Every developer has a list of extensions they install without thinking twice. A linter. An autocomplete. A code formatter. Tools that sit quietly in the background, trusted by default because they came from a known source, a familiar name, a high download count.
That trust is exactly what TeamPCP exploited.
In May 2026, one of the internet’s most consequential hacks unfolded not through a zero-day vulnerability or brute-force attack, but through something far more mundane: a poisoned VS Code extension installed on a GitHub employee’s device.
What followed was the exfiltration of roughly 3,800 internal GitHub repositories and a cascading supply chain attack that security researchers are already calling “Black May.“
What Happened
GitHub, the Microsoft-owned platform used by over 100 million developers worldwide, confirmed on May 20, 2026, that it had been breached. The attacker, a prolific cybercriminal group known as TeamPCP (also tracked under aliases DeadCatx3, PCPcat, ShellForce, and CipherForce), had compromised an employee’s device through a malicious VS Code extension, then used that foothold to access and exfiltrate internal source code repositories.
TeamPCP then advertised the stolen code for sale on a cybercrime forum, $50,000 for the haul, with a threat to leak it publicly for free if no buyer came forward. GitHub’s internal investigation confirmed the attacker’s claim of 3,800 repositories stolen was, in their words, “directionally consistent” with what they found.
GitHub stated that no customer data was compromised, critical credentials were rotated the same day the breach was detected, and the intrusion was contained. A fuller public report was promised once the investigation concluded.
“The developers weren’t hacked. Their tools were. That distinction changes everything about how we think about software security.”
How TeamPCP Actually Did It

Step One: The Poisoned Extension
The likely entry point, according to investigators at ThreatLocker and Phoenix Security, was Nx Console 18.95.0, a widely used VS Code extension for Angular and monorepo development with millions of installations. A malicious version of the extension was distributed through the VS Code Marketplace. Once installed, it quietly ran on the developer’s machine, harvesting credentials and tokens in the background.
The scale discrepancy in the investigation is telling: Microsoft’s Marketplace reported 28 installations of the compromised version, but Nx’s own telemetry showed approximately 6,000 VS Code extension activations. Security researchers from SlowMist noted that incident response should be planned around exposure at the thousands scale, not the 28 reported, a significant gap that raises questions about supply chain visibility.
Step Two: CI/CD Poisoning, The TanStack Method
The GitHub breach was the headline, but it was part of a wider campaign that began earlier. Starting around May 10–11, 2026, TeamPCP attacked TanStack, a popular open-source library used by thousands of JavaScript developers, using a sophisticated three-stage technique:
- Pwn Request: A forked repository submitted a pull request that triggered a CI workflow with elevated permissions, executing attacker-controlled code inside the secure base repository context.
- Actions Cache Poisoning: A malicious 1.1GB cache was written into a shared pnpm store cache key used by the release pipeline, surviving across workflow runs.
- OIDC Token Extraction: With the release workflow holding id-token: write permissions, short-lived OIDC tokens were extracted from runner memory, effectively handing the attacker temporary cloud credentials without touching any stored secrets.
This three-chain attack required no single large vulnerability. It stitched together three small permission gaps into a complete takeover. That’s the sophistication that makes TeamPCP dangerous.
Step Three: The Wider Blast Radius
TanStack was not the only target. TeamPCP’s campaign, internally dubbed Mini Shai-Hulud after the open-sourced Shai-Hulud attack framework the group released, hit multiple supply chain targets within approximately one week:
- Trivy: The popular open-source security scanner had its GitHub Actions workflow compromised.
- LiteLLM: A widely-used AI package was hit, with downstream exposure to AI-dependent applications.
- AntV (npm): Over 314 npm packages in the AntV ecosystem were compromised, according to SafeDep’s analysis.
- European Commission: The EU’s own developer infrastructure was identified as a downstream victim.
- 5,500+ GitHub repositories: Security researchers at SecurityWeek tracked over 5,500 repositories infected in what was dubbed the Megalodon supply chain attack wave.
“TeamPCP didn’t break one lock. They found a master key hidden in the tools developers trust most and used it on every door they could find.”
What This Means If You’re a Developer Right Now
The immediate threat is practical. If you’ve used any of the affected packages or extensions in the past month, there are concrete steps worth taking now:
- Audit your VS Code extensions: Remove any extension you don’t actively recognize. Check install dates and publisher verification badges.
- Rotate API keys and credentials: Particularly any tokens used in CI/CD pipelines or automated deployment workflows.
- Review GitHub Actions permissions: Workflows using id-token, write or pull_request_target with broad access should be audited for cache scope and permission creep.
- Check your npm dependency tree: Verify no AntV or related packages were pulled in as transitive dependencies during the affected window.
- Monitor for unusual CI behavior: Large unexpected cache writes or new network connections from runners are early signals of poisoning.
The Developer Toolchain Is Now a Primary Attack Surface

This is the uncomfortable truth that Black May has forced into the open: the modern software supply chain has a trust problem it hasn’t fully reckoned with.
For years, security thinking focused on perimeters like firewalls, network segmentation, and endpoint protection. Then it evolved to focus on code, vulnerability scanning, SAST tools, and dependency auditing. But TeamPCP’s campaign illustrates a third surface that has barely been secured at all: the developer’s own environment.
The IDE. The extension marketplace. The CI runner. The shared cache.
Extensions on the VS Code marketplace are installed over a billion times annually. Most receive no independent security audit before reaching developer machines. The marketplace has verification badges, but they confirm identity, not behaviour. A legitimate publisher account can be compromised, and a trusted extension can become a Trojan overnight.
GitHub’s breach happened not because its perimeter failed, not because its code was vulnerable, but because a trusted tool on a trusted device inside a trusted network was poisoned. That’s a fundamentally different problem than the security industry has been solving for.
“When the weapon is the tool you can’t work without, the traditional idea of a security perimeter stops making sense.”
Key Takeaways
- Breach confirmed: GitHub officially confirmed on May 20, 2026, that TeamPCP exfiltrated approximately 3,800 internal repositories. No customer data was affected.
- Attack vector: A malicious VS Code extension (likely a compromised version of Nx Console 18.95.0) installed on a GitHub employee’s device was the entry point.
- Who is TeamPCP: A prolific cybercriminal group (aliases: DeadCatx3, PCPcat, ShellForce, CipherForce) running a cascading supply chain campaign since at least March 2026.
- Mini Shai-Hulud: The name for TeamPCP’s attack framework, built on the open-sourced Shai-Hulud codebase, targeting developer toolchains and CI/CD pipelines.
- Wider targets: TanStack, Trivy, LiteLLM, AntV npm ecosystem (314+ packages), the European Commission, and 5,500+ GitHub repositories were all part of the same campaign.
- Extortion attempt: TeamPCP advertised stolen GitHub source code for $50,000 on a cybercrime forum, threatening to release it free if no buyer appeared.
- Core vulnerability: Not a zero-day — a combination of CI permission misconfigurations, shared cache scope, and supply chain trust in developer tooling.
The Attack That Changes How We Think About Trust
There’s a particular kind of unease that comes from this story, not the panic of a data breach, but something more structural. GitHub wasn’t careless. The developers affected weren’t naive. They used standard tools, standard workflows, and standard trust assumptions.
And that was precisely the vulnerability.
TeamPCP didn’t need to be smarter than GitHub’s security team. They just needed to operate one level below where security teams were looking, inside the toolchain, inside the extension, inside the CI cache that no one thought to audit.
The question Black May leaves hanging isn’t “how do we stop the next TeamPCP?”
It’s something harder: how many more trusted tools are already waiting?
