Nx Console VS Code Extension Compromised to Steal Developer and Cloud Secrets
May 27, 2026 · 5 min read
A widely used Visual Studio Code extension was quietly turned into a credential-stealing tool in May 2026, putting millions of developers at serious risk without warning.

The Nx Console extension, which has over 2.2 million installations, was compromised when attackers published a malicious version to the official VS Code Marketplace.

On May 18, 2026, version 18.95.0 of the Nx Console extension (nrwl.angular-console) was pushed to the marketplace using stolen publishing credentials.

The moment a developer opened any workspace, the extension silently fetched and ran a 498 KB obfuscated payload hidden inside a dangling orphan commit on the official nrwl/nx GitHub repository.

The malicious version was only live for roughly 11 minutes before the Nx team detected and removed it.

Analysts at StepSecurity, in a report shared with Cyber Security News (CSN), identified and documented the attack in depth shortly after it occurred.

Their research revealed that this was a multi-stage supply chain attack, not a one-off intrusion. This also marks the second supply chain incident targeting the Nx ecosystem within a single year.

Attack Chain (Source – StepSecurity)

The payload was a fully capable credential stealer, harvesting tokens and secrets from GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password. Stolen data was pushed out through three separate channels: HTTPS, the GitHub API, and DNS tunneling, making it difficult to block any single path.

What made this attack especially dangerous was its reach. The payload also targeted Claude Code configuration files, making it one of the first known supply chain attacks designed to steal credentials from AI coding assistants.

On macOS, it installed a persistent Python backdoor that checked in every hour for new commands, signed with a 4096-bit RSA key.

Nx Console VS Code Extension Compromised

The attack started long before the malicious extension was published. A contributor’s GitHub personal access token was scraped during a separate, earlier supply chain incident, giving the attacker a foothold inside the official repository.

With that token, the attacker pushed an orphan commit to the nrwl/nx repository at 03:18 UTC, a commit with no parent history and no visible branch connection.

The orphan commit replaced the entire repository with just two files, a package.json and an obfuscated index.js payload.

At 12:36 UTC, the attacker used stolen VS Code Marketplace publishing credentials to release version 18.95.0. The malicious code, just 2,777 bytes, was injected into the minified main.js file and activated the moment any workspace opened.

The payload contained full Sigstore integration. Using stolen npm OIDC tokens, the attacker could have published downstream npm packages with valid, cryptographically signed provenance, making malicious packages appear as fully legitimate and verified builds.

Payload Behavior and Exfiltration

Once active, the payload ran six parallel credential collectors targeting a broad range of secrets stored on the developer’s machine.

It queried AWS metadata services, read HashiCorp Vault tokens, scanned npm configuration files, and combed through process memory on Linux using a direct read of /proc/*/mem.

Collected data was encrypted with AES-256-GCM and further wrapped with an RSA public key before being sent out.

The three-channel exfiltration design, using HTTPS, GitHub API abuse, and DNS tunneling, meant the attacker only needed one working path to receive stolen data.
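The DNS channel is the one a network defender can most readily spot, because any data pushed out over DNS has to be packed into query names. The following heuristic detector is an added example, not StepSecurity's or the Nx project's code, and it is not based on the actual payload's encoding; the log format, the base domain c2-example.invalid and the sample lines are constructed for the example. It flags query names whose longest subdomain label is both long and high-entropy, then reports base domains that receive several such queries.

```python
"""Heuristic detector for DNS-tunnelled exfiltration in resolver logs.

Added example (not StepSecurity's or the Nx project's code). The log format
"<timestamp> <client-ip> <qname> <qtype>" and the sample lines are constructed;
adapt parse_line() to your resolver's own format.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log: three benign lookups and four hex-encoded labels
# under one constructed base domain, as a tunnel would produce.
SAMPLE_LOG = """\
2026-05-18T12:38:01Z 10.0.0.7 api.github.com A
2026-05-18T12:38:02Z 10.0.0.7 4a6f686e2e646f65403132372e302e302e31.c2-example.invalid TXT
2026-05-18T12:38:02Z 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c.c2-example.invalid TXT
2026-05-18T12:38:03Z 10.0.0.7 67687020746f6b656e20776173206865726520.c2-example.invalid TXT
2026-05-18T12:38:03Z 10.0.0.7 registry.npmjs.org A
2026-05-18T12:38:04Z 10.0.0.7 9c2f7b1e0a4d8e6f5b3c2a1d0e9f8a7b6c5d4e3f.c2-example.invalid TXT
2026-05-18T12:38:05Z 10.0.0.9 marketplace.visualstudio.com A
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(text):
    """Bits per character of text; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Registrable-domain approximation: the last two labels ('c2-example.invalid')."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_suspicious_qname(qname, min_label_len=30, min_entropy=2.5):
    """True when the longest subdomain label is long and high-entropy.
    Tunnelled data must be encoded into labels; ordinary hostnames rarely are."""
    labels = qname.rstrip(".").split(".")[:-2]  # drop the base domain
    if not labels:
        return False
    longest = max(labels, key=len)
    return len(longest) >= min_label_len and shannon_entropy(longest) >= min_entropy


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype}


def find_tunnels(log_text, min_queries=3, **thresholds):
    """Count suspicious queries per base domain; report those at/above min_queries."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious_qname(rec["qname"], **thresholds):
            counts[base_domain(rec["qname"])] += 1
    return {dom: n for dom, n in counts.items() if n >= min_queries}


if __name__ == "__main__":
    for dom, n in find_tunnels(SAMPLE_LOG).items():
        print(f"possible DNS tunnel: {dom} ({n} suspicious queries)")
```

The thresholds are deliberately conservative starting points; CDN and anti-spam hostnames can also carry long labels, so in production the per-domain count and an allow-list of known services matter more than any single query.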

The payload also included anti-analysis tricks, such as skipping execution on machines with fewer than four CPU cores and avoiding Russian or CIS time zones.

These guardrails were designed to keep the malware running in real developer environments while dodging research sandboxes.

Any developer who had version 18.95.0 installed and opened a workspace between 12:36 and 12:47 UTC on May 18 should treat all credentials on that machine as compromised.

Developers are strongly advised to update the Nx Console to version 18.100.0 or later, remove backdoor persistence artifacts, and rotate all credentials including cloud tokens, GitHub personal access tokens, npm tokens, SSH keys, and any secrets stored in .env files.

On macOS, the persistence backdoor at ~/.local/share/kitty/cat.py and its LaunchAgent entry should be removed immediately.
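The remediation steps above and the IoC table below can be turned into a quick workstation triage script. The one that follows is an added example, not StepSecurity's or the Nx project's code: it lists installed copies of nrwl.angular-console and classifies their versions against the advisory, looks for the persistence artifacts named in the IoC table, and matches a file's digest against the listed hashes. It assumes the standard VS Code extension layout ~/.vscode/extensions/<publisher>.<name>-<version>/package.json; the home and root parameters exist so the checks can be pointed at a mounted disk image or a test directory rather than the live host.

```python
"""Local triage helper for the Nx Console v18.95.0 incident.

Added example (not StepSecurity's or the Nx project's code). Indicator values
come from the article's IoC table; the extension directory layout is the
normal VS Code one and is an assumption of this script.
"""
import glob
import hashlib
import json
from pathlib import Path

EXTENSION_ID = "nrwl.angular-console"
MALICIOUS_VERSION = "18.95.0"
REMEDIATED_VERSION = "18.100.0"

# Persistence artifacts from the IoC table ("~" is home-relative).
PERSISTENCE_ARTIFACTS = [
    "~/.local/share/kitty/cat.py",
    "~/Library/LaunchAgents/com.user.kitty-monitor.plist",
    "/tmp/kitty-*",
    "/var/tmp/.gh_update_state",
]

# File hashes from the IoC table, lower-cased hex -> description.
KNOWN_DIGESTS = {
    "1a4afce34918bdc74ae3f31edaffffaa0ee07b91": "Malicious VSIX (v18.95.0)",
    "b0cefb66b953e5184b6adb3035e9e267335ac28c": "Malicious main.js (in VSIX)",
    "e7347d90653efc565f03733a95e9209d78f9cd15": "Obfuscated payload (index.js from orphan commit)",
    "43f2b001846c4966073ebffa5be8f15e491a1ffe": "Dropper package.json",
    "228a2cf081d4cbea9b91cde14a8f9c4a4d003fef": "Clean VSIX (v18.94.0)",
    "cb86f4f223daa54467c7782a0d8607e9c84e2b51": "Remediated VSIX (v18.100.0)",
}


def parse_version(version):
    """'18.95.0' -> (18, 95, 0); non-numeric suffixes such as '-beta' are dropped."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_status(version):
    """'malicious' for 18.95.0, 'update' if older than 18.100.0, else 'ok'."""
    if version == MALICIOUS_VERSION:
        return "malicious"
    if parse_version(version) < parse_version(REMEDIATED_VERSION):
        return "update"  # clean, but older than the remediated release
    return "ok"


def installed_versions(home):
    """Return {version: status} for every nrwl.angular-console copy under home."""
    found = {}
    ext_dir = Path(home) / ".vscode" / "extensions"
    for pkg in ext_dir.glob(f"{EXTENSION_ID}-*/package.json"):
        try:
            version = json.loads(pkg.read_text())["version"]
        except (OSError, ValueError, KeyError):
            continue
        found[version] = version_status(version)
    return found


def find_persistence_artifacts(home, root="/"):
    """Return the IoC paths that exist, with ~ mapped to home and / to root."""
    hits = []
    for pattern in PERSISTENCE_ARTIFACTS:
        if pattern.startswith("~/"):
            full = str(Path(home) / pattern[2:])
        else:
            full = str(Path(root) / pattern.lstrip("/"))
        hits.extend(sorted(glob.glob(full)))
    return hits


def classify_file(path):
    """Match a file against the IoC digests. The table's values are 40 hex
    characters, the length of a SHA-1 digest, so both MD5 and SHA-1 are
    computed and a match on either is reported as (algorithm, description)."""
    data = Path(path).read_bytes()
    for algo in ("md5", "sha1"):
        digest = hashlib.new(algo, data).hexdigest()
        if digest in KNOWN_DIGESTS:
            return algo, KNOWN_DIGESTS[digest]
    return None


if __name__ == "__main__":
    home = Path.home()
    print("installed Nx Console versions:", installed_versions(home) or "none")
    print("persistence artifacts present:", find_persistence_artifacts(home) or "none")
```

A present artifact or a "malicious" version is only the trigger; the credential rotation the article calls for still applies to any machine that ran 18.95.0 during the exposure window, whether or not the backdoor files remain.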

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| File Hash (MD5) | 1a4afce34918bdc74ae3f31edaffffaa0ee07b91 | Malicious VSIX (v18.95.0) |
| File Hash (MD5) | b0cefb66b953e5184b6adb3035e9e267335ac28c | Malicious main.js (in VSIX) |
| File Hash (MD5) | e7347d90653efc565f03733a95e9209d78f9cd15 | Obfuscated payload (index.js from orphan commit) |
| File Hash (MD5) | 43f2b001846c4966073ebffa5be8f15e491a1ffe | Dropper package.json |
| File Hash (MD5) | 228a2cf081d4cbea9b91cde14a8f9c4a4d003fef | Clean VSIX (v18.94.0) |
| File Hash (MD5) | cb86f4f223daa54467c7782a0d8607e9c84e2b51 | Remediated VSIX (v18.100.0) |
| Git Commit SHA | 558b09d7ad0d1660e2a0fb8a06da81a6f42e0b23 | Malicious orphan commit on nrwl/nx |
| Git Tree SHA | ba642fe2c7c65e42dd7f6444b83023dc6827e9a1 | Malicious commit tree |
| Git Blob SHA | acfc3f957a63b4cde93ff645f2b6bf26a8ed1c72 | index.js blob |
| Git Blob SHA | 9d88f040c44b5f4d5f9db15ff89310776c168f41 | package.json blob |
| URL | api.github.com/search/commits?q=firedalazer | Python C2 dead-drop polling endpoint |
| IP Address | 169.254.169.254 | AWS IMDS credential theft endpoint |
| IP Address | 169.254.170.2 | ECS container credential endpoint |
| IP Address | 127.0.0.1:8200 | HashiCorp Vault local endpoint |
| Domain | fulcio.sigstore.dev | Sigstore attestation forgery |
| Domain | rekor.sigstore.dev | Sigstore transparency log abuse |
| URL | bun.sh/install | Runtime installation for persistence |
| File Path | ~/.local/share/kitty/cat.py | Python C2 backdoor |
| File Path | ~/Library/LaunchAgents/com.user.kitty-monitor.plist | macOS persistence (RunAtLoad + hourly) |
| File Path | /tmp/kitty-* | Temporary persistence staging directory |
| File Path | /var/tmp/.gh_update_state | C2 anti-replay state file |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
