On May 19, GitHub disclosed that it was investigating unauthorized access to internal repositories. TeamPCP claims to have extracted data from roughly 4,000 private repos. The reported vector: a malicious VS Code extension installed on a developer's workstation.

Right now, we don't know which extension or whose machine was impacted. What we do know is that this is yet another case of developer devices being compromised through tooling developers trust implicitly. And we have a clear recent example of exactly how it works.

Official no longer means safe to install immediately

Trust, not sophistication, is what makes attacks like Nx Console, Durable Task Python SDK, and the Mini Shai-Hulud campaign across the AntV ecosystem work. These are not sketchy packages and extensions from unknown publishers. They are tools developers use without thinking twice, precisely because it has the install count, the verified publisher badge, and the marketplace legitimacy that signal safety.

That signal is now the target. High install count means high-value compromise. A verified publisher means developers don't hesitate. Official marketplace means no one thinks to check.

The community is getting better at catching these attacks, however, the attack model accounts for that. It just needs minutes, not days.

How Aikido is solving this problem

Earlier this Spring we released Device Protection, an on-device agent built to protect against threats from packages, extensions, and AI tooling like MCP servers. It combines 2 critical features that stop attacks like Nx Console. ‍

Real-time malware blocking: Device Protection checks each package and extension install, including updates, against Aikido's live malware feed. If an extension is flagged as malware, install is blocked, no exceptions. 

Minimum age blocking: Device Protection includes a configurable minimum age for recently published packages and extensions. By default, any package or extension published within the last 48 hours is blocked before it can be installed on a device. Importantly, minimum age applies to new updates, not just fresh installs. Admins can extend or shorten the window based on their specific risk tolerance for each ecosystem.  Importantly, Aikido Device Protection automatically falls back to the most recently published safe version, so your team is protected, not blocked. 

The Nx Console malicious version was live for 18 minutes. The Durable Task SDK packages were caught within hours of publication. Both fall well inside the 48-hour hold. Under that policy, neither would have reached a developer machine, adding protection beyond the instantaneous malware detection by blocking the attack window itself.

Aikido Device Protection moves enforcement to the device, not the network edge. A developer on a home connection, hotel wifi, or a personal hotspot is outside corporate network controls entirely. Aikido's agent enforces the policy at the workstation itself, wherever it is. 

EDR doesn't see this surface

The Nx Console payload was 2,777 bytes of JavaScript injected into a minified file. The Durable Task SDK was a 28 KB Python script. Neither looks like malware to a binary scanner, because neither is a binary. The Nx Console payload read .env files. So does every developer, dozens of times a day. EDR has no signature to match.

Traditional EDR watches compiled executables for known signatures. VS Code extensions, npm packages, and PyPI distributions are plain-text, interpreted artifacts on a different layer entirely. Aikido monitors that layer: npm, PyPI, VS Code Marketplace, JetBrains, Cursor, Windsurf. It covers that surface specifically because EDR doesn't. The two tools aren't redundant. They watch different things.