What changed#
SANS ISC reports that the TeamPCP supply-chain campaign has expanded across three package ecosystems in parallel. The reported activity through 2026-05-24 includes a malicious VS Code extension build tied to a GitHub internal breach, trojanized versions of an officially Microsoft-published Python SDK on PyPI, and a large npm wave through the @antv ecosystem.
The common thread is not only package compromise. It is trust-path compromise.
In each case, the malicious activity moved through surfaces developers are trained to trust: verified publishers, official package ownership, popular dependencies, auto-update behavior, and package-manager UI signals. That makes the campaign more dangerous than a simple typosquatting run. The attacker does not need every target to make a bad judgment. In some cases, the normal update path appears to have been enough.
SANS describes three escalations in a single week:
- a malicious Nx Console VS Code extension build that GitHub’s CISO publicly named as the root of an internal breach;
- malicious versions of Microsoft’s Azure Durable Functions Python client on PyPI;
- a third Mini Shai-Hulud wave through @antv npm packages, with hundreds of malicious package versions.
The details below should be read with the usual caveat for fast-moving incident reporting: some counts and impact statements come from public reporting and vendor statements cited by SANS. The useful response is not panic. It is exposure review.
The GitHub case: a trusted extension path failed#
According to the SANS write-up, GitHub CISO Alexis Wales publicly named a malicious Nx Console VS Code extension build as the root of an intrusion that exfiltrated approximately 3,800 GitHub-internal repositories. The affected build was identified as v18.95.0, published under nrwl.angular-console, with a verified-publisher badge and roughly 2.2 million installs.
The malicious extension was reportedly live in the Visual Studio Marketplace for about 18 minutes.
That short window is still enough in a world of auto-updates. SANS reports that on a GitHub employee endpoint, the extension auto-updated during the window, exfiltrated developer secrets, and was then used to move laterally through GitHub’s internal CI/CD. Public reporting cited in the source says no customer-tenant data was affected.
The same section of the SANS item links this event to earlier TeamPCP activity. It says reporting ties OIDC credentials harvested in the May 11 TanStack wave to the Nx Console publish on May 18. If accurate, that makes this a multi-stage supply-chain operation: credentials stolen in one wave were later used to publish through a legitimate extension channel.
OpenAI, Grafana Labs, and Mistral AI were named as downstream victims whose developers had auto-update enabled, according to the source material.
The practical lesson is narrow but important. A verified-publisher badge tells you something about the publisher account. It does not prove that every future publish event is clean. A legitimate account can still be abused.
The Microsoft PyPI package: official ownership did not prevent compromise#
SANS also reports that three malicious versions of Microsoft’s official Azure Durable Functions Python client were published to PyPI on 2026-05-19. The affected package is described as the durabletask client, with roughly 417,000 monthly downloads. The affected versions were 1.4.1 through 1.4.3.
The window was short. SANS says the versions were published and then yanked within hours, with the trojanization occurring inside an approximately 35-minute window.
The impact model is still severe. The source says the dropper was injected into the package’s Python source files, meaning that importing the SDK was enough to execute the malicious code. That matters for CI/CD and ephemeral runners. A package does not need to be used in production for the import path to expose secrets.
SANS says the second-stage payload is characterized by independent reporting as a credential stealer and worm targeting AWS, Azure, GCP, HashiCorp Vault, 1Password, and Bitwarden. The same reporting characterizes the second stage as carrying a Linux disk wiper. That last point should not be overstated beyond the source, but it raises the risk profile from credential theft alone toward possible destructive behavior.
For defenders, the operational line is simple: if an environment installed or imported durabletask versions 1.4.1, 1.4.2, or 1.4.3 on 2026-05-19, treat that environment as exposed until reviewed. That includes local developer machines, build workers, short-lived CI runners, containers, and cached dependency layers.
The @antv npm wave: scale and UI trust signals#
The third reported escalation is a Mini Shai-Hulud wave through the @antv npm ecosystem.
SANS cites independent counts of 639 malicious versions across 323 packages, published through a compromised maintainer account named atool. The affected set reportedly included high-usage packages such as echarts-for-react, with roughly 1.1 million weekly downloads, and size-sensor, with roughly 4.2 million weekly downloads.
The source describes this as the largest single burst by package count in the campaign so far.
The payload is described as an obfuscated JavaScript payload of roughly 499 KB that runs during package activity and harvests more than 20 credential classes, including GitHub and npm tokens and cloud keys. The provided source material is truncated before the full credential list, so it is better not to infer more than that.
One detail deserves attention: SANS says 42 of the malicious packages were observed displaying fake Sigstore verification badges in the npm UI. If confirmed in the way described, this is another example of the campaign attacking not only packages, but the reader’s trust model. Users do not parse every tarball. They look for names, badges, publishers, install counts, and familiar dependency chains. The attacker appears to understand that.
What defenders should check now#
Teams should avoid treating this as one ecosystem’s problem. The reported activity spans VS Code extensions, PyPI, and npm. The shared exposure is developer identity, CI/CD secrets, package-publishing rights, and cloud credentials.
Practical checks:
- Review installs of Nx Console v18.95.0, especially on systems with auto-update enabled during the reported window.
- Review any environment that installed or imported
durabletaskversions 1.4.1, 1.4.2, or 1.4.3 on 2026-05-19. - Review dependency logs for @antv packages affected in the 2026-05-19 wave, especially packages pulled by CI rather than committed lockfiles.
- Rotate developer and CI/CD credentials that may have been exposed during the relevant windows.
- Check GitHub, npm, cloud, Vault, 1Password, and Bitwarden-related secrets for unusual access or new tokens.
- Inspect AI coding agent configuration files and developer automation configs for persistence mechanisms, as SANS specifically calls this out.
- Audit package-publishing accounts for new tokens, changed maintainers, unexpected OIDC trust relationships, and recent publish events.
The defensive mistake would be to focus only on whether a package is still live. Yanked packages can remain in caches, build layers, mirrors, and developer machines. A short malicious window can still produce durable credential compromise.
What not to overclaim#
There are several things this reporting does not prove by itself.
It does not mean every user of Nx Console, durabletask, or @antv packages was compromised. Exposure depends on version, timing, install path, execution path, and local secrets available to the process.
It does not mean verified publishers or package attestations are useless. It means they are not install-time guarantees of safety. They reduce some classes of risk and leave others open, especially when the publisher account or release path is compromised.
It also does not mean every downstream named organization had the same level of impact. The source names downstream victims in the context of developers with auto-update enabled. The exact scope per organization should be left to their own statements.
The campaign’s direction is still clear. TeamPCP is not only pushing malicious code. It is chaining prior credential theft into later trusted publishes, crossing ecosystems, and abusing the normal machinery of developer work.
The right response is not to abandon package managers. It is to stop treating trust badges, official ownership, and popularity as final answers. In this campaign, those are part of the attack surface.