TanStack wave 5: GitHub loses 3,800 repos via Nx Console VS Code extension
GitHub confirmed today that 3,800 of its internal repositories were exfiltrated through a malicious version of the Nx Console VS Code extension. The disclosure makes this the fifth wave of the TanStack supply chain campaign that began on May 11, and it closes the last major credential delivery vector in the AI developer toolchain.
The marketplace numbers undersell the damage by two orders of magnitude
A malicious release labeled Nx Console 18.95.0 briefly appeared on the Visual Studio Marketplace for roughly 18 minutes and on OpenVSX for roughly 36 minutes. The recorded download counts are tiny: 28 from Visual Studio Marketplace, 41 from OpenVSX. Nx's own internal analytics tell a different story. The real install count is two orders of magnitude higher than the marketplace numbers, which implies thousands of effective installations propagated through caching layers, mirror feeds, and downstream extension ecosystems that pull from the marketplace asynchronously.
This is the structural takeaway for anyone running a developer environment at scale: the marketplace download counter is not the canonical install count. Extension cache layers, internal mirror feeds, and any pipeline that pre-fetches "latest" before pinning will all pick up a malicious release without showing in the public counters.
The attack chain
The chain starts at TanStack on May 11. One Nx developer's machine was compromised through the May 11 TanStack npm wave. The attacker harvested GitHub CLI credentials from the developer's local environment, then executed a contributor permission workflow on the Nx GitHub repository that signed and published the malicious extension release.
The malicious extension's payload then harvested GitHub tokens from each victim machine and used those tokens to clone every repository the token could reach. For GitHub itself, that meant 3,800 internal repos. For other teams that ran Nx Console 18.95.0, the blast radius is whatever the user's GitHub tokens could reach: organisation repos, GitHub Actions runner secrets, MCP server configurations, and any cloud credential cached in the editor session.
The campaign pattern across waves 1 through 5
This is wave 5 of a single campaign with a consistent operator pattern:
Wave 1, May 11. TanStack npm cache poisoning via a pull_request_target workflow. 84 malicious versions across 42 @tanstack packages. SLSA Build Level 3 provenance bypass.
Wave 2, May 11 follow on. Mistral AI, Guardrails AI, OpenSearch JS client compromised through the same operator using harvested CI/CD credentials.
Wave 3, May 14. Further AI adjacent packages compromised under the same payload signature.
Wave 4, May 19. Microsoft's official durabletask Python SDK compromised on PyPI via a chained GitHub account to PyPI token compromise.
Wave 5, May 20. Nx Console VS Code extension. IDE extension as credential harvester closes the developer toolchain.
The cumulative compromised version count across waves 1 through 5 sits at 1,055 versions across 502 unique packages per Socket's research, plus the Nx Console extension. The geographic kill switch (the payload aborts on systems with LANG=ru_*) is the consistent attribution thread.
The same day defender drill
If your team installed Nx Console 18.95.0 even briefly between roughly 13:00 and 14:00 UTC on May 20, treat the affected host as token compromised. Three actions, in order:
Rotate every GitHub PAT and OAuth grant issued by the user account on the affected machine. Do not rely on automated rotation; verify each token's new value matches expectation.
Audit GitHub Actions workflow run history on every reachable repository for unexpected runs in the trailing 24 hours, focusing on workflows triggered by pull_request_target or any token-bearing workflow that ran outside its normal cadence.
Rotate every API key, vector database credential, and MCP server token that has touched the editor session. Anthropic API keys, OpenAI API keys, HuggingFace tokens, and any cloud credential cached for tool execution are all in scope.
The harder structural lesson
Two breaches landed in the same news cycle for the same root cause: Grafana refused payment and rotated, GitHub rotated. The architectural reading: automated token rotation is not the same as verified token rotation. Grafana's rotation process executed; one workflow token did not roll. That one missed rotation cost the codebase.
For any organisation that depends on the npm, PyPI, or VS Code extension ecosystems (which is to say, every modern engineering organisation), the defender posture has to evolve: treat every confirmed supply chain wave as a forcing function for a same day token inventory reconciliation. Not a scheduled scan, not a quarterly audit. A reconciliation, executed within hours of the wave, against the actual inventory.
Token rotation under stress is the new defender drill. It is the only thing that closes the gap between what your CI/CD platform thinks it rotated and what an attacker is actually holding.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if your supply chain incident response runbook needs pressure testing against a multi wave campaign like this one.