A malicious update of the Nx Console extension (v18.95.0) was published to the VS Code Marketplace. The compromised package fetched an obfuscated payload that steals developer secrets, installs a Python backdoor, and can forge signed npm packages. Users should upgrade, remove artifacts, and rotate credentials.
A malicious Nx Console update slipped into the VS Code Marketplace
On May 18 2026, the rwl.angular-console extension (version 18.95.0) – a UI layer for the Nx build system used by more than 2.2 million developers – was replaced with a tampered package. Within seconds of opening any workspace, the extension downloaded a 498 KB obfuscated JavaScript payload from an orphan commit hidden in the official nrwl/nx GitHub repository.
“The payload is a multi‑stage credential stealer and supply‑chain poisoning tool that harvests developer secrets and exfiltrates them via HTTPS, the GitHub API, and DNS tunneling,” explains Ashish Kurmi, senior researcher at StepSecurity.
The malicious code silently installs the Bun runtime, launches a detached background process, and begins harvesting tokens from 1Password, Anthropic Claude, npm, GitHub, and AWS. It also drops a Python backdoor on macOS that uses the GitHub Search API as a dead‑drop resolver for further commands.
How the attacker got in
The breach traces back to a single developer on the Nx team whose personal GitHub credentials were compromised in an earlier, undisclosed incident. With those credentials, the attacker pushed an unsigned, orphaned commit to the public nrwl/nx repository. Because the extension pulls its source directly from that repo, the malicious commit was bundled into the published VS Code package.
What the malware can do
| Capability | Description |
|---|---|
| Credential harvesting | Reads 1Password vaults, Claude Code configs, npm OIDC tokens, GitHub PATs, AWS keys, and more. |
| Sigstore integration | Generates Fulcio certificates and SLSA provenance, allowing the attacker to publish signed malicious npm packages that appear legitimate. |
| Persistence | Installs a Python daemon (cat.py) and a launch agent (com.user.kitty-monitor.plist) on macOS. |
| Command‑and‑control | Uses HTTPS, GitHub API, and DNS tunneling; the Python backdoor also polls the GitHub Search API for commands. |
| Geofencing | Skips machines in Russian/CIS time zones to avoid early detection. |
Indicators of compromise (IOCs)
- Installation of Nx Console 18.95.0 between 14:36 – 14:47 CEST on May 18 2026.
- Files such as
~/.local/share/kitty/cat.py,~/Library/LaunchAgents/com.user.kitty-monitor.plist,/var/tmp/.gh_update_state, or any/tmp/kitty-*. - Running processes containing
cat.pyor an environment variable__DAEMONIZED=1.
Immediate remediation steps
- Upgrade: Remove version 18.95.0 and install Nx Console 18.100.0 or later from the official Marketplace.
- Terminate malicious processes and delete the files listed above.
- Rotate every credential that may have been present on the infected machine – PATs, SSH keys, npm tokens, AWS keys, 1Password vaults, Claude API keys, etc.
- Audit your CI/CD pipelines for any newly published npm packages that carry valid Sigstore attestations; verify provenance against your own signing keys.
- Enable two‑factor authentication on all GitHub accounts and consider using hardware‑based security keys for developer accounts.
Why this matters for the broader developer ecosystem
The incident is the second major supply‑chain attack on the Nx ecosystem within a year. In August 2025, the s1ngularity campaign compromised several npm packages with a similar credential‑stealing payload. The current attack shifts the vector from npm to a VS Code extension, demonstrating how attackers are hunting for the most trusted entry points in a developer’s toolchain.
“When a developer installs a tool that has millions of downloads, they implicitly trust the publisher. That trust can be abused to compromise the entire development pipeline,” notes Dr. Lina Mendoza, director of application security at CloudSec Labs.
Related malicious npm activity
The breach coincides with a wave of tainted packages discovered in public registries:
- iceberg‑javascript, supabase‑javascript, auth‑javascript – each hides an ELF binary that backdoors Claude Code sessions.
- noon‑contracts – exfiltrates SSH keys, crypto wallets, AWS credentials, and
.envfiles. - martinez‑polygon‑clipping‑tony – a post‑install hook downloads a 17 MB PyInstaller‑packed RAT that talks to Telegram C2.
- exiouss – steals browser cookies for ChatGPT and OpenAI sessions.
- k8s‑pod‑checker, dev‑env‑setup, node‑perf‑utils – install an LLM proxy to route AI traffic through the attacker’s server.
These packages illustrate a coordinated credential‑harvesting campaign by an Indonesian‑speaking threat actor leveraging dependency‑confusion tricks to hijack CI/CD pipelines.
Best‑practice checklist for developers
- Pin extensions to a known‑good version and enable automatic updates only after a manual review.
- Use a private npm registry or scoped packages for internal code to reduce exposure to public‑registry attacks.
- Validate Sigstore provenance against your own signing keys before accepting new package versions.
- Monitor network traffic for unexpected DNS queries to suspicious domains and for outbound connections to GitHub’s API from non‑developer machines.
- Implement secret‑scanning in repositories (GitGuardian, TruffleHog) and enforce least‑privilege token scopes.
Stay protected – Keep your development tools up to date, regularly rotate secrets, and treat every third‑party extension as a potential attack surface.
Comments
Please log in or register to join the discussion