VS Code Nx Console Extension Poisoned in Supply Chain Attack

A poisoned Nx Console extension for VS Code was distributed via npm, compromising internal repositories at GitHub, OpenAI, and Mistral AI. The TeamPCP threat actor exploited CVE-2026-45321 with a CVSS score of 9.6.

VS Code Nx Console Extension Poisoned in Supply Chain Attack
Hacker arriving in underground base, ready to do computer sabotage using encryption trojan ransomware. Cybercriminal starting hacking process, ransoming stolen data from victims, camera A

Microsoft developers faced a supply chain compromise through a poisoned Nx Console extension for Visual Studio Code. The malicious package circulated via npm and remained active on May 18, 2026 for exactly eighteen minutes before removal. Security researchers identified the threat as part of an ongoing campaign by the TeamPCP group.

Malicious npm package compromised GitHub OpenAI and Mistral AI repositories for eighteen minutes before removal.

The vulnerability carries the identifier CVE-2026-45321 with a CVSS score of 9.6. Attackers leveraged this flaw to infiltrate internal repositories at GitHub, OpenAI, and Mistral AI. The incident highlights how shared development tooling now serves as a primary target for threat actors.

OpenAI described the breach as evidence of a shifting threat landscape where attackers prioritize common software dependencies over individual corporate targets. This strategy allows malicious campaigns to scale across multiple organizations that rely on the same compromised packages.

Security outlets including The Hacker News and BleepingComputer reported on the incident. Microsoft maintains Visual Studio Code as a widely used development environment, making supply chain integrity critical for the broader engineering community.

Discussion

0 comments

Log in to join the thread with a thoughtful take, question, or correction.

Add to the discussion