
Cybersecurity researchers have reported that a compromised version of the Nx Console extension was published to the Microsoft Visual Studio Code (VS Code) marketplace.
The extension in question is nrwl.angular-console (version 18.95.0), a popular user interface and plugin for code editors such as VS Code, Cursor, and the JetBrains IDEs, with over 2.2 million installs on the VS Code marketplace. The Open VSX builds of the extension are not affected by this incident.
“Within seconds of a developer opening a workspace, the compromised extension silently retrieved and executed a 498KB obfuscated payload from an unresolved orphan commit hidden within the official nrwl/nx GitHub repository,” said StepSecurity researcher Ashish Kurmi.
The payload is a “multi-step credential stealer and supply chain poisoning tool” that harvests developer secrets and exfiltrates them over HTTPS, the GitHub API, and DNS tunneling. On macOS it also installs a Python backdoor that uses the GitHub Search API as a dead-drop resolver to fetch further commands.
In an advisory issued Monday, the extension’s maintainers traced the root cause to one of their developers, whose machine had been compromised in an earlier security incident in which the developer’s GitHub credentials were stolen. The details of that earlier incident have not been disclosed; the developer’s credentials have since been temporarily revoked.
Access granted by that credential was used to push orphaned, unsigned commits to nrwl/nx, which hosted the stealer malware. The malicious behavior is triggered as soon as a developer opens a workspace in VS Code: the compromised extension installs the Bun JavaScript runtime and uses it to execute an obfuscated “index.js” payload.
The malware performs checks to avoid infecting machines located in Russia/CIS time zones, daemonizes itself as a separate background process, and then starts a credential-collection workflow that pulls secrets from the 1Password vault and Anthropic Claude Code settings, along with npm, GitHub, and Amazon Web Services (AWS) credentials.
“One of the standout features is that the payload includes full Sigstore integration, including Fulcio certificate issuance and SLSA provenance generation,” StepSecurity said. “This means that when combined with a stolen npm OIDC token, an attacker can expose downstream npm packages with valid cryptographically signed provenance certificates, making malicious packages appear to be legitimate, verified builds.”

The Nx team also acknowledged that “a small number of users were compromised” as a result of this breach. In addition to urging users to update to 18.100.0 or later, maintainers have published the following indicators of compromise:
- Nx Console version 18.95.0 installed during the exposure window, 2:36 PM to 2:47 PM CEST on May 18, 2026.
- Presence of any of these files: ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /var/tmp/.gh_update_state, or /tmp/kitty-*.
- Presence of either of these running processes: a Python process running cat.py, or any process with __DAEMONIZED=1 in its environment.
Affected users are encouraged to terminate the aforementioned processes, remove artifacts on disk, and rotate all credentials reachable from the affected machine, including tokens, secrets, and SSH keys.
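To turn the indicators above into a repeatable check, here is an added IoC-hunting script written for this page; it is not tooling from the Nx team or StepSecurity. It assumes the usual VS Code layout of one directory per extension under ~/.vscode/extensions (nrwl.angular-console-18.95.0 being the version named above), a Linux /proc for reading other processes' command lines and environments, and on macOS a ps that accepts -E to print environments. The home and system roots are parameters so the file check can also be pointed at a mounted disk image.

```shell
#!/bin/sh
# Added example: hunt for the IoCs the Nx advisory lists. This is not the Nx
# team's or StepSecurity's tooling. Assumptions (not stated on the page): VS Code
# keeps extensions under $HOME/.vscode/extensions/<publisher>.<name>-<version>,
# Linux exposes /proc for command-line and environment inspection, and on
# macOS `ps -E` appends each process's environment to its arguments.

# Print every on-disk IoC that exists. HOME_DIR defaults to $HOME and SYS_ROOT
# to "/", so the same function can inspect a mounted image of another machine.
nx_ioc_files() {
    home="${1:-$HOME}"
    sys="${2:-}"
    for p in \
        "$home/.local/share/kitty/cat.py" \
        "$home/Library/LaunchAgents/com.user.kitty-monitor.plist" \
        "$sys/var/tmp/.gh_update_state" \
        "$sys"/tmp/kitty-* \
        "$home"/.vscode/extensions/nrwl.angular-console-18.95.0*
    do
        # An unmatched glob stays a literal string, which -e rejects.
        [ -e "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Print "<pid> <reason>" for each process whose command line references cat.py
# or whose environment contains __DAEMONIZED=1.
nx_ioc_processes() {
    if [ -d /proc/self ]; then
        for d in /proc/[0-9]*; do
            pid=${d#/proc/}
            [ "$pid" = "$$" ] && continue      # skip the scanner itself
            # A process may exit between the glob and the read; tolerate that.
            cmd=$(tr '\0' ' ' 2>/dev/null < "$d/cmdline" || true)
            case "$cmd" in
                *cat.py*) printf '%s command line references cat.py: %s\n' "$pid" "$cmd" ;;
            esac
            if [ -r "$d/environ" ] &&
               tr '\0' '\n' 2>/dev/null < "$d/environ" | grep -qx '__DAEMONIZED=1'; then
                printf '%s __DAEMONIZED=1 in environment\n' "$pid"
            fi
        done
    else
        # No procfs (macOS/BSD): ps -E shows the environment only for processes
        # the caller owns, so run this as each interactive user, or as root.
        # The [c] trick stops grep from matching its own command line.
        ps -Eww -o pid=,args= 2>/dev/null | grep -e '[c]at\.py' -e '__DAEMONIZED=1' |
        while read -r pid rest; do
            printf '%s %s\n' "$pid" "$rest"
        done
    fi
    return 0
}

# Run both checks. Returns 1 (and prints the findings) if anything matched,
# 0 if the host looks clean.
nx_ioc_scan() {
    findings=$(nx_ioc_files "$@"; nx_ioc_processes)
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

nx_ioc_scan "$@" ||
    echo "IoCs found: kill the processes, delete the artifacts, and rotate every credential reachable from this host." >&2
```

Run it as each user who works on the machine (or as root), since process environments are only readable for your own processes. A non-zero exit means something matched; per the advisory, the response is then to kill the processes, delete the files, and rotate every credential the machine could reach.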
This is the second time in the past year that the Nx ecosystem has been targeted. In August 2025, several Nx npm packages were trojanized with a credential stealer in a supply chain attack campaign dubbed s1ngularity. Unlike that earlier attack, the latest one arrives through a VS Code extension rather than npm packages.
Too many malicious npm packages
The discovery coincides with reports of a range of malicious packages in open source repositories:
- iceberg-javascript, supabase-javascript, auth-javascript, microsoft-applicationinsights-common, and ms-graph-types: five npm packages containing hidden ELF binaries that backdoor Claude Code sessions and steal developer credentials.
- noon-contracts: an npm package that impersonates the Noon Protocol smart contract SDK and exfiltrates SSH keys, crypto wallet private keys, AWS credentials, Kubernetes secrets, all .env files, shell history, Docker, Git, and npm tokens, and browser wallet storage paths.
- martinez-polygon-clipping-tony: a trojanized fork of martinez-polygon-clipping that uses a post-install hook to download a 17 MB PyInstaller-packaged Windows remote access trojan (RAT), which uses Telegram for command and control (C2) and supports remote shell execution, screenshot capture, file upload and download, and arbitrary Python execution.
- common-tg-service: an npm package that masquerades as a “Common Telegram Service for NestJS Applications” but contains functionality to take over the victim’s Telegram account.
- exiouss: an npm package that bundles a stealer for ChatGPT and OpenAI session cookies from web browsers such as Google Chrome, Microsoft Edge, and Brave.
- k8s-pod-checker, dev-env-setup, and node-perf-utils: three npm packages in the kube-health-tools cluster that install a large language model (LLM) proxy service on the victim machine, letting the attacker route LLM traffic through the compromised host.
- A credential-harvesting campaign by an Indonesian-speaking threat actor using a set of 38 npm packages that exploit dependency confusion, tricking CI/CD pipelines into resolving malicious public packages ahead of legitimate private packages associated with Apple, Google, Alibaba, and others.
- An unusual campaign in which seven npm packages under the @hd-team organization act as stagers for the configuration that a Chinese sports gambling and pirated streaming platform named Douqiu uses to decide which backend servers to connect to.
