
Nx Console 18.95.0 Compromised VS Code Developers with Credential Stealer

Ravie Lakshmanan | May 19, 2026 | Supply Chain Attacks / Developer Security

Cybersecurity researchers have flagged a compromised version of the Nx Console extension that was published to the Microsoft Visual Studio Code (VS Code) Marketplace.

The extension in question is nrwl.angular-console (version 18.95.0), a popular interface and plugin for code editors such as VS Code, Cursor, and JetBrains. The VS Code extension has over 2.2 million installs. The Open VSX version was not affected by the incident.

“Within seconds of a developer opening any workstation, the vulnerable extension silently downloaded and executed a cryptic 498 KB payload in a dangling orphaned commit hidden in the official nrwl/nx GitHub repository,” said StepSecurity researcher Ashish Kurmi.

The payload is a “multi-step authentication theft and poisoning tool” that harvests developer secrets and exfiltrates them via HTTPS, the GitHub API, and DNS tunneling. It also drops a Python backdoor on macOS systems that abuses the GitHub Search API as a dead-drop channel for retrieving further commands.

In an advisory issued Monday, the extension’s maintainers said the cause was traced to one of its developers, whose machine was compromised in a recent security incident that leaked their GitHub credentials. Although the nature of the earlier “incident” was not disclosed, the developer’s credentials have since been temporarily revoked.

The access provided by the credentials was abused to push an orphaned commit, not referenced by any branch in nrwl/nx, that carried the malware. The malicious action triggers as soon as a developer opens any workspace in VS Code, installing the Bun JavaScript runtime and then using it to load the “index.js” payload.

The malware checks the system time zone to avoid infecting machines located in Russian/CIS time zones and launches itself as a separate background process to run a credential-harvesting workflow, collecting secrets from 1Password vaults and Anthropic Claude Code configurations, as well as credentials for npm, GitHub, and Amazon Web Services (AWS).

“One outstanding capability: the payload contains full Sigstore integration, including Fulcio certification and SLSA generation,” StepSecurity said. “Combined with stolen npm OIDC tokens, this means an attacker can publish npm packages below with proof of a legitimate, privately signed name, making malicious packages appear as legitimate, verified builds.”

The Nx team also acknowledged that “a number of users were compromised” by the breach. Besides urging users to update to 18.100.0 or later, the maintainers have published the following indicators of compromise:

  • Nx Console version 18.95.0 was published in the window between 2:36 pm and 2:47 pm CEST on May 18, 2026.
  • Existence of files such as ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /var/tmp/.gh_update_state, or /tmp/kitty-*.
  • Any of the following processes running: a python process executing cat.py, or a process with __DAEMONIZED=1 in its environment.

Affected users are advised to terminate the aforementioned processes, remove artifacts from disk, and rotate all credentials accessible from the affected machine, including tokens, secrets, and SSH keys.
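A host check for the indicators listed above, as an added example (not the Nx team's or StepSecurity's code). The optional home/root arguments are an assumption added so the file check can be run against a fixture tree, and the extension lookup assumes the VS Code CLI's `--list-extensions --show-versions` flags:

```shell
#!/bin/sh
# Added example (not from the Nx advisory or StepSecurity's write-up): check a
# host for the indicators of compromise listed above. The optional $home/$root
# arguments are an assumption added so the file check can run against a fixture.

# Print every indicator file from the advisory that exists under $home / $root.
check_ioc_files() {
  home="${1:-$HOME}"
  root="${2:-}"
  for f in "$home/.local/share/kitty/cat.py" \
           "$home/Library/LaunchAgents/com.user.kitty-monitor.plist" \
           "$root/var/tmp/.gh_update_state" \
           "$root"/tmp/kitty-*; do
    # an unmatched glob stays literal and simply fails the -e test
    if [ -e "$f" ]; then
      echo "$f"
    fi
  done
  return 0
}

# Print suspicious processes: a python interpreter running cat.py, and (Linux
# only, via /proc) any process carrying __DAEMONIZED=1 in its environment.
check_ioc_processes() {
  ps -eo pid=,args= 2>/dev/null | grep -E 'python[0-9.]* .*cat\.py' || true
  for env in /proc/[0-9]*/environ; do
    if tr '\000' '\n' < "$env" 2>/dev/null | grep -qx '__DAEMONIZED=1'; then
      pid="${env#/proc/}"
      echo "pid ${pid%/environ} has __DAEMONIZED=1 in its environment"
    fi
  done
  return 0
}

# Print the installed Nx Console extension if it is the compromised 18.95.0 build
# (relies on the VS Code CLI; prints nothing when 'code' is not on PATH).
check_extension_version() {
  code --list-extensions --show-versions 2>/dev/null \
    | grep -i 'angular-console@18\.95\.0' || true
}

# Combined report; exit status is 0 only when no indicator was found, so it can
# gate a fleet-wide job. Usage: ioc_report [home_dir] [root_dir]
ioc_report() {
  hits=$( { check_ioc_files "$@"; check_ioc_processes; check_extension_version; } \
          | grep -c . || true )
  echo "indicators found: $hits"
  [ "$hits" -eq 0 ]
}
```

A non-zero exit from ioc_report is the signal to follow the remediation steps above: kill the processes, remove the artifacts, and rotate every credential the machine could reach.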

This development marks the second time the Nx ecosystem has been targeted within a year. In August 2025, several npm packages were compromised by a hacker as part of an attack campaign called s1ngularity. Unlike previous iterations, the latest attack targeted the VS Code extension.

Malicious npm Packages Galore

The findings coincide with the discovery of several malicious packages in open source repositories:

  • iceberg-javascript, supabase-javascript, auth-javascript, microsoft-applicationinsights-common, and ms-graph types: five npm packages that contain hidden ELF binaries targeting Claude Code sessions to steal developer information.
  • noon contracts: an npm package impersonating the Noon Protocol SDK smart contract that extracts SSH keys, cryptocurrency wallet private keys, AWS credentials, Kubernetes secrets, all .env files, shell history, Docker/Git/npm tokens, and browser wallet data.
  • martinez-polygon-clipping-tony: a fork of martinez-polygon-clipping that uses an install hook to download a 17 MB PyInstaller-packed Windows remote access trojan (RAT) that uses Telegram for command and control (C2) and supports remote shell execution, screenshot capture and upload, and file upload.
  • common-tg-service: an npm package that contains functionality to take over a victim’s Telegram account while masquerading as a “Common Telegram Service for NestJS applications.”
  • exiouss: an npm package that steals ChatGPT and OpenAI session cookies from web browsers such as Google Chrome, Microsoft Edge, and Brave.
  • k8s-pod-checker, dev-env-setup, and node-perf-utils: three npm packages in the kube-health-tools collection that install a large language model (LLM) proxy service on the victim’s machine, allowing the attacker to route LLM traffic through the compromised host.
  • A coordinated credential harvesting campaign by an Indonesian-speaking threat actor using a set of 38 npm packages that rely on dependency confusion to trick CI/CD pipelines into resolving malicious public packages ahead of legitimate private ones associated with Apple, Google, and Alibaba, among others.
  • An unusual campaign in which seven npm packages under the @hd-team scope were found to act as a configuration channel for Douqiu, a Chinese sports gambling and fake live streaming platform, telling its clients which backend servers to connect to.
