—

Nx Console VS Code Extension Hit by Supply Chain Attack

Cybersecurity researchers have flagged a compromised version of the Nx Console extension published to the Microsoft Visual Studio Code Marketplace. The extension in question — rwl.angular-console version 18.95.0 — has more than 2.2 million installations and serves as a popular user interface for Nx monorepo management across VS Code, Cursor, and JetBrains editors. The Open VSX version was not affected by the incident.

Attack Delivery

According to research by StepSecurity, within seconds of a developer opening any workspace, the compromised extension silently fetched and executed a 498 KB obfuscated payload from a dangling orphan commit hidden inside the official nrwl/nx GitHub repository. The payload is a multi-stage credential stealer and supply chain poisoning tool that harvests developer secrets and exfiltrates them via HTTPS, the GitHub API, and DNS tunneling.

The malware also installs a Python backdoor on macOS systems that abuses the GitHub Search API as a dead drop resolver for receiving further commands — a technique that hides command-and-control traffic inside legitimate API calls to a trusted platform. By using GitHub’s own API as a communication channel, the malware avoids standing out in network traffic logs where calls to github.com are ubiquitous and rarely scrutinized.

The delivery mechanism is particularly insidious. The attacker did not upload a malicious package to the marketplace. Instead, they used compromised developer credentials to push an orphaned, unsigned commit to the legitimate nrwl/nx repository. The extension itself remained clean — it was the runtime behavior of fetching and executing content from that seemingly-legitimate repository that delivered the payload. This makes detection significantly harder, as neither static analysis of the extension nor repository scanning would flag the threat in isolation. Security tools would see a popular extension fetching content from its own official repository — behavior that looks entirely normal.

Root Cause

The Nx maintainers traced the root cause to one of their developers whose machine was compromised in a prior security incident that leaked their GitHub credentials. Although the nature of the incident was not disclosed, the credentials have since been temporarily revoked. The access was abused to push an orphaned, unsigned commit to the nrwl/nx repository containing the stealer malware.

The malicious action triggers immediately upon opening any workspace in VS Code. The extension installs the Bun JavaScript runtime to execute an obfuscated index.js payload. Before harvesting, the malware runs geo-fencing checks to avoid infecting machines likely located in Russian and CIS time zones — a common tactic among Eastern European threat actors documented in earlier supply chain campaigns targeting developer tooling.

What It Steals and Does

The credential harvesting workflow targets sensitive data from 1Password vaults, Anthropic Claude Code configurations, and secrets associated with npm, GitHub, and Amazon Web Services (AWS). The scope makes it particularly dangerous for developers who use Claude Code for AI-assisted development or store infrastructure credentials in 1Password. A compromised Claude Code configuration could expose not just API keys but entire conversation histories, project contexts, and code generation patterns.

One capability that distinguishes this attack is its full Sigstore integration, including Fulcio certificate issuance and SLSA provenance generation. Combined with stolen npm OIDC tokens, this means the attacker could publish downstream npm packages with valid, cryptographically signed provenance attestations — making malicious packages appear as legitimate, verified builds. This is a significant escalation in supply chain attack sophistication, as it weaponizes the very security infrastructure designed to prevent package tampering. A developer reviewing supply chain security would see green provenance badges and assume the package is safe, while the attacker’s code runs with full access to the victim’s environment.

The Sigstore abuse is especially dangerous because it targets a trust mechanism that the industry has been actively promoting as a solution to supply chain attacks. If provenance attestations can be generated for malicious packages using stolen credentials, the security guarantee collapses.

This attack continues a troubling pattern in the developer tooling ecosystem. NGINX CVE-2026-42945 demonstrated how long-dormant vulnerabilities in foundational infrastructure can be exploited at scale once discovered. And earlier this year, CISA flagged Cisco SD-WAN CVE-2026-20182 as actively exploited, highlighting how quickly weaponized vulnerabilities propagate through enterprise networks when the attack surface includes developer workstations.

Mitigation and Response

The Nx team acknowledged that “a few users were compromised” as a result of this breach. Users are urged to update to version 18.100.0 or later immediately. The maintainers have published indicators of compromise including process names, file paths, and network signatures to help security teams identify affected machines.

Affected users should terminate all identified malicious processes, delete artifacts on disk, and rotate all credentials reachable from the affected machine — including npm tokens, GitHub personal access tokens, AWS access keys, 1Password master passwords, and Claude Code API keys. For organizations with multiple developers using Nx Console, the blast radius could span entire CI/CD pipelines if any affected machine held deployment credentials or service account tokens.

The incident underscores a growing risk in the developer tooling supply chain: popular IDE extensions with millions of installs represent high-value targets for credential theft. Unlike package dependencies that can be pinned and audited through lockfiles and SBOMs, IDE extensions often auto-update silently and run with full filesystem and network access. Two-factor authentication on package registries offers limited protection when the attacker already possesses valid OIDC tokens and can sign packages with legitimate provenance attestations. The Sigstore integration in this attack demonstrates that security infrastructure, when turned against its intended purpose, can become a powerful tool for making malicious artifacts appear trustworthy — a lesson the industry will need to reckon with as supply chain security standards evolve.