap between what organizations were connecting and what they were checking. Eighteen days before the breach, the structural argument was already in print.
Paranoid By Default, published May 18th, the same morning Nx Console 18.95.0 went live on the marketplace.
Not the day before. Not the week before. The same day, within hours of each other.
Neither piece is the story. The story is what sits between them: 18 days in which the industry had a named surface, a documented risk, and a clear argument for why the architecture of trust in developer tooling had outrun any corresponding architecture of verification, and changed nothing.
Jeff Cross, CEO of Nx, said it plainly in the aftermath: "A lot of the assumptions the ecosystem has operated under for years no longer hold."
That is a careful, measured statement from someone whose pipeline was used to deliver the weapon. What it describes, without naming it, is an ecosystem that built velocity into every layer and auditing into none.
The warnings predate the breach by more than eighteen days.
The Stack Nobody Checked was built on source material that had been circulating for months, researchers naming the surface, documenting the exposure, publishing the risk.
The April 30 timestamp is not a credential.
It is evidence of a pattern: By the time a warning reaches print, the attack surface it describes has already been documented, circulated, and ignored.
TeamPCP exploited an eleven-minute window. The industry had been warned for months.
When the gap between the warning and the action is measured in months, and the gap between the attack and the damage is measured in minutes, which gap is the industry actually trying to close?
The Ladder
GitHub is not where it ends. It is not even where it paused.
TeamPCP is not an incident. It is a business.
Each compromise produces credentials. Each set of credentials funds the next target. Each new target sits higher on the trust chain than the one before - more widely used, more deeply integrated, more catastrophic to lose.
The GitHub breach is not a peak. It is a rung, and the climbing continued the same day the breach went public.
The ladder has been climbing since September 2025.
In March, when Aqua Security’s Trivy vulnerability scanner was compromised, every CI/CD pipeline running Trivy briefly became a credential-harvesting engine for the duration of the compromise.
LiteLLM on PyPI the same month pushed a compromised version to tens of thousands of devices, effectively turning them into credential-stealing endpoints.
In April, the Bitwarden CLI NPM package was compromised to steal developer credentials directly from developer machines.
In May, TanStack followed the same pattern, with a supply-chain attack compromising a widely used library to exfiltrate secrets.
Each time, the same mechanics: Find a trusted tool, compromise a human inside its pipeline, use their credentials to poison the output, and wait for the downstream machines to pull.
Mandiant counts more than 1,000 SaaS environments compromised from TeamPCP credentials across this campaign alone.
Most of those organizations never touched TanStack. They ran something that ran something that did.
On May 19, TeamPCP detonated inside Alibaba's AntV data visualization ecosystem.
637 malicious versions across 323 packages, published in a 22-minute automated burst. The packages collectively represent approximately 16 million weekly downloads.
That same day, three backdoored versions of durabletask - Microsoft's official Azure Python SDK - were pushed to PyPI within a 35-minute window, silently harvesting AWS, Azure, GCP, and Kubernetes credentials from every environment that pulled them.
Three days later, an attacker with push access to the Laravel-Lang organization rewrote 700+ git tags across four Composer packages, injecting an RCE backdoor that fires on every PHP application boot. No CVE assigned. Version pinning offered zero protection.
TeamPCP posted their retirement notice on May 19.
The attack log from the same 24 hours tells a different story.
Then the methodology escaped the original actor entirely.
On May 12, TeamPCP published the full Shai-Hulud offensive framework to GitHub under an MIT license, which allows just about any re-use of code.
They included deployment instructions and a README reading "Open Sourcing The Carnage. Change keys and C2 as needed. Love - TeamPCP," with every commit timestamped January 1, 2099 as a taunt at forensic timelines.
GitHub pulled the repo. The forks were already live.
Within days, OX Security documented the first confirmed copycat.
A BreachForums post launched a $1,000 Monero contest for anyone who wanted to run their own variant.
The proof arrived on May 18, the same morning Nx Console 18.95.0 went live, when a campaign called Megalodon pushed 5,718 malicious commits to 5,561 distinct GitHub repositories inside a six-hour window.
A campaign running on the same fuel: Infostealer-harvested developer credentials, automated commit injection, GitHub Actions workflows designed to exfiltrate cloud secrets from every subsequent pipeline run.
Hudson Rock confirmed that more than a third of the affected accounts were direct matches to computers already compromised by infostealers.
The credential pipeline TeamPCP spent nine months building had become infrastructure anyone could use.
Zero CVEs exist across the entire nine-week campaign. Traditional scanners have no record of any of it.
Every organization that checked their vulnerability feed and called it clean was looking at a dashboard that had nothing to say about any of this.
When the attacker's exit strategy is to open-source their weapon on the way out — who exactly inherits the campaign?
The Math
One employee device impacted 3,800 repositories.
Sit with that ratio for a moment. Not a sophisticated phishing campaign targeting hundreds of developers across multiple organizations.
One poisoned extension, auto-updated silently to every developer who opened their editor during the window.
28 downloads by Microsoft's count, a figure Nx's own analytics put closer to 6,000, and the yield was the internal codebase of the platform that hosts 180 million developers, 4 million organizations, and 90% of the Fortune 100.
What those 3,800 repositories contained is not a list of abstractions: GitHub Actions internals, Copilot source code, CodeQL tools, Codespaces infrastructure, Dependabot, a repository explicitly labelled Red Team, security hardening research, and Enterprise Server release infrastructure.
The Rails controllers governing how every pull request and every organization on the platform actually functions.
The joint asking price: $95,000.
TeamPCP's own forum post read like someone wrapping up a career: Not a ransom, one buyer, data shredded on sale, "our retirement is soon."
The campaign kept running for days.
GitHub is one victim inside a much larger campaign.
AntV adds 16 million weekly downloads to the exposure surface.
Durabletask adds 417,000 monthly downloads and the credential surface of every Azure workflow that pulled it.
Megalodon adds 5,561 repositories backdoored in six hours, running on infostealer-harvested developer credentials.
OpenAI's compromised repositories exposed code-signing certificates for its macOS products, mandatory update deadline June 12, or your ChatGPT stops launching.
Grafana Labs rotated nearly every token after TanStack, missed one, and had their codebase exfiltrated anyway.
One token. One gap in a rotation process executed under pressure. That's the margin the operating environment now allows.
GitHub sits at the structural center of how software gets built.
Not metaphorically, literally.
The source code behind the tools those 180 million developers use to write, review, deploy, and secure their code was among what was just exfiltrated.
GitHub Actions, Copilot, CodeQL, and the security tooling used to find vulnerabilities in other people's code.
All of it now in the hands of a group that has already demonstrated exactly what it does with trusted infrastructure.
Run the math in the other direction. TeamPCP needed one compromised developer, one publishing token, eleven minutes of exposure, and seven days of patience after TanStack.
Against that: Eight months of campaign escalation, 2.2 million extension installs, and the entire weight of GitHub's internal security posture.
6k installs was the surface area. 3,800 repositories was the consequence.
The campaign that produced both is still running.
At what point does the industry stop doing the math on individual breaches and start doing it on the ecosystem?

Nobody is taking this seriously enough because taking it seriously would require admitting how much of the foundation is already exposed.
Pinning extension versions, scoping CI/CD credentials, auditing dependency graphs, restricting publishing tokens, none of these are unsolved problems.
They were all possible before May 11, before the TanStack compromise handed TeamPCP the credentials that started this cascade.
They were all possible months before April 30, when researchers had already named the surface.
The reason they weren't in place isn't ignorance of the risk. It's that velocity is measured, rewarded, and reported, and the exposure it creates is invisible until it isn't.
Every organization that connected another tool, shipped another integration, and wired another pipeline without checking what it touched first made the same calculation: The breach is hypothetical, the productivity is real.
Then consider what happened the same week GitHub disclosed the breach.
A contractor at Nightwing, a Dulles, Virginia government services firm holding federal contracts for national security and cybersecurity support, had been using a public GitHub repository as a file synchronization tool since November 2025.
The repository was called "Private-CISA."
It contained 844 MB of plaintext credentials: AWS GovCloud admin keys, a CSV file of usernames and passwords for dozens of internal CISA systems, SSH keys, GitHub Actions workflows, Kubernetes configuration files, and a file named "importantAWStokens."
The contractor had deliberately disabled GitHub's built-in secret-scanning protection, the feature that would have flagged the exposure automatically.
GitGuardian's automated scanner found it on May 14.
The repository came down within 26 hours of public escalation.
The exposed AWS keys remained valid for another 48 hours after it disappeared.
This is not a TeamPCP story. Nobody attacked CISA.
A contractor used a public repository as a file sync tool, disabled the safeguard that would have caught it, and left the administrative keys to US federal cyber infrastructure on the open internet for six months, while the agency they worked for was publishing the remediation guidance the rest of the ecosystem was supposed to follow.
The pipeline wasn't poisoned in eighteen minutes. It was poisoned over years, one trusted connection at a time, by an industry that optimized for how fast it could build and never once asked what it was building on.
TeamPCP understood that.
The contractor at Nightwing demonstrated it differently, but the gap is the same.
The credential was trusted, the surface was unaudited, and nobody looked until someone outside the organization did. That someone was a security researcher with an automated scanner - not a regulator, not an auditor, not the agency itself.
When the agency that writes the guidance can't follow it, what exactly is the guidance certifying?