On May 19, GitHub disclosed that it was investigating unauthorized access to internal repositories. TeamPCP claims to have extracted data from roughly 4,000 private repos. The reported vector: a malicious VS Code extension installed on a developer's workstation.
Right now, we don't know which extension or whose machine was impacted. What we do know is that this is yet another case of developer devices being compromised through tooling developers trust implicitly. And we have a clear recent example of exactly how it works.
Just one day earlier, the Nx Console VS Code extension, which has 2.2 million installs and verified publisher status, was briefly backdoored. The malicious version collected credentials silently from the moment a developer opened any workspace. The community, including Aikido Intel, caught it quickly: the version was pulled within 18 minutes on the VS Code Marketplace and 36 minutes on Open VSX.
Official no longer means safe to install immediately
Trust, not sophistication, is what makes attacks like Nx Console, Durable Task Python SDK, and the Mini Shai-Hulud campaign across the AntV ecosystem work. These are not sketchy packages and extensions from unknown publishers. They are tools developers use without thinking twice, precisely because they have the install count, the verified publisher badge, and the marketplace legitimacy that signal safety.
That signal is now the target. High install count means high-value compromise. A verified publisher means developers don't hesitate. Official marketplace means no one thinks to check.
The community is getting better at catching these attacks. However, the attack model accounts for that: it needs only minutes, not days.
How Aikido is solving this problem
Earlier this spring we released Device Protection, an on-device agent built to protect against threats from packages, extensions, and AI tooling like MCP servers. It combines two critical features that stop attacks like Nx Console.
Real-time malware blocking: Device Protection checks each package and extension install, including updates, against Aikido's live malware feed. If an extension is flagged as malware, install is blocked, no exceptions.
Minimum age blocking: Device Protection includes a configurable minimum age for recently published packages and extensions. By default, any package or extension published within the last 48 hours is blocked before it can be installed on a device. Importantly, minimum age applies to new updates, not just fresh installs. Admins can extend or shorten the window based on their specific risk tolerance for each ecosystem. Aikido Device Protection also automatically falls back to the most recently published safe version, so your team is protected, not blocked.
The Nx Console malicious version was live for 18 minutes. The Durable Task SDK packages were caught within hours of publication. Both fall well inside the 48-hour hold. Under that policy, neither would have reached a developer machine, adding protection beyond the instantaneous malware detection by blocking the attack window itself.
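To make the two rules above concrete, here is an added illustration (not Aikido's agent code) of how a minimum-age hold, a malware-feed check, and the fall-back to the newest safe version combine when resolving an install or update. The extension name, release dates, and feed entry are constructed sample data modelled on the timeline in the text, not real Nx Console metadata.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: a fictional extension with four releases. The newest
# is 20 minutes old and is also listed in a (constructed) malware feed, the next
# is 27 hours old, the rest are older than a week.
NOW = datetime(2026, 5, 19, 12, 0, tzinfo=timezone.utc)
RELEASES = {
    "1.2.0": datetime(2026, 5, 19, 11, 40, tzinfo=timezone.utc),  # 20 min old, flagged
    "1.1.9": datetime(2026, 5, 18, 9, 0, tzinfo=timezone.utc),    # 27 h old
    "1.1.8": datetime(2026, 5, 10, 9, 0, tzinfo=timezone.utc),    # 9 days old
    "1.1.7": datetime(2026, 4, 30, 9, 0, tzinfo=timezone.utc),
}
MALWARE_FEED = {("demo-publisher.demo-ext", "1.2.0")}  # hypothetical entry


def version_key(v):
    """Sort key for dotted numeric versions such as '1.1.9'."""
    return tuple(int(p) for p in v.split("."))


def resolve_install(name, requested, releases, feed,
                    min_age=timedelta(hours=48), now=NOW):
    """Return (version_to_install, reason) for a requested install or update.

    Rule 1: a version present in the malware feed is never installed.
    Rule 2: a version younger than min_age is held back (default 48 h).
    If the requested version fails either rule, the newest version that passes
    both is chosen instead; (None, reason) means nothing currently passes.
    """
    def allowed(v):
        return (name, v) not in feed and now - releases[v] >= min_age

    if requested not in releases:
        raise KeyError(f"unknown version {requested}")
    if allowed(requested):
        return requested, "allowed"
    reason = "malware" if (name, requested) in feed else "too-new"
    for v in sorted(releases, key=version_key, reverse=True):
        if allowed(v):
            return v, f"{requested} blocked ({reason}); fell back"
    return None, f"{requested} blocked ({reason}); no safe version"
```

With the default 48-hour window the flagged 1.2.0 and the day-old 1.1.9 are both held, so the agent installs 1.1.8; shortening the window to 24 hours lets 1.1.9 through while 1.2.0 stays blocked by the feed.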
Aikido Device Protection moves enforcement to the device, not the network edge. A developer on a home connection, hotel Wi-Fi, or a personal hotspot is outside corporate network controls entirely. Aikido's agent enforces the policy at the workstation itself, wherever it is.
EDR doesn't see this surface
The Nx Console payload was 2,777 bytes of JavaScript injected into a minified file. The Durable Task SDK was a 28 KB Python script. Neither looks like malware to a binary scanner, because neither is a binary. The Nx Console payload read .env files. So does every developer, dozens of times a day. EDR has no signature to match.
Traditional EDR watches compiled executables for known signatures. VS Code extensions, npm packages, and PyPI distributions are plain-text, interpreted artifacts on a different layer entirely. Aikido monitors that layer: npm, PyPI, VS Code Marketplace, JetBrains, Cursor, Windsurf. It covers that surface specifically because EDR doesn't. The two tools aren't redundant. They watch different things.
The community's ability to catch and remove malicious packages is real. For extensions with millions of installs, it's also insufficient. Caught in 18 minutes and prevented exposure are not the same thing. Minimum package and extension ages are the best way to protect your devices from similar attacks today.
You can learn more about Device Protection on the Aikido website or try it out with a free trial account.