Trending · May 21, 2026 · 6 min read · By Ayush Chaturvedi, Independent Entrepreneur

3,800 GitHub Repos Stolen by One VS Code Extension. Your Cursor Setup Is the Next Attack Surface.

On May 20, 2026, GitHub confirmed TeamPCP exfiltrated ~3,800 internal repos via a poisoned Nx Console extension. The malware targeted Claude Code configs. Here’s the 10-step audit every indie hacker should run this week.

Key Takeaways

  • On May 20, 2026, GitHub confirmed TeamPCP (tracked as UNC6780) exfiltrated ~3,800 internal repos after a single employee installed a trojanized Nx Console v18.95.0 — a VS Code extension with 2.2M+ installs. The malicious build was live on the Marketplace for ~11 minutes.
  • The payload specifically harvested Anthropic Claude Code configurations, GitHub tokens, npm credentials, AWS keys, and 1Password vault contents — a credential stealer designed for the vibe coding era. Same group hit LiteLLM, TanStack, Trivy, Mistral, and Cisco in the past 90 days.
  • Cursor and Windsurf use OpenVSX (not Microsoft’s marketplace) which has weaker review. Of ~60,000 VS Code publishers, only ~1,800 are verified. The average indie hacker has 20–40 extensions installed across multiple editors and has audited zero of them.
  • The fix isn’t enterprise AppSec — it’s a 10-step audit: run `code --list-extensions`, scan with Koidex or vsix-audit, disable auto-updates on AI assistants and formatters, move secrets out of `.env` files, and rotate every token in your stack today.

On May 20, 2026, GitHub confirmed that ~3,800 internal repos walked out the front door after a single employee auto-updated one VS Code extension. The extension was Nx Console v18.95.0 — a marketplace listing with 2.2 million installs, owned by a verified publisher, malicious for about eleven minutes. The malware harvested GitHub tokens, AWS keys, 1Password vaults, and — the line every indie hacker needs to underline — Anthropic Claude Code configurations. This was an attack designed for the vibe coding era. You are the target now.

  • 3,800: GitHub repos exfiltrated
  • ~11 min: Malicious build was live
  • 2.2M+: Nx Console installs
  • $95K: Asking price on Breached

What Actually Happened

The attack vector was a trojanized release of Nx Console (publisher nrwl.angular-console), a popular VS Code extension for the Nx monorepo toolchain. Attackers used stolen publisher credentials to push v18.95.0 to the official VS Code Marketplace. The extension was multi-stage: on first workspace open, it fetched a 498 KB obfuscated payload from a dangling orphan commit hidden inside the legitimate nrwl/nx GitHub repo.

Once active, the malware harvested GitHub tokens, npm credentials, AWS IAM keys, 1Password vault contents, and Anthropic Claude Code configurations, then exfiltrated via HTTPS, the GitHub API, and DNS tunneling. On macOS it installed a Python backdoor that used the GitHub Search API as a dead-drop resolver. One developer at GitHub auto-updated, the payload ran, and a few hours later TeamPCP was listing ~4,000 internal repos for sale.

Timeline

  • May 18, 03:18 UTC: Attacker pushes an orphan commit to the official nrwl/nx repo, staging a 498 KB obfuscated payload.
  • May 18, 12:36 UTC: Malicious Nx Console v18.95.0 is published using stolen publisher credentials.
  • May 18, 12:47 UTC: Nx team detects and pulls the build — live on the Marketplace for ~11 minutes. Damage already done.
  • May 19: GitHub detects compromise on an employee endpoint that auto-updated the extension.
  • May 20: GitHub publicly confirms breach. TeamPCP lists ~4,000 repos on Breached forum at $50K min; LAPSUS$ joins the sale at $95K.

Sources: BleepingComputer, The Register, The Hacker News, StepSecurity (May 20, 2026).

Why Indie Hackers Are the Real Target

Most coverage frames this as a GitHub story. It is not. GitHub has an incident response team, an isolated employee endpoint, and a corporate EDR stack. They contained it in 24 hours. You don’t have any of that.

The indie hacker stack is uniquely exposed. The average vibe coder is running VS Code + Cursor + Windsurf in parallel, with 20–40 extensions installed across them and approximately zero hours spent auditing any of them. Cursor and Windsurf use the OpenVSX registry, not Microsoft’s marketplace, and OpenVSX has weaker review. Of ~60,000 VS Code marketplace publishers, only ~1,800 are verified. And VS Code extensions run with the same permissions as the editor itself — full filesystem, full network, full process spawning. There is no Android-style permission model. There is no sandbox.

Now consider what’s actually on a solo founder’s laptop: a GitHub PAT (your source code), an Anthropic API key (your AI bill), an OpenAI key (also your bill), an AWS access key (your infrastructure), a Stripe restricted key (your money), a Supabase service role key (your customer data), an npm publish token (your distribution). One compromised extension is a full-stack compromise. That’s exactly what the Nx payload was designed to extract — and the fact that it specifically targeted Claude Code configurations tells you who the threat actor thinks the next batch of victims will be.

This Wasn’t a One-Off — It’s a 90-Day Campaign

TeamPCP — tracked by Google Threat Intelligence Group as UNC6780 — is financially motivated and runs cascading supply-chain attacks. They compromise one package, steal credentials, pivot to the next package, repeat. Their main weapon is the Mini Shai-Hulud worm propagating through npm and PyPI. The Nx Console hit was not an isolated incident:

| Target | Date | Impact |
| --- | --- | --- |
| Trivy | March 2026 | Aqua’s vulnerability scanner backdoored — used as pivot into LiteLLM |
| LiteLLM | March 24, 2026 | AI middleware credential stealer (95M downloads/mo) |
| TanStack | May 11, 2026 | 84 malicious versions across 42 @tanstack/* packages — hit 2 OpenAI devs |
| Mistral AI | May 12, 2026 | Targeted by the same campaign |
| Nx Console (GitHub) | May 18–20, 2026 | 3,800 internal GitHub repos exfiltrated |

The pattern is clear: the indie hacker AI stack is the campaign. Trivy was the wedge into LiteLLM. LiteLLM was the wedge into thousands of builders’ cloud accounts. TanStack was the wedge into OpenAI employee machines. Nx Console was the wedge into GitHub. Every hit on this list is a package most solo founders had installed last week without thinking about it.

And the cadence is accelerating. Koi Security flagged 1,283 VS Code extensions with malicious dependencies (combined 229M installs); 8,161 communicate with hardcoded IPs; 1,452 run unknown executables. Microsoft has open feature requests for an extension permission model dating back years (issues #52116, #187386). Until that ships, the only defense is the audit you run yourself.

The 10-Step Indie Hacker Extension Audit

This is the audit to run this week. Block 90 minutes, work through it top to bottom, and you’ll be ahead of 99% of solo founders. None of it requires an enterprise license; all of it requires you to actually do it.

1. Inventory every extension across every editor

Run `code --list-extensions`, `cursor --list-extensions`, and the equivalent for Windsurf/VSCodium. Most indie hackers find 20–40+ across two or three editors. You can’t audit what you can’t see.

2. Scan with Koidex (free) or vsix-audit (CLI)

Install Koidex inside VS Code/Cursor — it scans the rest in real time across VS Code, Cursor, Windsurf, VSCodium. For CI-friendly scans, Trail of Bits ships vsix-audit on npm with six detection modules.

3. Verify the publisher — only ~1,800 of ~60,000 are verified

On every extension page, check the blue Verified badge. No badge + low install count + recent ownership change = pull it. The Nx attack used stolen credentials from a verified publisher, so verification is necessary but not sufficient — see step 4.

4. Disable auto-updates on high-privilege extensions

The Nx attack was an auto-update push to existing installs. Pin versions in `devcontainer.json` and `.vscode/extensions.json`. Highest priority: AI assistants (read your whole workspace), formatters/linters (run on save), debuggers (spawn processes).

5. Move secrets out of files extensions can read

.env files in your project root are trivially readable by any extension. Move GitHub PATs, Anthropic, OpenAI, AWS, npm, and Stripe keys to 1Password CLI with biometric unlock, doppler, or `gh auth token`. The Nx malware specifically grabbed 1Password vault contents — lock yours.

6. Rotate every token in your stack — today

Assume one of your dev machines is compromised. Rotate: GitHub PATs and OAuth apps, npm publish tokens, Anthropic and OpenAI API keys, AWS IAM keys, Stripe restricted keys, Vercel deploy hooks, Supabase service-role keys. Two hours of work; one hour if you use a password manager.

7. Audit AI assistant extensions hardest

AI assistants — Copilot, Codeium, Cursor extensions, Cline, Continue, Augment, MaliciousCorgi-style "ChatGPT 中文版" knockoffs — are the highest-value targets because they read your entire workspace by design. Run only one. Make sure it’s the right one. Delete the rest.

8. Switch OpenVSX-only editors (Cursor, Windsurf) to extra-strict mode

OpenVSX has weaker review than Microsoft’s marketplace, yet Cursor and Windsurf are the indie default. Install only extensions you can also find on the Microsoft marketplace from the same verified publisher — if it’s OpenVSX-only and brand new, skip it.

9. Lock down Claude Code plugins, Skills, and MCP servers separately

Claude Code doesn’t use editor extensions — it uses Plugins, Skills, Subagents, and MCP servers, which run unsandboxed with full system privileges. The Directory Trust dialog is your only boundary. Only trust folders you own, and review every MCP server before adding it to settings.

10. Set a quarterly extension review on your calendar

This is the third major supply-chain hit on the indie hacker stack in 90 days (Trivy → LiteLLM → Nx). The cadence is now monthly. Block one hour every quarter to re-run steps 1–6. Add it to your calendar before you close this tab.

What to Watch Next

Watch for OpenVSX hardening. Cursor and Windsurf outsourced their extension marketplace to OpenVSX, which has fewer moderators than Microsoft’s team. Both vendors are now under pressure to either staff up moderation or build their own review pipeline. The editor that gets this right first will become the security-conscious default — and that’s the editor to migrate to.

Watch the Claude Code plugin surface. Anthropic’s plugin model runs unsandboxed with full system privileges, gated only by the Directory Trust dialog. The first malicious Claude Code plugin or MCP server widely distributed via npm is a matter of when, not if. Expect Anthropic to ship plugin signing and a permission model within 90 days.

Watch for TeamPCP’s next pivot. The campaign has moved from build tools (Trivy) to AI middleware (LiteLLM) to npm packages (TanStack) to editor extensions (Nx). The next surface is almost certainly AI coding agent MCP servers, where installations run unsandboxed and tokens flow in from every connected tool. Audit your MCP server list now — don’t wait for the breach writeup.

The Bottom Line

  • 3,800 GitHub repos went out the door through one extension auto-update. The Nx Console attack was alive for ~11 minutes and the payload specifically targeted Claude Code configs.
  • This is the third major supply-chain campaign hit in 90 days. Trivy → LiteLLM → Nx Console. TeamPCP/UNC6780 is treating the indie hacker AI stack as a single target.
  • VS Code extensions run with editor-level privileges. There is no sandbox. Cursor and Windsurf use OpenVSX, which has weaker review than Microsoft’s marketplace.
  • The 10-step audit takes 90 minutes and removes the biggest attack surface most indie hackers have. Add the quarterly re-run to your calendar before you close this tab.
