
On May 18, 2026, a malicious build of Nx Console — a Visual Studio Code extension with over two million installs — was published to the Visual Studio Marketplace at 12:30 PM UTC. It was pulled at 12:48 PM UTC. About eighteen minutes of live distribution. StepSecurity put the activation count at roughly 6,000 over the next two days, including from Cursor, because VS Code's automatic update mechanism does not need anyone to click anything.
One of those activations was on a GitHub employee's machine. The result, disclosed by GitHub on May 19, was the exfiltration of approximately 3,800 internal source code repositories. The threat actor group, TeamPCP, is currently attempting to sell the stolen data. On May 28, CISA added CVE-2026-48027 to the Known Exploited Vulnerabilities catalog and issued a joint advisory naming a broader campaign — Megalodon — that has been injecting malicious GitHub Actions workflows to harvest CI/CD secrets in parallel.
I want to focus on what the eighteen-minute window actually means, because the headline reading ("supply chain attack succeeded against GitHub") is not the most useful one for small teams.
What the attacker bought with eighteen minutes
Eighteen minutes is not enough time for a developer to notice and uninstall. Eighteen minutes is also not enough time for Microsoft Defender for Cloud Apps, Snyk, or any other supply chain scanning tool to push a signature update through their detection pipeline. Eighteen minutes is the gap between "the package is live on the registry" and "the package is automatically installed by VS Code's update mechanism on every machine that already had Nx Console."
Think of it like this. A bookstore stocks a shelf of books authored by a trusted contributor. A forged copy of one of those books appears on the shelf for eighteen minutes between Tuesday and Tuesday and a quarter, in which time the bookstore's own delivery service mails a copy to every house in the neighbourhood that's previously bought the author's work. The forgery is pulled at 12:48. The deliveries continue. Nobody at the bookstore did anything wrong. The delivery system worked as designed. The system worked as designed is the problem.
The chain of trust that VS Code's auto-update relies on — and Nx Console is not alone here, every IDE extension marketplace uses some version of this — assumes that the time-to-detection of a malicious package will be longer than the time-to-pull. The Nx incident demonstrates that for a determined attacker who has already compromised a maintainer's credentials (the Tanstack supply chain compromise from days earlier is how Nx's maintainer got pwned), eighteen minutes is enough.
Why this is the AI tooling story it doesn't look like
On its face, this is a classic IDE extension supply chain attack: malicious build, credential harvesting, lateral movement. I've written before about the Shai-Hulud npm worm that explicitly targeted MCP config files and the Vercel OAuth breach as the credential storage layer failure mode. The Nx Console incident is a third independent confirmation of the same structural finding, from a third angle: AI infrastructure credentials are now in the standard harvesting template.
The malicious payload read from disk and memory for Vault tokens, Kubernetes secrets, AWS IAM credentials, SSH keys, GitHub PATs, npm tokens, and .env files. The .env files are where teams keep their ANTHROPIC_API_KEY, their OPENAI_API_KEY, their MCP server tokens, their LiteLLM proxy keys. The attacker doesn't need to know the post-Cambrian taxonomy of AI infrastructure to ruin a team's week. They just need to grep for KEY and exfiltrate.
The CISA advisory's list of credentials to rotate runs from "AWS, GCP, Azure" through "Docker, npm, PyPI, Vault, Terraform, Kubernetes" to "GitHub/GitLab/Bitbucket tokens, developer or pipeline secrets." Notice what is not on the list — and what is therefore notably absent from CISA's stated rotation guidance: AI vendor API keys. They are not a separate category in the official advisory. They sit, undifferentiated, in the .env file alongside everything else.
What the Megalodon campaign adds
The second half of the May 28 CISA advisory names Megalodon — a parallel campaign injecting malicious GitHub Actions workflows into public repositories to harvest CI/CD secrets directly. Where the Nx incident exfiltrated credentials at the developer-machine layer, Megalodon does it at the pipeline-execution layer. These are not separate attacks. They are the same threat actor (or at least the same attack pattern) reading the developer credential surface from two different angles.
For a small team running headless agent pipelines — and a growing number are — this is the surface that matters. The CI/CD pipeline that runs your scheduled Claude Code job, your Codex CLI batch, your Aider commit pass is also the surface that holds the API key those agents authenticate with. Megalodon harvests the GitHub Actions secrets store directly. The compromise doesn't have to touch the AI tool. It just has to touch the substrate the AI tool runs on.
What to actually do this week
For a small team:
- Audit your VS Code extension list. Identify every extension installed organization-wide. Anything with auto-update enabled and write access to your filesystem is a Nx-class risk surface. The remediation is not "disable auto-update for everything" (impractical); it is to know which extensions have the access, so the blast radius is mapable when the next incident lands.
- Rotate everything in CI/CD secrets stores that has been accessible since May 1, 2026. Not just AWS and GitHub keys — your AI vendor keys, your LiteLLM/GoModel proxy tokens, your MCP server credentials. Treat the AI infrastructure credentials as Tier 1 the way you'd treat a root AWS key.
- Move AI vendor keys out of
.envfiles into a secrets manager (Vault, AWS Secrets Manager, Doppler) with rotation policies. The.envfile is the attacker's grep pattern; the secrets manager at least asks the question of who is reading. - Check whether your scheduled-agent CI/CD pipelines are running with broader scope than they need. A Claude Code batch job that writes blog drafts does not need write access to your production deployment credentials.
The bigger pattern
Every incident in the supply chain series I've been writing about — LiteLLM, Vercel OAuth, Shai-Hulud, Nx Console — has named a slightly different credential layer. The pattern they share is that the attacker doesn't need to know anything about AI tooling specifically. They harvest credentials, and AI infrastructure credentials are now part of what gets harvested by default. The defensive posture has to assume that any developer-tool credential compromise reaches the AI stack within the same blast.
Eighteen minutes was the window the marketplace gave the attacker. The window your CI/CD secrets are exposed for is however long it takes you to rotate them. That second window is the one a small team can actually shorten.