
GitHub, Grafana Labs breaches traced back to TanStack supply chain compromise

ID: df206e6a-d9fe-5313-a820-802944baac7c

STIX ID: report--df206e6a-d9fe-5313-a820-802944baac7c

Feed Name: Help Net Security

Threat Score: 90/100

Date Published: 2026-05-21

Date Updated: 2026-05-21

Author: Zeljka Zorz

...
...

A poisoned VS Code extension (Nx Console) and malicious TanStack npm package releases, attributed to TeamPCP and the self-replicating Mini Shai-Hulud worm, were used to harvest credentials (tokens, cloud and package credentials, and secrets stored in secrets managers) and to pivot through CI/CD pipelines. The campaign led to the exfiltration of around 3,800 private GitHub repositories and affected organizations including GitHub and Grafana Labs.
