18 Minutes to Breach GitHub: Inside TeamPCP's Supply Chain Attack — When Your Most Trusted VS Code Extension Becomes a Trojan Horse

Supply Chain Security, VS Code, GitHub, TeamPCP, Developer Security, Cybersecurity

> 📌 TL;DR
> In May 2026, a cybercrime group called TeamPCP (also known as UNC6780) launched the most sophisticated developer supply chain attack on record: by poisoning the Nx Console VS Code extension, it stole roughly 3,800 internal GitHub repositories within a window of just 18 minutes, hitting AI giants including OpenAI, Mistral AI and Anthropic. This article breaks down the three-stage attack chain, how the self-replicating worm Mini Shai-Hulud works, and what every developer must do now.

One Extension, 18 Minutes, 3,800 Repositories

On May 20, GitHub officially confirmed a major security incident: roughly 3,800 internal code repositories had been stolen by attackers. The entry point was not a zero-day vulnerability or a brute-forced weak password; it was a malicious update that survived on the VS Code extension marketplace for only 18 minutes.

The poisoned extension was Nx Console (nrwl.angular-console), a well-known Angular/Nx development tool with 2.2 million installs. Between 12:30 and 12:48 UTC on May 18, the attackers published version 18.95.0, which contained a 498KB obfuscated payload.

A GitHub employee installed that version inside the window. Game over.

The Three-Stage Attack Chain: A Precisely Interlocking Design

This was not an isolated attack but a multi-week chain operation spanning several ecosystems.

Stage 1: TanStack Poisoning (May 11)

TeamPCP first targeted TanStack, a popular frontend framework. The technique was remarkably refined:

1. Forked the TanStack/router repository
2. Submitted a Pull Request that triggered a pull_request_target workflow
3. Poisoned the GitHub Actions cache
4. When a maintainer merge triggered the release pipeline, the poisoned cache restored attacker-controlled binaries
5. Extracted the OIDC token directly from runner process memory

This step gave TeamPCP the ability to publish packages under TanStack's identity.

Stage 2: Nx Console Poisoning (May 18)

The TanStack compromise reached an Nx Console developer's device and leaked their GitHub credentials. TeamPCP used those credentials to:

1. Push an orphan commit containing the obfuscated payload to the nrwl/nx repository
2. Publish v18.95.0 to the VS Code Marketplace using the stolen VSCE_PAT

Once loaded, the malicious version ran silently whenever a developer opened any workspace, with no interaction required.

Stage 3: GitHub Falls (May 19-20)

A GitHub employee installed the poisoned Nx Console. The credential harvester went to work immediately, stealing:

- GitHub internal tokens
- AWS keys
- npm credentials
- 1Password vault data
- Claude Code configuration files (~/.claude/settings.json)

The attackers used these credentials to move laterally and, via CI/CD pipelines, ultimately stole roughly 3,800 internal repositories.

Mini Shai-Hulud: A Self-Replicating Supply Chain Worm

TeamPCP's real trump card is the supply chain worm they built, Mini Shai-Hulud (named after the sandworms in Dune). This is no ordinary malware; it propagates itself:

- Steals developers' CI/CD credentials
- Uses the stolen credentials to publish infected versions of other packages
- The newly infected packages compromise yet more developers
- And the cycle repeats

Within 5 hours, Mini Shai-Hulud published more than 400 malicious versions across 172 distinct packages. More unsettling still, it can use its Sigstore integration to generate valid cryptographic signatures and provenance, which means the attacker's malicious packages look exactly like genuine releases and pass every routine check.

TeamPCP has published the Mini Shai-Hulud source code on GitHub under the MIT license. Copycats have already appeared: a new group called PCPJack is running independent operations with the same tooling.

The Victim List: The AI Industry's Collective Compromise

| Victim | Impact | Source Date |
|--------|--------|-------------|
| GitHub | ~3,800 internal repos stolen, $50,000 ransom demand | [May 20 confirmed] |
| OpenAI | 2 employee devices compromised, some internal repo credentials leaked, macOS app signing certificate to be fully revoked on 6/12 | [May 21 confirmed] |
| Mistral AI | npm/PyPI SDKs poisoned, ~5GB of source code stolen, $25,000 extortion | [May 22 confirmed] |
| Anthropic | Claude source code reportedly affected (TeamPCP claim) | [May 21 reported] |
| European Commission | Public website affected | [May 21 reported] |

> ⚠️ Warning
> CISA has added the related vulnerabilities (CVE-2026-45321, CVSS 9.6; CVE-2026-48027, CVSS 9.3) to its Known Exploited Vulnerabilities (KEV) catalog and requires federal agencies to remediate them by June 10, 2026.

Why Did VS Code Extensions Become the Perfect Attack Surface?

This attack exposes a systemic problem: the trust model of the VS Code extension marketplace is fundamentally fragile.

1. Excessive permissions: extensions can access the filesystem, execute arbitrary code and read environment variables, which is practically shell-level access
2. Auto-updates: most developers have auto-updates enabled, so a poisoned version installs silently in the background
3. Inherited trust: developers trust well-known extensions (2.2 million installs) and do not review the code of every update
4. Weak review: the marketplace's pre-publication review struggles to detect obfuscated malicious code
5. Microsoft's whole-chain risk: as XDA's analysis pointed out, Microsoft owns VS Code, the VS Code Marketplace, GitHub, npm and Azure all at once; once one entry point is breached, the entire chain is at risk

5 Things You Must Do Right Now

1. Check Your Nx Console Version

If you installed or updated Nx Console v18.95.0 between 12:30 and 12:48 UTC on May 18 and opened a workspace, treat every credential on that machine as compromised.

2. Rotate All Credentials

Rotate the following credentials immediately:
- GitHub personal access tokens
- npm publish tokens
- AWS access keys
- 1Password master password
- HashiCorp Vault tokens
- Kubernetes kubeconfig
- All API keys stored in .env files

3. Audit VS Code Extensions

```bash
# List all installed extensions with their versions
code --list-extensions --show-versions

# Check each extension's release history (look for unusual recent updates)
# Pay attention to any extension updated between May 11 and 20
```

4. Harden CI/CD Pipelines

- Pin third-party actions in GitHub Actions to a fixed version (use the commit SHA, not a tag)
- Disable pull_request_target workflows, or strictly limit their permissions
- Require 2FA for publishing npm/PyPI packages

5. Consider Extension Security Policies

- Use VS Code's Extension Bisect feature to track down suspicious extensions
- Deploy an extension allowlist at the organization level
- Use isolated containers/VMs for critical development environments

The Deeper Problem: Developer Trust Is Being Weaponized

The core insight of this attack is not technical; it is about trust.

Verizon's 2026 DBIR reports that 67% of employees access AI tools through non-corporate accounts. Mandiant's M-Trends 2026 report found that time-to-exploit is "approaching zero": 28.3% of CVEs are exploited within 24 hours of disclosure, while the mean time to remediate is 74 days.

Attackers have worked something out: rather than breaking through the firewall, become the very tool developers trust. When a VS Code extension has 2.2 million installs, when an npm package has been downloaded tens of millions of times, when a GitHub Action is in wide use, they are the perfect Trojan horse.

Every npm install, every code --install-extension, every uses: action@latest is a trust decision. And TeamPCP has proven that this trust can be completely destroyed in 18 minutes.

> ✨ Key Quote
> In the age of supply chain attacks, the most dangerous code is not the code you distrust but the tools you trust without question. The VS Code Marketplace, npm, PyPI, the "infrastructure" developers rely on every day, are becoming the new attack surface. Trust is no longer free.


> 📌 TL;DR
> In May 2026, a cybercrime group called TeamPCP (aka UNC6780) pulled off one of the most sophisticated developer supply chain attacks in history — poisoning the Nx Console VS Code extension to steal roughly 3,800 internal GitHub repositories within an 18-minute window. The blast radius hit OpenAI, Mistral AI, Anthropic, and the European Commission. This article breaks down the three-stage attack chain, the self-replicating Mini Shai-Hulud worm, and what every developer needs to do right now.

One Extension, 18 Minutes, 3,800 Repositories

On May 20, GitHub officially confirmed a major security incident: approximately 3,800 internal code repositories had been exfiltrated by threat actors. The entry point wasn't a zero-day exploit or a brute-forced password — it was a malicious update to a VS Code extension that lived on the marketplace for just 18 minutes.

The poisoned extension was Nx Console (nrwl.angular-console), a widely-used Angular/Nx development tool with 2.2 million installations. Between 12:30 and 12:48 UTC on May 18, 2026, attackers published version 18.95.0 containing a 498KB obfuscated payload.

A GitHub employee installed it during that window. Game over.

The Three-Stage Attack Chain

This wasn't an isolated incident. It was a multi-week, cross-ecosystem campaign of surgical precision.

Stage 1: TanStack Poisoning (May 11)

TeamPCP first targeted TanStack, a popular frontend framework:

1. Forked the TanStack/router repository
2. Submitted a Pull Request triggering a pull_request_target workflow
3. Poisoned the GitHub Actions cache
4. When a maintainer merge triggered the release pipeline, the poisoned cache restored attacker-controlled binaries
5. Extracted OIDC tokens directly from runner process memory

This gave TeamPCP the ability to publish packages as TanStack.

Stage 2: Nx Console Poisoning (May 18)

The TanStack compromise reached an Nx Console developer's device, leaking their GitHub credentials. TeamPCP used these to:

1. Push an orphan commit with the obfuscated payload to the nrwl/nx repository
2. Publish v18.95.0 to the VS Code Marketplace using the stolen VSCE_PAT

The malicious version executed silently the moment a developer opened any workspace — zero interaction required.

Stage 3: GitHub Falls (May 19-20)

A GitHub employee installed the poisoned Nx Console. The credential stealer immediately harvested:

- GitHub internal tokens
- AWS keys
- npm credentials
- 1Password vault data
- Claude Code configuration files (~/.claude/settings.json)

The attackers used these credentials to move laterally through CI/CD pipelines and ultimately exfiltrate ~3,800 internal repositories.

Mini Shai-Hulud: A Self-Replicating Supply Chain Worm

TeamPCP's real weapon is their supply chain worm, Mini Shai-Hulud (named after the sandworms from Dune). This isn't ordinary malware — it self-propagates:

- Steals developer CI/CD credentials
- Uses stolen credentials to publish infected versions of other packages
- Newly infected packages compromise more developers
- Rinse and repeat

Within 5 hours, Mini Shai-Hulud published over 400 malicious versions across 172 distinct packages. Even more alarming: it includes Sigstore integration to generate valid cryptographic provenance attestations — making poisoned packages appear identical to legitimate releases.

TeamPCP has open-sourced Mini Shai-Hulud under the MIT license. Copycats have already appeared — a new group called PCPJack is conducting independent operations using the same tooling.
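The point that a Sigstore attestation can be cryptographically valid yet untrustworthy is why signature verification (for example `npm audit signatures`) has to be followed by a policy check on what the attestation actually says. The example below is added here and is not TeamPCP's, npm's or Sigstore's code; it assumes the SLSA v1 statement layout that npm's GitHub-generated provenance uses, and a constructed `@example/sdk` package with placeholder digests.

```python
import json

# Policy for one package: where its releases are allowed to be built from.
# Values are constructed placeholders for an imaginary @example/sdk package.
POLICY = {
    "repository": "https://github.com/example/sdk",
    "workflow_path": ".github/workflows/release.yml",
    "ref_prefix": "refs/tags/v",
    "builder_id": "https://github.com/actions/runner/github-hosted",
}

def make_statement(repository, ref, path, builder_id=POLICY["builder_id"]):
    """Constructed in-toto statement in the SLSA v1 layout (assumed; see lead-in).
    Digests are placeholders, not real values."""
    return json.dumps({
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "pkg:npm/@example/sdk@1.2.3", "digest": {"sha512": "<placeholder>"}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "externalParameters": {"workflow": {"ref": ref, "repository": repository, "path": path}},
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    })

def check_provenance(statement_json, policy=POLICY):
    """Return policy violations for an already signature-verified statement; [] means it
    was built from the expected repo, workflow file, tag ref and builder."""
    st = json.loads(statement_json)
    if st.get("predicateType") != "https://slsa.dev/provenance/v1":
        return ["unexpected predicateType"]
    pred = st.get("predicate", {})
    wf = pred.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    problems = []
    if wf.get("repository") != policy["repository"]:
        problems.append(f"built from {wf.get('repository')!r}, expected {policy['repository']!r}")
    if wf.get("path") != policy["workflow_path"]:
        problems.append(f"workflow {wf.get('path')!r} is not the release workflow")
    if not str(wf.get("ref", "")).startswith(policy["ref_prefix"]):
        problems.append(f"ref {wf.get('ref')!r} is not a release tag")
    if builder != policy["builder_id"]:
        problems.append(f"builder {builder!r} is not the expected hosted runner")
    return problems

# Constructed examples: a legitimate tag release, and a release produced with stolen
# CI credentials from an unexpected repository, branch and workflow file.
GOOD = make_statement("https://github.com/example/sdk", "refs/tags/v1.2.3", ".github/workflows/release.yml")
BAD = make_statement("https://github.com/attacker-fork/sdk", "refs/heads/tmp", ".github/workflows/publish.yml")
```

Both statements would pass signature verification; only the policy check tells them apart.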

The Victim List: AI Industry's Collective Compromise

| Victim | Impact | Source Date |
|--------|--------|-------------|
| GitHub | ~3,800 internal repos exfiltrated, $50,000 ransom demand | [May 20 confirmed] |
| OpenAI | 2 employee devices compromised, partial internal repo credential exfiltration, macOS signing cert revocation on 6/12 | [May 21 confirmed] |
| Mistral AI | npm/PyPI SDKs trojaned, ~5GB source code stolen, $25,000 extortion | [May 22 confirmed] |
| Anthropic | Claude source code reportedly affected (TeamPCP claim) | [May 21 reported] |
| EU Commission | Public website affected | [May 21 reported] |

> ⚠️ Warning
> CISA has added the related vulnerabilities (CVE-2026-45321, CVSS 9.6; CVE-2026-48027, CVSS 9.3) to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to remediate by June 10, 2026.

Why VS Code Extensions Are the Perfect Attack Surface

This attack exposes a systemic problem: the VS Code extension marketplace's trust model is fundamentally fragile.

1. Excessive Permissions: Extensions can access the filesystem, execute arbitrary code, and read environment variables — essentially shell-level access
2. Auto-Updates: Most developers have auto-updates enabled; a poisoned version installs silently in the background
3. Trust Inheritance: Developers trust popular extensions (2.2M installs) and don't review code changes for each update
4. Weak Review: The marketplace's pre-publication review struggles to detect obfuscated malicious code
5. Microsoft's Single-Chain Risk: As XDA's analysis noted, Microsoft owns VS Code, the VS Code Marketplace, GitHub, npm, and Azure — one entry point compromised means the entire chain is at risk

5 Things You Must Do Right Now

1. Check Your Nx Console Version

If you installed or updated Nx Console v18.95.0 between 12:30-12:48 UTC on May 18 and opened a workspace — treat every credential on that machine as compromised.

2. Rotate All Credentials

Immediately rotate:
- GitHub personal access tokens
- npm publish tokens
- AWS access keys
- 1Password master password
- HashiCorp Vault tokens
- Kubernetes kubeconfig
- All API keys stored in .env files

3. Audit VS Code Extensions

```bash
# List all installed extensions with versions
code --list-extensions --show-versions

# Watch for any extensions with suspicious updates between May 11-20
```
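As an added example (not from the original article), the following Python script automates the audit above against the local extension directory: it parses the `publisher.name-version` folder names VS Code uses, flags the poisoned Nx Console release exactly, and lists anything installed or updated in the May 11-20 campaign window for manual review. The default path `~/.vscode/extensions` and the folder-name layout are assumptions.

```python
import re
from datetime import datetime, timezone
from pathlib import Path

# Indicators from the article: the poisoned Nx Console release and the campaign's date span.
BAD_VERSIONS = {("nrwl.angular-console", "18.95.0")}
WINDOW_START = datetime(2026, 5, 11, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 21, tzinfo=timezone.utc)  # exclusive, covers May 11-20

# Assumed folder layout '<publisher>.<name>-<version>[-<platform>]'. The greedy group keeps
# hyphens in publisher/name; the version starts at the last '-<digits>.<digits>.<digits>'.
DIR_RE = re.compile(r"^(?P<ext_id>.+)-(?P<version>\d+\.\d+\.\d+\S*)$")

def parse_dir_name(name):
    """Return (extension_id, version) for a folder name, or None if it is not an extension."""
    m = DIR_RE.match(name)
    if not m or "." not in m.group("ext_id"):
        return None
    return m.group("ext_id"), m.group("version")

def audit(entries):
    """entries: iterable of (folder_name, modified_utc). Returns (extension_id, version, reason)
    for an exact known-bad match or for anything changed inside the campaign window."""
    findings = []
    for name, mtime in entries:
        parsed = parse_dir_name(name)
        if parsed is None:
            continue
        ext_id, version = parsed
        if (ext_id, version.split("-")[0]) in BAD_VERSIONS:  # strip platform suffix
            findings.append((ext_id, version, "known poisoned release"))
        elif WINDOW_START <= mtime < WINDOW_END:
            findings.append((ext_id, version, "installed/updated during May 11-20 window"))
    return findings

def scan(ext_root=None):
    """Walk the local VS Code extension directory (assumed default user-profile location)."""
    root = Path(ext_root) if ext_root else Path.home() / ".vscode" / "extensions"
    if not root.is_dir():
        return []
    entries = ((p.name, datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc))
               for p in root.iterdir() if p.is_dir())
    return audit(entries)

if __name__ == "__main__":
    for ext_id, version, reason in scan():
        print(f"{ext_id}@{version}: {reason}")
```

A window hit is a prompt to check that extension's release history, not proof of compromise.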

4. Harden CI/CD Pipelines

- Pin third-party GitHub Actions by SHA, not tags
- Disable pull_request_target workflows or strictly limit their permissions
- Enable 2FA for npm/PyPI publishing
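Stage 1 above and the hardening list here are two sides of the same workflow. The three GitHub Actions fragments below are an added illustration, not TanStack's or Nx's real workflows: the unsafe pattern first, then a hardened PR workflow and a separate tag-triggered release workflow. Action commit SHAs and the `NPM_TOKEN` secret name are placeholders.

```yaml
# BEFORE (the pattern Stage 1 abused): pull_request_target runs with the base repo's
# privileged token, checks out the untrusted PR head, and its cache writes land in the
# base-branch cache scope, where a later release job can restore them.
name: ci-unsafe
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4                          # mutable tag
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # attacker-controlled code
      - uses: actions/cache@v4
        with:
          path: node_modules/.bin
          key: tools-${{ runner.os }}                      # same key release.yml restores
      - run: npm ci && npm test
---
# AFTER: untrusted PRs get a read-only token and no base-repo secrets; actions are pinned
# to a full commit SHA (placeholders below); nothing they produce is shared with releases.
name: ci
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<40-char-commit-sha>        # placeholder, pin the real SHA
      - run: npm ci && npm test                            # no cache restore from shared keys
---
# release.yml: only the tag-triggered release job gets id-token (for provenance), and it
# never restores a cache that an untrusted workflow could have written.
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<40-char-commit-sha>        # placeholder, pin the real SHA
      - run: npm ci                                        # fresh install, no actions/cache
      - run: npm publish --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}        # publish token on a 2FA-protected account
```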

5. Implement Extension Security Policies

- Use VS Code's Extension Bisect to investigate suspicious extensions
- Deploy organization-level extension whitelists
- Use isolated containers/VMs for critical development environments

The Deeper Problem: Developer Trust Is Being Weaponized

The key insight from this attack isn't technical — it's about trust.

Verizon's 2026 DBIR reports that 67% of employees access AI tools through non-corporate accounts. Mandiant's M-Trends 2026 found that time-to-exploit has effectively gone to zero — 28.3% of CVEs are exploited within 24 hours of disclosure, while the average remediation time is 74 days.

Attackers have figured something out: instead of breaking through firewalls, become the tools developers trust. When a VS Code extension has 2.2 million installs, when an npm package has tens of millions of downloads, when a GitHub Action is widely used — they're the perfect Trojan horse.

Every npm install, every code --install-extension, every uses: action@latest — is a trust decision. And TeamPCP proved that trust can be utterly destroyed in 18 minutes.

> ✨ Key Takeaway
> In the age of supply chain attacks, the most dangerous code isn't what you don't trust — it's the tools you trust implicitly. The VS Code Marketplace, npm, PyPI — the "infrastructure" developers rely on daily — are becoming the new attack surface. Trust is no longer free.