// #vs-code

2 articles

TeamPCP's simultaneous compromise of three developer toolchain components — a code-signed installer, an npm package, and a VS Code extension — follows a refined methodology the group has been developing across multiple 2026 campaigns. The technical approach explains why these attacks reach environments that are otherwise well-defended.

May 27, 2026 #teampcp +7

🔬 Assessment

Auditing VS Code Extensions for Supply-Chain Risk: A Practical Assessment Guide

The Nx Console supply-chain compromise in TeamPCP's May 2026 campaign targeted an extension with millions of downloads. With over 60,000 extensions in the VS Marketplace, most organisations have no inventory of which extensions their developers run. This guide covers extension auditing, publisher verification, and policy controls.

May 27, 2026 #vs-code +6

Commentary tagged #vs-code

Opinion

Developer Toolchains Are the New Perimeter — and the Industry Has Not Accepted It

Simultaneous CISA KEV additions for three developer toolchain compromises in one campaign makes the case explicitly: the software supply chain attack surface runs through the tools developers use, not just the code they write. The security industry is still catching up.

CipherWatch Editorial

Security Intelligence Platform

May 27, 2026

TeamPCP 'Mini Shai-Hulud': Inside the Developer Toolchain Attack Campaign Now on CISA KEV

Auditing VS Code Extensions for Supply-Chain Risk: A Practical Assessment Guide

Commentary tagged #vs-code

Developer Toolchains Are the New Perimeter — and the Industry Has Not Accepted It