One of the biggest supply chain attacks in recent months has hit the AI industry directly. On May 18, hacker group TeamPCP (tracked by Mandiant as UNC6780) compromised Nx Console, a popular VS Code extension with 2.2 million installs — one of the most widely used developer extensions out there.
What Happened
The attack lasted just 18 minutes but was devastatingly effective. During that window, a tampered version of the extension was pushed to all users, harvesting credentials and tokens from development environments. The attackers specifically searched for AI-related configurations, including Claude Code config files.
The damage: 3,800 internal GitHub repositories were stolen. Confirmed victims include OpenAI (two compromised devices), Mistral (one device, plus an extortion attempt), and the European Commission.
How Serious Is This?
Very. The vulnerability was classified as CVE-2026-45321 with a CVSS score of 9.6 out of 10 — near the maximum. The attack highlights a fundamental problem: developers trust their IDE extensions, and these extensions often have broad access to local files, tokens, and configurations.
The fact that attackers specifically targeted Claude Code configurations shows just how valuable AI tool credentials have become. API keys for Claude, GPT-4, or other models are worth real money on the black market.
What You Should Do
If you used Nx Console between May 18 and 19: check your installed extensions, rotate all API keys and tokens, and review your git logs for unusual activity. This applies especially to Claude Code API keys and other AI service credentials.
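A triage helper for the "check your installed extensions" step, added here as an example and not taken from Nx Console, Mandiant or any vendor advisory: it lists VS Code extensions whose files were written during a window you supply, and flags any whose name contains "Nx Console". The function name, the default `~/.vscode/extensions` path and the use of file modification time as a stand-in for update time are assumptions.

```python
import json
import sys
from datetime import datetime, timezone
from pathlib import Path


def updated_in_window(ext_dir, start, end, needle="nx console"):
    """List extensions whose manifest or folder was written in [start, end].

    Returns (folder, version, last_write_utc, name_matches) tuples.
    Modification time is only a proxy for update time (assumption).
    """
    hits = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if not isinstance(meta, dict):
            continue
        # Take the newer of the manifest and folder timestamps.
        stamp = max(manifest.stat().st_mtime, manifest.parent.stat().st_mtime)
        when = datetime.fromtimestamp(stamp, tz=timezone.utc)
        if start <= when <= end:
            label = f"{meta.get('displayName', '')} {meta.get('name', '')}"
            hits.append((manifest.parent.name, meta.get("version"), when,
                         needle in label.lower()))
    return hits


if __name__ == "__main__":
    # Usage: python check_ext.py START END [EXTENSIONS_DIR]
    # START and END are ISO dates or datetimes, interpreted as UTC.
    start, end = (datetime.fromisoformat(a).replace(tzinfo=timezone.utc)
                  for a in sys.argv[1:3])
    default_dir = Path.home() / ".vscode" / "extensions"
    ext_dir = sys.argv[3] if len(sys.argv) > 3 else default_dir
    for folder, version, when, match in updated_in_window(ext_dir, start, end):
        flag = "REVIEW FIRST" if match else "updated in window"
        print(f"{when:%Y-%m-%d %H:%M}Z  {folder}  v{version}  [{flag}]")
```

An empty result does not clear a machine, since an extension can be updated again after the window; rotate credentials regardless.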