On May 18, a poisoned VS Code extension sat on an employee’s machine inside GitHub for 11 minutes. In that window, it exfiltrated credentials, scanned 1Password vaults, and walked out with ~3,800 internal repositories. The threat actor listed the haul on a cybercrime forum with a $50,000 floor price. Here’s the part no one’s talking about: the policy control that would have blocked this — AllowedExtensions — shipped in VS Code 1.96 in November 2024. That’s 18 months before the breach. GitHub, a Microsoft subsidiary running Microsoft’s own IDE, wasn’t enforcing it. If they couldn’t get this right, what do your clients’ developer fleets look like?
What happened
The Nx Console extension (nrwl.angular-console, 2.2 million installs) was compromised after a maintainer’s GitHub token was stolen in the downstream wake of the TanStack supply chain attack. Version 18.95.0 was published to the VS Code Marketplace with 2,777 bytes of injected code hidden in the minified main.js. On workspace open, it silently executed an npx command fetching a 498 KB payload from a dangling orphan commit on the official nrwl/nx repository — disguised as routine MCP setup. The payload harvested GitHub tokens, npm credentials, AWS keys, 1Password vaults, and Anthropic Claude Code configs. It installed a persistent Python backdoor using the GitHub Search API as dead-drop C2. The extension was pulled after 11-18 minutes. By then, ~3,800 GitHub internal repos were exfiltrated. CISA added both the TanStack (CVE-2026-45321, CVSS 9.6) and Nx Console (CVE-2026-48027, CVSS 9.3) flaws to the Known Exploited Vulnerabilities catalog with a June 10 remediation deadline for federal agencies.
Why operators should care
VS Code extensions auto-update by default. This is the right call for security patching in the abstract — most developers never update manually, and stale extensions carry known vulnerabilities. But auto-update with no publisher review gate means a compromised extension update lands on every machine running it, instantly. The VS Code Marketplace doesn’t impose a waiting period between publish and client pull. In the Nx Console incident, the malicious version was pushed, pulled, executed, and done harvesting credentials before most security teams had finished their morning coffee. The structural problem: the IDE is the new endpoint. Extensions run with a developer’s full privileges — source trees, environment variables, SSH keys, cloud credentials, package registry tokens. Legacy EDR doesn’t see an extension downloading a payload and executing shell commands because that looks like normal developer behavior. Even System Center and traditional endpoint management tools have no native visibility into VS Code extension inventory. If you’re managing developer endpoints with the same tooling you use for finance workstations, you’re blind to this vector.
The missed signal
The policy control that blocks this — AllowedExtensions — has existed since VS Code 1.96 (November 2024). It’s a simple whitelist: you declare which publishers or extension IDs are permitted, and everything else is greyed out in the marketplace. It works on Windows (ADMX Group Policy or registry), macOS (.mobileconfig), and Linux (policy.json). Microsoft documented it. Third-party consultants blogged about it. Intune remediation scripts exist. But GitHub — the company that builds the collaboration layer most of the world’s code flows through — didn’t enforce it on its own employees. The policy framework wasn’t missing. The enforcement was. And that’s the operational lesson: having the policy knob isn’t the same as turning it. Every MSP and IT team that manages developer endpoints should treat this as a compliance signal — if the world’s largest code-hosting platform wasn’t enforcing its own IDE’s extension policy, your clients almost certainly aren’t either. The gap isn’t technical. It’s operational.
What to do next
1. Deploy AllowedExtensions via Intune this week. The simplest path is a PowerShell remediation script that sets a registry key. Jörgen Nilsson’s script at ccmexec.com is battle-tested: create HKLM:\SOFTWARE\Policies\Microsoft\VSCode\AllowedExtensions with value {"microsoft": true} as a starting whitelist (allows all Microsoft-published extensions). For stricter environments, whitelist specific extension IDs only. Deploy as a device configuration profile, not a user script — it needs to land before the user opens VS Code.
2. Set UpdateMode to “none” on locked-down workstations. If you already manage third-party application updates through PatchMyPC, Enterprise App Management, or Robopack, suppress VS Code’s built-in updater. Users without local admin can’t act on update prompts anyway, and leaving auto-update on means a compromised extension update reaches the machine before your patch cycle catches it.
3. Inventory what’s already installed. Before enforcing a whitelist, audit existing extensions across your fleet. VS Code stores extensions in %USERPROFILE%\.vscode\extensions on Windows. A one-line PowerShell inventory script run via Intune proactive remediation gives you a baseline in under an hour. Flag any extension with fewer than 10,000 installs or an unverified publisher badge.
4. Add the Copilot and MCP guardrails. The breach used MCP setup as disguise, and the credential stealer specifically targeted Claude Code and Copilot configs. The newer enterprise policies — ChatToolsAutoApprove, ChatMCP, ChatAgentExtensionTools — control whether agent extensions can execute tools without user approval. Set ChatToolsAutoApprove to disabled (no YOLO mode) and ChatMCP to restrict MCP server access to an explicit allowlist. These policies are newer and less widely documented, but they close the exact attack path TeamPCP exploited.
5. Rotate credentials that live on developer machines. Assume any token, key, or secret reachable from a VS Code workspace is within blast radius of a malicious extension. Rotate on a risk-weighted schedule: package registry tokens first (npm, PyPI), then cloud provider keys (AWS, Azure), then Git credentials. The Nx Console stealer specifically hunted 1Password vault files — if your developers use a password manager CLI, those session tokens are in scope.
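The inventory in step 3 can be checked directly against the allowlist from step 1. The script below is an added example, not code from this article, ccmexec.com or Microsoft. It assumes the policy is stored as a JSON string in a registry value named AllowedExtensions under the VSCode policy key, that profiles live under C:\Users, and the function names are hypothetical.

```powershell
# Added example: audit installed VS Code extensions against AllowedExtensions.
# Assumption: the policy is a JSON string in the value "AllowedExtensions" under
# the VSCode policy key; if it is absent, the sample allowlist from step 1 is used.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\VSCode'
$raw = (Get-ItemProperty -Path $PolicyKey -Name AllowedExtensions -ErrorAction SilentlyContinue).AllowedExtensions
if (-not $raw) { $raw = '{"microsoft": true}' }   # constructed fallback
$Policy = ($raw -join '') | ConvertFrom-Json       # -join covers multi-string values

function Test-ExtensionAllowed {
    param([string]$Publisher, [string]$Name, $Policy)
    # Assumption: an extension-ID entry overrides a publisher entry. Only
    # boolean entries are evaluated; any other value counts as not allowed.
    foreach ($key in @("$Publisher.$Name", $Publisher)) {
        $entry = $Policy.PSObject.Properties | Where-Object { $_.Name -ieq $key } | Select-Object -First 1
        if ($entry) { return ($entry.Value -is [bool] -and $entry.Value) }
    }
    return $false   # unlisted publishers and IDs fall outside the allowlist
}

function Get-VSCodeExtensionInventory {
    param([string]$UsersRoot = 'C:\Users', $Policy)
    foreach ($userDir in Get-ChildItem -Path $UsersRoot -Directory -ErrorAction SilentlyContinue) {
        $extRoot = Join-Path $userDir.FullName '.vscode\extensions'
        if (-not (Test-Path $extRoot)) { continue }
        foreach ($dir in Get-ChildItem -Path $extRoot -Directory) {
            $pkg = $null
            try { $pkg = Get-Content (Join-Path $dir.FullName 'package.json') -Raw -ErrorAction Stop | ConvertFrom-Json }
            catch { }   # missing or unparsable manifest: reported as not allowed
            [pscustomobject]@{
                User    = $userDir.Name
                Folder  = $dir.Name
                Id      = if ($pkg) { "$($pkg.publisher).$($pkg.name)" } else { $null }
                Version = if ($pkg) { $pkg.version } else { $null }
                Allowed = [bool]($pkg -and (Test-ExtensionAllowed $pkg.publisher $pkg.name $Policy))
            }
        }
    }
}

$report  = @(Get-VSCodeExtensionInventory -Policy $Policy)
$flagged = @($report | Where-Object { -not $_.Allowed })
$flagged | Sort-Object User, Folder | Format-Table -AutoSize | Out-String | Write-Host
Write-Output "$($report.Count) extensions found, $($flagged.Count) outside the allowlist"
# Intune proactive remediation convention: exit 1 marks the device non-compliant.
if ($flagged.Count -gt 0) { exit 1 } else { exit 0 }
```

Run as a detection script in the system context so every profile is readable; the flagged rows are the extensions users would lose once the allowlist is enforced.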
The CISA deadline for federal agencies is June 10. For everyone else, the timeline is: before your next security audit asks why a policy that shipped in 2024 still isn’t enforced.
