Claude Code Under Fire: How a Poisoned VS Code Extension Exposed the Supply Chain Weakness
A single poisoned VS Code extension installed on one GitHub employee's machine compromised roughly 3,800 of the company's internal repositories within 48 hours, exposing infrastructure configurations, deployment scripts, and staging credentials. The May 2026 breach, attributed to a financially motivated cybercrime group called TeamPCP, highlights a critical vulnerability in the developer tool ecosystem and raises urgent questions about how AI-powered coding tools like Claude Code are becoming targets for sophisticated attackers.
What Happened During the GitHub Supply Chain Attack?
On May 18, 2026, attackers published a malicious version of Nx Console, a VS Code extension with 2.2 million installs, on the Visual Studio Marketplace. The compromised extension remained live for approximately 18 minutes before the Nx team removed it, but that brief window was enough. The malicious version harvested tokens from multiple critical systems and specifically targeted Claude Code configuration files stored at ~/.claude/settings.json, according to security researchers at StepSecurity.
What made this attack particularly alarming was its scope and speed. In a single 48-hour window, TeamPCP executed coordinated attacks across five different surfaces:
- May 18: The poisoned Nx Console extension harvested credentials from GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password, with explicit targeting of Claude Code configuration files.
- May 19: The Mini Shai-Hulud worm published 639 malicious npm package versions across 323 packages in Alibaba's @antv ecosystem, representing roughly 16 million weekly downloads.
- May 19: TeamPCP compromised the actions-cool/issues-helper GitHub Actions workflow, redirecting tags to imposter commits that exfiltrated CI/CD credentials.
- May 19: The group compromised durabletask, Microsoft's official Python client for the Durable Task workflow execution framework, publishing three malicious versions to PyPI within a 35-minute window.
- May 20: GitHub publicly confirmed the breach of its internal repositories, which contained infrastructure configurations, deployment scripts, staging credentials, and internal API schemas.
GitHub's statement emphasized that "the activity involved exfiltration of GitHub-internal repositories only," but security experts noted this language understates the severity. Internal repositories at a platform like GitHub contain far more than source code; they hold the keys to the company's entire infrastructure.
Why Is Claude Code Configuration a Target for Attackers?
The specific targeting of Claude Code configuration files shows how attackers are adapting to the growing adoption of AI-powered coding tools. Claude Code, Anthropic's agentic coding tool that runs in the developer's terminal, keeps its settings, and according to the researchers the credentials the malware went after, in plaintext files under the developer's home directory. A VS Code extension runs inside the extension host with the developer's own user privileges and no permission boundary of its own, so a malicious extension can read any file the developer can read, including these, and send the contents wherever it likes.
This attack pattern is not unique to Claude Code. The broader ecosystem of AI coding tools, including Cursor, OpenAI's Codex CLI and similar agents, keeps credentials on the local filesystem. The explicit mention of Claude Code in the Nx Console payload nonetheless suggests that attackers are deliberately going after developers who use Anthropic's tools, likely because those developers tend to have high-value tokens within reach on the same machine, and because Claude Code's settings.json can carry an `env` block of environment variables that is exactly where API keys and registry tokens end up.
TeamPCP, tracked by Google Threat Intelligence Group as UNC6780, has been conducting supply chain attacks against open-source security utilities and AI middleware since at least March 2026. The group has run at least seven confirmed waves of the Mini Shai-Hulud worm, hitting tools including Trivy, Checkmarx KICS, LiteLLM, Bitwarden CLI, TanStack, and Mistral before reaching GitHub itself.
Did AI Actually Write the Malware?
Shortly after the breach became public, a spokesperson linked to TeamPCP asserted that Anthropic's Claude was used to create malware components and facilitate stages of the intrusion. This claim generated significant attention in the security community, but it remains unverified. No independent security firm, including Palo Alto Networks Unit 42, StepSecurity, Endor Labs, Snyk, Trend Micro, or ReversingLabs, has confirmed that AI authored the TeamPCP toolchain.
However, the Cloud Security Alliance's research note on the group acknowledged that the claim is "consistent with the observed campaign sophistication and rapid operational tempo and underscores the emerging risk of AI-assisted offensive tooling development". What security researchers have confirmed is that the Mini Shai-Hulud worm evolved through three distinct payload versions within hours of deployment, suggesting either rapid human iteration or AI-assisted development cycles.
"The attestation proves where the package was built. It does not prove the build was authorized," noted Endor Labs researchers analyzing how the worm now calls Fulcio and Rekor at runtime to obtain a genuine, short-lived Sigstore signing certificate and transparency-log entry for every package it propagates.
By May 22, 2026, Wired reported that TeamPCP had executed 20 distinct attack waves in 2026 alone, with Socket confirming that the group's open-sourced worm code was already spawning copycat variants. Whether a language model accelerated that pace or not, the output demonstrates the operational sophistication of modern supply chain attacks.
How to Protect Claude Code and AI Coding Tools From Supply Chain Attacks
- Restrict VS Code Extension Installation: Limit which extensions can be installed on developer machines, and require security review before adding new extensions to your organization's approved list. VS Code's `extensions.allowed` setting, which can be locked through enterprise policy, lets you pin allowed publishers, extensions and versions rather than relying on developers to exercise judgment at install time. The Nx Console breach demonstrates how a trusted tool with millions of installations can be compromised at the source, so an allowlist has to cover versions, not just names.
- Rotate Claude Code Credentials: If you use Claude Code or other AI coding tools, rotate your API keys and authentication tokens on a regular schedule, and if a machine had the affected Nx Console version installed during the window, treat every token on it as exposed and revoke it immediately rather than waiting for the schedule. Keep credentials out of plaintext configuration files where the tool allows it: Claude Code's `apiKeyHelper` setting runs a script to obtain the key at session start, so the key can live in a secret manager instead of on disk. That does not stop a malicious process running as the same user from invoking the helper, but it removes the at-rest plaintext that a file-harvesting payload collects in bulk. Monitor the provider's usage and access logs for token use that does not match a developer's activity.
- Monitor CI/CD Credential Exfiltration: Implement endpoint monitoring for access to CI/CD credentials, cloud provider tokens, and password manager stores. The Mini Shai-Hulud worm specifically targets these high-value secrets, so the pattern to alert on is a development-tool process (an extension host, a build agent) reading a credential file and then opening a connection to a host it has no business talking to.
- Audit Extension Behavior: VS Code has no permission model for extensions; an installed extension runs with the developer's full user privileges. Review what an extension's published source and recent update history actually do, pin the versions you have reviewed, and use network monitoring to detect extensions that ship files or credentials to external domains. The Nx Console malware was caught because it read ~/.claude/settings.json and transmitted the contents to attacker-controlled servers, which is exactly the file-read-then-upload sequence monitoring should flag.
- Implement Sigstore Verification: The Mini Shai-Hulud worm does not forge Sigstore certificates; it obtains genuine ones from Fulcio at runtime, so a valid signature by itself proves little. Organizations should still verify packages, but the verification workflow has to check the signing identity recorded in the certificate and provenance (repository, workflow, ref) and then confirm that the build it describes was an authorized release, not merely that a signature verifies.
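The monitoring and extension-behavior items above describe one detection pattern: an extension host reads a credential store and shortly afterwards talks to an unfamiliar host. The following is an added example of that correlation, not code from the page, from StepSecurity or from any vendor. It runs over constructed, newline-delimited JSON telemetry of the kind an EDR or osquery pipeline normalizes; the event fields, the way the extension host is recognized (`--type=extensionHost` on its command line, or the macOS "Code Helper (Plugin)" process name), the credential-file paths and the allowed-host set are all assumptions to adapt to your own feed.

```python
"""Correlate credential-file reads by a VS Code extension host with outbound
connections to hosts outside an allowlist (added example; telemetry is constructed)."""
import json
import re
from collections import defaultdict

# Credential stores the page reports the malicious extension harvesting (Claude Code,
# npm, AWS, HashiCorp Vault, Kubernetes) plus the GitHub CLI token file; the exact
# paths are an assumption and a starting list to extend.
SENSITIVE_SUFFIXES = (
    "/.claude/settings.json",
    "/.npmrc",
    "/.aws/credentials",
    "/.kube/config",
    "/.vault-token",
    "/.config/gh/hosts.yml",
)

# Hosts an extension host legitimately contacts (assumption: tune to your environment).
ALLOWED_HOSTS = {
    "marketplace.visualstudio.com",
    "update.code.visualstudio.com",
}

# Assumption: VS Code runs extensions in a separate extension-host process whose
# command line carries --type=extensionHost (macOS names it "Code Helper (Plugin)").
EXT_HOST_RE = re.compile(r"--type=extensionHost|Code Helper \(Plugin\)")


def is_sensitive(path):
    return path.endswith(SENSITIVE_SUFFIXES)


def is_extension_host(evt):
    return bool(EXT_HOST_RE.search(evt.get("exe", "") + " " + evt.get("cmdline", "")))


def parse_telemetry(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate(events, window=60):
    """Alert when an extension host reads a credential store and, within `window`
    seconds, connects to a host outside ALLOWED_HOSTS. Reads by other processes
    (for instance the claude CLI reading its own settings) are ignored."""
    recent_reads = defaultdict(list)  # pid -> [(ts, path), ...]
    alerts = []
    for evt in sorted(events, key=lambda e: e["ts"]):
        if not is_extension_host(evt):
            continue
        pid = evt["pid"]
        if evt["type"] == "file_open" and is_sensitive(evt["path"]):
            recent_reads[pid].append((evt["ts"], evt["path"]))
        elif evt["type"] == "net_connect" and evt["dest"] not in ALLOWED_HOSTS:
            files = sorted({p for ts, p in recent_reads[pid] if evt["ts"] - ts <= window})
            if files:
                alerts.append({"ts": evt["ts"], "pid": pid, "exe": evt["exe"],
                               "dest": evt["dest"], "port": evt["port"], "files": files})
    return alerts


# Constructed telemetry, not real logs: an extension host (pid 4242) reads two credential
# files, then talks to the marketplace (fine) and to 203.0.113.10 (not fine); the claude
# CLI (pid 9001) reads its own settings and talks to its API; a late connection from
# 4242 falls outside the correlation window.
SAMPLE_TELEMETRY = """
{"ts": 100, "type": "file_open", "pid": 4242, "exe": "/usr/share/code/code", "cmdline": "/usr/share/code/code --type=extensionHost", "path": "/home/dev/.claude/settings.json"}
{"ts": 101, "type": "file_open", "pid": 4242, "exe": "/usr/share/code/code", "cmdline": "/usr/share/code/code --type=extensionHost", "path": "/home/dev/.npmrc"}
{"ts": 101, "type": "file_open", "pid": 4242, "exe": "/usr/share/code/code", "cmdline": "/usr/share/code/code --type=extensionHost", "path": "/home/dev/.gitconfig"}
{"ts": 102, "type": "net_connect", "pid": 4242, "exe": "/usr/share/code/code", "cmdline": "/usr/share/code/code --type=extensionHost", "dest": "marketplace.visualstudio.com", "port": 443}
{"ts": 103, "type": "net_connect", "pid": 4242, "exe": "/usr/share/code/code", "cmdline": "/usr/share/code/code --type=extensionHost", "dest": "203.0.113.10", "port": 443}
{"ts": 104, "type": "file_open", "pid": 9001, "exe": "/usr/local/bin/claude", "cmdline": "claude", "path": "/home/dev/.claude/settings.json"}
{"ts": 105, "type": "net_connect", "pid": 9001, "exe": "/usr/local/bin/claude", "cmdline": "claude", "dest": "api.anthropic.com", "port": 443}
{"ts": 900, "type": "net_connect", "pid": 4242, "exe": "/usr/share/code/code", "cmdline": "/usr/share/code/code --type=extensionHost", "dest": "203.0.113.11", "port": 443}
"""


def run(text=SAMPLE_TELEMETRY, window=60):
    return correlate(parse_telemetry(text), window)


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

The window matters in both directions: the sample's late connection at ts 900 is not tied to the reads at ts 100, which keeps a long-lived extension host from producing an alert every time it fetches marketplace metadata hours after a legitimate settings read; widen it if your feed batches events. Keying on the extension host rather than on every process is what lets the claude CLI read its own settings without noise.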
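The Endor Labs observation earlier on this page (a valid Sigstore certificate proves where a package was built, not that the build was authorized) and the verification item above both call for a policy layer that runs after signature verification. The following is an added example, not code from the page, Endor Labs, npm or Sigstore. It takes a SLSA v1 provenance statement of the shape npm publishes (the statement here is constructed, and its Sigstore signature is assumed to have been verified already by a tool such as `npm audit signatures`) and checks that the artifact digest matches the downloaded tarball, that the builder, repository, workflow and tag are the expected ones, and that the source commit is one your release process actually cut. The repository, workflow path, tag naming rule and commit allowlist are assumptions; a real deployment takes them from its own release records.

```python
"""Policy check on an already-signature-verified SLSA v1 provenance statement
(added example; the statement, tarball and policy values are constructed)."""
import copy
import hashlib
from urllib.parse import quote

SLSA_V1 = "https://slsa.dev/provenance/v1"

# Constructed stand-ins: the downloaded tarball and the commit your release process cut.
TARBALL = b"constructed stand-in for the downloaded example-widget-1.4.2.tgz\n"
RELEASE_COMMIT = "a" * 40

# Constructed provenance statement; field names follow SLSA v1 provenance as npm
# publishes it. Its Sigstore signature is assumed to have been verified already.
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pkg:npm/%40example/widget@1.4.2",
                 "digest": {"sha512": hashlib.sha512(TARBALL).hexdigest()}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": "refs/tags/v1.4.2",
                "repository": "https://github.com/example/widget",
                "path": ".github/workflows/release.yml"}},
            "resolvedDependencies": [{
                "uri": "git+https://github.com/example/widget@refs/tags/v1.4.2",
                "digest": {"gitCommit": RELEASE_COMMIT}}],
        },
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
    },
}

# Policy values are assumptions; the commit allowlist is the authorization record
# (for example, commits behind tags signed by your release managers).
POLICY = {
    "builder_id": "https://github.com/actions/runner/github-hosted",
    "repository": "https://github.com/example/widget",
    "workflow_path": ".github/workflows/release.yml",
    "authorized_release_commits": {RELEASE_COMMIT},
}


def subject_name(package, version):
    # npm names the provenance subject with a purl; the scope's "@" is percent-encoded.
    return f"pkg:npm/{quote(package, safe='/')}@{version}"


def check_provenance(statement, tarball, package, version, policy):
    """Return a list of policy violations; an empty list means the package passes."""
    problems = []
    if statement.get("predicateType") != SLSA_V1:
        return ["predicateType is not SLSA v1 provenance"]

    # 1. The attestation must be about the bytes we actually downloaded.
    want_name = subject_name(package, version)
    want_digest = hashlib.sha512(tarball).hexdigest()
    subjects = {s["name"]: s.get("digest", {}).get("sha512") for s in statement.get("subject", [])}
    if subjects.get(want_name) != want_digest:
        problems.append(f"subject digest for {want_name} does not match the downloaded tarball")

    # 2. Where it was built: builder, repository, workflow file and ref.
    pred = statement.get("predicate", {})
    build = pred.get("buildDefinition", {})
    wf = build.get("externalParameters", {}).get("workflow", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder != policy["builder_id"]:
        problems.append(f"unexpected builder id {builder!r}")
    if wf.get("repository") != policy["repository"]:
        problems.append(f"built from repository {wf.get('repository')!r}, expected {policy['repository']!r}")
    if wf.get("path") != policy["workflow_path"]:
        problems.append(f"built by workflow {wf.get('path')!r}, expected {policy['workflow_path']!r}")
    expected_ref = f"refs/tags/v{version}"  # assumption: release tags are named vX.Y.Z
    if wf.get("ref") != expected_ref:
        problems.append(f"built from ref {wf.get('ref')!r}, expected {expected_ref!r}")

    # 3. Whether the build was authorized: the source commit must be one we released.
    commits = [d.get("digest", {}).get("gitCommit")
               for d in build.get("resolvedDependencies", [])
               if d.get("uri", "").startswith("git+" + policy["repository"])]
    if not commits or any(c not in policy["authorized_release_commits"] for c in commits):
        problems.append(f"source commit(s) {commits} not in the authorized release commits")
    return problems


def demo():
    """Pass for the constructed release; fail for a build of an unreviewed commit
    that otherwise carries a truthful identity (the case the worm produces)."""
    good = check_provenance(STATEMENT, TARBALL, "@example/widget", "1.4.2", POLICY)
    rogue = copy.deepcopy(STATEMENT)
    rogue["predicate"]["buildDefinition"]["resolvedDependencies"][0]["digest"]["gitCommit"] = "b" * 40
    bad = check_provenance(rogue, TARBALL, "@example/widget", "1.4.2", POLICY)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

Checks 1 and 2 are what a stock verifier already enforces once you give it an expected identity. Check 3 is the part the page's Endor Labs quote is about: a worm running inside a compromised pipeline can push a tag, let the real release workflow build it and walk away with an attestation that truthfully says "built by .github/workflows/release.yml", but the commit it built was never on your release list.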
The GitHub breach and the broader TeamPCP campaign reveal a fundamental tension in the modern development ecosystem. Developers rely on open-source tools and AI-powered coding assistants to work efficiently, but each tool represents a potential attack surface. The targeting of Claude Code configuration files suggests that as AI coding tools become more prevalent, attackers will continue to adapt their strategies to exploit the credentials and configurations these tools store locally.
For teams using Claude Code or similar AI-powered development tools, the lesson is clear: the convenience of local credential storage comes with significant security risk. Organizations should treat AI coding tool credentials with the same rigor they apply to CI/CD secrets, cloud provider tokens, and password manager access. The 48-hour window in which TeamPCP compromised five different surfaces demonstrates that attackers are moving faster than ever, and the margin for error in credential management has shrunk to nearly zero.