

TeamPCP Pulled 3,800 Repos Out of GitHub Through a VS Code Extension. What AI-Dev Teams Should Do This Week

Written by Vitaliy Zarubin, May 20, 2026

GitHub got hit. On May 19 a poisoned Nx Console extension shipped through the VS Code marketplace. It was up for eleven minutes. That window was enough for an employee to auto-update, for the worm to grab their CI/CD tokens, and for the attacker group (TeamPCP, tracked as UNC6780) to pivot into roughly 3,800 internal repositories before anyone noticed.

GitHub disclosed the breach the next day. Customer data, they say, was not touched. We will see.

Here is the part that should keep founders up at night. The attacker did not exploit GitHub. They exploited a developer's IDE. Every team using Copilot, Cursor, Claude Code, Continue or Cody, every team running an AI assistant at all, runs it on top of an editor whose extension marketplace auto-updates by default and gets next to no code review. That is the same surface that just compromised the world's largest code host.

If this sounds familiar, it should. The same playbook hit Aqua's Trivy, Checkmarx KICS, LiteLLM, TanStack and MistralAI in the last few months. The worm has a name now (Mini Shai-Hulud) and a pattern: poison a package, steal CI tokens, publish more poisoned packages, repeat.

What boring hygiene actually moves the needle? Here is the list we ran for our own clients this week, in priority order.

  1. Pin extension versions and disable marketplace auto-update. In VS Code that is "extensions.autoUpdate": false and "extensions.autoCheckUpdates": false in settings.json, and installing each extension at a named version rather than "latest". Yes, you will update by hand. That is the point: an eleven-minute poisoned release cannot reach a machine that does not pull it.
  2. Turn on GitHub secret scanning and push protection. Both are free on public repos; on private repos, confirm your plan includes them before assuming you are covered. Push protection rejects the push itself, so the secret never leaves the laptop, which is earlier than any scanner that only looks at what has already landed in the repo. Five minutes of admin work.
  3. Rotate every CI/CD token that has ever touched a developer machine. Quarterly is the floor. Monthly is sane. The Nx incident leaked tokens that had been valid since 2024.
  4. Move CI to OIDC, kill long-lived secrets. AWS, GCP and Azure all exchange the short-lived OIDC token that GitHub Actions mints per job for temporary cloud credentials, so who may deploy is decided by the cloud-side trust policy rather than by whoever copied a key. No more AWS_SECRET_ACCESS_KEY in repo secrets. Scope the trust policy to one repository and one branch or environment; a policy that only checks the audience trusts every repository on GitHub. (This one is annoying to set up the first time. Worth it.)
  5. Sandbox the AI assistant. Run Claude Code or Cursor inside a devcontainer or VM with no production credentials mounted: no ~/.aws, no ~/.ssh, no cloud or package-registry tokens in the environment. If the agent follows a malicious instruction, the blast radius stops at the container.
  6. Review what you commit. This sounds obvious. It is not, because Copilot will happily autocomplete an OPENAI_API_KEY=sk-... line if you started typing it. Force a human pass on every PR. Yes, including the ones the AI wrote.
  7. Inventory your extensions, quarterly. Anyone on the team using a 200-install extension by a developer with no GitHub history? That is a supply chain risk. We dropped four extensions on our own machines yesterday for exactly this reason.
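Item 4 is where teams most often get the details wrong, so here is an added example (not code from the post, and not a vendor tool) that generates the AWS trust policy for a GitHub Actions OIDC role and audits an existing one for the usual mistakes: no audience check, no subject check, or a subject wildcard that spans every repository or every branch. The account id, repository and branch are made up; the provider name and claim keys are the real ones GitHub and AWS use.

```python
"""Generate and audit an AWS IAM trust policy for GitHub Actions OIDC.

Added example (not from the post). Account id, repo and branch are made up.
"""
import json

OIDC_PROVIDER = "token.actions.githubusercontent.com"
AUD_KEY = f"{OIDC_PROVIDER}:aud"
SUB_KEY = f"{OIDC_PROVIDER}:sub"


def github_oidc_trust_policy(account_id: str, repo: str, branch: str) -> dict:
    """Trust policy that lets exactly one repo's one branch assume the role.

    GitHub issues `sub` as `repo:<owner>/<name>:ref:refs/heads/<branch>` for a
    branch-triggered run; `aud` is the value configure-aws-credentials requests.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{OIDC_PROVIDER}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        AUD_KEY: "sts.amazonaws.com",
                        SUB_KEY: f"repo:{repo}:ref:refs/heads/{branch}",
                    }
                },
            }
        ],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict) -> list[str]:
    """Return one finding per weakness in statements that trust the GitHub provider."""
    findings: list[str] = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        federated = _as_list(st.get("Principal", {}).get("Federated", []))
        if not any(OIDC_PROVIDER in p for p in federated):
            continue
        cond = st.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})
        # Without an aud check the role accepts tokens minted for any audience.
        if AUD_KEY not in equals:
            findings.append(f"statement {i}: no StringEquals condition on {AUD_KEY}")
        subs = _as_list(equals.get(SUB_KEY, [])) + _as_list(like.get(SUB_KEY, []))
        if not subs:
            # The classic mistake: every repository on GitHub can now assume this role.
            findings.append(f"statement {i}: no condition on {SUB_KEY}; any GitHub repo can assume the role")
        for sub in subs:
            parts = sub.split(":", 2)  # ["repo", "<owner>/<name>", "<ref|environment|...>"]
            if len(parts) != 3 or parts[0] != "repo":
                findings.append(f"statement {i}: sub {sub!r} is not in repo:<owner>/<name>:<claim> form")
            elif "*" in parts[1]:
                findings.append(f"statement {i}: sub {sub!r} wildcards the repository")
            elif parts[2] == "*":
                findings.append(f"statement {i}: sub {sub!r} matches every branch, tag and environment")
    return findings


# Constructed example of the weak policy that shows up in audits: aud only, no sub.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{OIDC_PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {AUD_KEY: "sts.amazonaws.com"}},
    }],
}

if __name__ == "__main__":
    good = github_oidc_trust_policy("123456789012", "acme/payments-api", "main")
    print(json.dumps(good, indent=2))
    print("good policy findings:", audit_trust_policy(good))
    print("weak policy findings:", audit_trust_policy(WEAK_POLICY))
```

On the workflow side the job needs permissions: id-token: write and a step such as aws-actions/configure-aws-credentials with role-to-assume pointing at the role; no access key is stored anywhere. Run the audit over every role whose principal is the GitHub OIDC provider, not just the ones you remember creating.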

There is a longer conversation here about whether IDE marketplaces need real package signing, mandatory code review, and provenance. That is somebody else's fight. While the regulators and platforms argue about it, your job is to make sure that the eleven-minute window between a malicious push and a takedown does not turn into the worst week of your year.
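The marketplace fight is out of your hands, but items 1 and 7 above are not. This added example (not from the post, not a VS Code or marketplace feature) parses what code --list-extensions --show-versions prints, compares it against a pinned allowlist, and checks settings.json for the two auto-update keys. The allowlist, versions and sample inventory are constructed; the settings keys and the CLI flags are the real ones.

```python
"""Check a VS Code install against a pinned extension allowlist.

Added example (not from the post). The allowlist, versions and the sample
`code` output below are constructed; the settings keys and CLI flags are real.
"""
import re
import subprocess

# Extension ids are real marketplace ids; the pinned versions are made up.
PINNED = {
    "ms-python.python": "2025.4.0",
    "github.copilot": "1.300.0",
    "esbenp.prettier-vscode": "11.0.0",
}

# Constructed sample of `code --list-extensions --show-versions`: one publisher.name@version per line.
SAMPLE_INVENTORY = """\
ms-python.python@2025.4.0
GitHub.copilot@1.301.0
esbenp.prettier-vscode@11.0.0
someone.handy-helper@0.0.3
"""

_LINE = re.compile(r"^(?P<id>[\w-]+\.[\w-]+)@(?P<ver>\S+)$")


def parse_inventory(text: str) -> dict[str, str]:
    """Map extension id (lower-cased, ids are case-insensitive) -> installed version."""
    found: dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            found[m["id"].lower()] = m["ver"]
    return found


def check_extensions(installed: dict[str, str], pinned: dict[str, str]) -> dict[str, list]:
    """Classify each installed extension: ok, drift (wrong version) or unknown (not approved)."""
    result: dict[str, list] = {"ok": [], "drift": [], "unknown": []}
    for ext_id, ver in sorted(installed.items()):
        want = pinned.get(ext_id)
        if want is None:
            result["unknown"].append(ext_id)              # nobody reviewed this one
        elif want != ver:
            result["drift"].append((ext_id, want, ver))   # an update got past the pin
        else:
            result["ok"].append(ext_id)
    return result


def check_settings(settings: dict) -> list[str]:
    """Findings for the two settings that let the marketplace update behind your back."""
    findings = []
    # Both default to true; "onlyEnabledExtensions" and similar values still update.
    if settings.get("extensions.autoUpdate", True) is not False:
        findings.append("extensions.autoUpdate is not false")
    if settings.get("extensions.autoCheckUpdates", True) is not False:
        findings.append("extensions.autoCheckUpdates is not false")
    return findings


def live_inventory() -> dict[str, str]:
    """Ask the real CLI; needs VS Code's `code` on PATH (not called by the demo below)."""
    out = subprocess.run(["code", "--list-extensions", "--show-versions"],
                         capture_output=True, text=True, check=True).stdout
    return parse_inventory(out)


if __name__ == "__main__":
    report = check_extensions(parse_inventory(SAMPLE_INVENTORY), PINNED)
    for ext_id, want, have in report["drift"]:
        print(f"DRIFT   {ext_id}: pinned {want}, installed {have}")
    for ext_id in report["unknown"]:
        print(f"UNKNOWN {ext_id}: not on the allowlist")
    # Real settings.json is JSONC (comments allowed); strip comments before json.loads.
    print(check_settings({"extensions.autoUpdate": "onlyEnabledExtensions"}))
```

Anything in drift gets reinstalled at the pinned version with code --install-extension <id>@<version>; anything in unknown is either reviewed and added to the allowlist or removed. Running this across every laptop on a schedule is the quarterly inventory from item 7, minus the spreadsheet.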

We work with fintech and biotech teams who cannot afford a TeamPCP-style headline. If you want a one-page audit of your dev environment posture against this attack pattern, we can run that in a week.

