
Cybersecurity researchers have flagged a compromised version of the Nx Console extension that was published to the Microsoft Visual Studio Code (VS Code) Marketplace.
The extension in question is nrwl.angular-console (version 18.95.0), a popular user interface and plugin for code editors like VS Code, Cursor, and JetBrains. The VS Code extension has more than 2.2 million installations. The Open VSX version has not been affected by the incident.
“Within seconds of a developer opening any workspace, the compromised extension silently fetched and executed a 498 KB obfuscated payload from a dangling orphan commit hidden inside the official nrwl/nx GitHub repository,” StepSecurity researcher Ashish Kurmi said.
The payload is a “multi-stage credential stealer and supply chain poisoning tool” that harvests developer secrets and exfiltrates them via HTTPS, the GitHub API, and DNS tunneling. It also installs a Python backdoor on macOS systems that abuses the GitHub Search API as a dead drop resolver for receiving further commands.
In an advisory issued Monday, the maintainers of the extension said the root cause has been traced to one of its developers, whose machine was compromised in a recent security incident that leaked their GitHub credentials. Although the nature of the prior “incident” was not disclosed, the developer’s credentials have since been temporarily revoked.
The access afforded by the credentials is said to have been abused to push an orphaned, unsigned commit to nrwl/nx, which introduces the stealer malware. The malicious action is triggered as soon as a developer opens any workspace in VS Code, leading to the installation of the Bun JavaScript runtime to run an obfuscated “index.js” payload.
The malware runs checks to avoid infecting machines likely located in Russian/CIS time zones and launches itself as a detached background process to kick off the credential harvesting workflow, allowing it to retrieve secrets from 1Password vaults and Anthropic Claude Code configurations, as well as secrets associated with npm, GitHub, and Amazon Web Services (AWS).
“One capability that stands out: the payload contains full Sigstore integration, including Fulcio certificate issuance and SLSA provenance generation,” StepSecurity said. “Combined with stolen npm OIDC tokens, this means the attacker could publish downstream npm packages with valid, cryptographically signed provenance attestations, making the malicious packages appear as legitimate, verified builds.”
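The quoted capability is worth a concrete counter-check. A valid Sigstore signature and a well-formed SLSA provenance statement prove only that some identity built the package; a consumer still has to pin the source repository, workflow and builder it expects, and confirm that the attested source commit is actually reachable from the release branch, which an orphan commit of the kind described above is not. The following Python is an added example, not code from StepSecurity or the Nx project: it assumes the SLSA v1 layout that npm provenance uses (predicate.buildDefinition.externalParameters.workflow, predicate.buildDefinition.resolvedDependencies[].digest.gitCommit, predicate.runDetails.builder.id), the policy values, package name and both provenance statements are constructed for illustration, and it assumes signature verification (for instance `npm audit signatures`) has already passed before this policy check runs.

```python
"""Policy check on a SLSA v1 provenance statement after its signature has been verified.

Added example (not Nx / StepSecurity code). Field paths follow the SLSA v1
provenance layout npm uses; the policy and the sample statements are constructed.
"""
import subprocess

SLSA_V1 = "https://slsa.dev/provenance/v1"

# Constructed policy for a hypothetical package built by GitHub Actions.
POLICY = {
    "repository": "https://github.com/example-org/example-pkg",
    "ref": "refs/heads/main",
    "path": ".github/workflows/release.yml",
    "builder_id_prefix": "https://github.com/actions/runner/github-hosted",
}


def git_is_ancestor(repo_dir, commit, branch="origin/main"):
    """Live check against a local clone: exit status 0 means `branch` contains
    `commit`. An orphan commit hangs off no branch, so it fails this test even
    when the provenance naming it is validly signed."""
    result = subprocess.run(
        ["git", "-C", repo_dir, "merge-base", "--is-ancestor", commit, branch],
        capture_output=True,
    )
    return result.returncode == 0


def attested_source_commits(statement):
    """Git commits the builder claims to have built from."""
    deps = statement.get("predicate", {}).get("buildDefinition", {}).get("resolvedDependencies", [])
    return [d["digest"]["gitCommit"] for d in deps
            if d.get("uri", "").startswith("git+") and "gitCommit" in d.get("digest", {})]


def check_provenance(statement, policy=POLICY, is_ancestor=None):
    """Return a list of violations; an empty list means the build origin matches policy.

    is_ancestor(commit) -> bool answers whether the commit is on the expected
    branch; inject one, e.g. functools.partial(git_is_ancestor, "/path/to/clone").
    """
    problems = []
    if statement.get("predicateType") != SLSA_V1:
        return [f"unexpected predicateType {statement.get('predicateType')!r}"]
    pred = statement.get("predicate", {})
    workflow = pred.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    for key in ("repository", "ref", "path"):
        if workflow.get(key) != policy[key]:
            problems.append(f"workflow.{key} is {workflow.get(key)!r}, expected {policy[key]!r}")
    builder = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder.startswith(policy["builder_id_prefix"]):
        problems.append(f"untrusted builder {builder!r}")
    commits = attested_source_commits(statement)
    if not commits:
        problems.append("no git source commit attested")
    for commit in commits:
        if is_ancestor is not None and not is_ancestor(commit):
            problems.append(f"attested commit {commit} is not on {policy['ref']} (orphan or foreign commit)")
    return problems


def make_statement(commit, repository=POLICY["repository"], ref=POLICY["ref"]):
    """Build a constructed provenance statement (the signed payload only) for the demo."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {
                "externalParameters": {"workflow": {"repository": repository, "ref": ref, "path": POLICY["path"]}},
                "resolvedDependencies": [{"uri": f"git+{repository}@{ref}", "digest": {"gitCommit": commit}}],
            },
            "runDetails": {"builder": {"id": POLICY["builder_id_prefix"] + "/ubuntu-latest"}},
        },
    }


# Constructed SHAs: one on main, one an orphan that no branch reaches.
MAIN_COMMIT = "a" * 40
ORPHAN_COMMIT = "b" * 40
BRANCH_CONTAINS = {MAIN_COMMIT}  # stand-in for a real git clone in this demo

if __name__ == "__main__":
    for label, stmt in (("good", make_statement(MAIN_COMMIT)), ("orphan", make_statement(ORPHAN_COMMIT))):
        print(label, check_provenance(stmt, is_ancestor=BRANCH_CONTAINS.__contains__) or "OK")
```

Against a real clone, pass `functools.partial(git_is_ancestor, "/path/to/clone")` as `is_ancestor`; the point of the extra step is that a provenance statement can be perfectly valid and still point at a commit that was never on the branch it claims to come from.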

The Nx team also acknowledged a “few users were compromised” as a result of this breach. Besides urging users to update to 18.100.0 or later, the maintainers have published the following indicators of compromise –
- Nx Console version 18.95.0 was installed during the exposure window on May 18, 2026, between 2:36 p.m. CEST and 2:47 p.m. CEST.
- Presence of files like ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /var/tmp/.gh_update_state, or /tmp/kitty-*.
- Presence of any of the following running processes: a python process running cat.py, or a process with __DAEMONIZED=1 in its environment.
Affected users are recommended to terminate the aforementioned processes, delete the artifacts on disk, and rotate all credentials reachable from the affected machine, including tokens, secrets, and SSH keys.
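The file and process indicators above are easy to turn into a host check. The following Python is an added example, not a tool from the Nx maintainers or StepSecurity: the file patterns and the two process indicators are taken from the advisory text as quoted here, the macOS `ps -axwwEo pid=,command=` output format (environment appended as KEY=VALUE tokens after the arguments) is an assumption, and the process listing used to exercise the parser is constructed.

```python
"""Hunt for the Nx Console 18.95.0 indicators of compromise listed above.

Added example, not a tool from the Nx maintainers or StepSecurity. File
patterns and process indicators come from the advisory text; the macOS
`ps -E` output format is an assumption and the sample process lines are constructed.
"""
import glob
import os
import subprocess
import sys

# File-system indicators from the advisory (glob patterns; ~ is expanded).
FILE_IOCS = [
    "~/.local/share/kitty/cat.py",
    "~/Library/LaunchAgents/com.user.kitty-monitor.plist",
    "/var/tmp/.gh_update_state",
    "/tmp/kitty-*",
]


def find_ioc_files(patterns=FILE_IOCS, glob_fn=glob.glob):
    """Return matching paths present on disk. glob_fn is injectable so the
    logic can be exercised against a constructed file set."""
    hits = set()
    for pattern in patterns:
        hits.update(glob_fn(os.path.expanduser(pattern)))
    return sorted(hits)


def is_suspicious(argv, env):
    """Apply the advisory's two process indicators to one process; return a reason or None."""
    if argv and os.path.basename(argv[0]).startswith("python") and any(
        a.endswith("cat.py") for a in argv[1:]
    ):
        return "python process running cat.py"
    if env.get("__DAEMONIZED") == "1":
        return "__DAEMONIZED=1 in environment"
    return None


def flag_processes(records):
    """records: iterable of (pid, argv, env) tuples -> list of (pid, reason)."""
    flagged = []
    for pid, argv, env in records:
        reason = is_suspicious(argv, env)
        if reason:
            flagged.append((pid, reason))
    return flagged


def collect_linux_processes():
    """Read argv and environment from /proc (Linux). Reading other users'
    environ needs root; unreadable or vanished processes are skipped."""
    for proc in glob.glob("/proc/[0-9]*"):
        try:
            with open(f"{proc}/cmdline", "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            with open(f"{proc}/environ", "rb") as f:
                env = dict(e.decode(errors="replace").partition("=")[::2]
                           for e in f.read().split(b"\0") if e)
        except OSError:
            continue
        yield int(os.path.basename(proc)), argv, env


def parse_ps_env_line(line):
    """Parse one line of `ps -axwwEo pid=,command=` (macOS; -E appends the
    environment as KEY=VALUE tokens after the arguments, an assumed format)
    into a (pid, argv, env) record. Splitting on whitespace means values that
    contain spaces are not reconstructed exactly, which is fine for this check."""
    pid_str, _, rest = line.strip().partition(" ")
    argv, env = [], {}
    for tok in rest.split():
        # The first KEY=VALUE token that is not a flag starts the environment block.
        if env or ("=" in tok and argv and not tok.startswith("-")):
            key, _, val = tok.partition("=")
            env[key] = val
        else:
            argv.append(tok)
    return int(pid_str), argv, env


if __name__ == "__main__":
    for path in find_ioc_files():
        print(f"[file] {path}")
    if sys.platform.startswith("linux"):
        records = collect_linux_processes()
    else:  # macOS
        out = subprocess.run(["ps", "-axwwEo", "pid=,command="],
                             capture_output=True, text=True, check=True).stdout
        records = (parse_ps_env_line(l) for l in out.splitlines() if l.strip())
    for pid, reason in flag_processes(records):
        print(f"[proc] pid {pid}: {reason}")
```

Run it as the affected user (or as root to see every process's environment); any `[file]` or `[proc]` line is a reason to follow the remediation steps above and treat every credential on the machine as exposed.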
The development marks the second time the Nx ecosystem has been targeted within a year. In August 2025, several npm packages were infected by a credential stealer as part of a supply chain attack campaign named s1ngularity. Unlike the previous iteration, the latest attack targets the VS Code extension.
Malicious npm Packages Galore
The findings coincide with the discovery of various malicious packages in open-source repositories –
- iceberg-javascript, supabase-javascript, auth-javascript, microsoft-applicationinsights-common, and ms-graph-types: Five npm packages containing a hidden ELF binary that backdoors Claude Code sessions to steal developer credentials.
- noon-contracts: An npm package that impersonates a Noon Protocol smart contract SDK to exfiltrate SSH keys, crypto wallet private keys, AWS credentials, Kubernetes secrets, all .env files, shell history, Docker/Git/npm tokens, and browser wallet storage paths.
- martinez-polygon-clipping-tony: A trojanized fork of martinez-polygon-clipping that uses a postinstall hook to download a 17MB PyInstaller-packed Windows remote access trojan (RAT) that uses Telegram for command-and-control (C2), supporting remote shell execution, screenshot capture, file upload/download, and arbitrary Python execution.
- common-tg-service: An npm package that contains functionality to take over a victim’s Telegram account while masquerading as a “Common Telegram service for NestJS applications.”
- exiouss: An npm package that bundles a ChatGPT and OpenAI session cookie stealer targeting web browsers like Google Chrome, Microsoft Edge, and Brave.
- k8s-pod-checker, dev-env-setup, and node-perf-utils: Three npm packages, part of the kube-health-tools cluster, that install a large language model (LLM) proxy service on the victim’s machine, allowing the attacker to route LLM traffic through the compromised server.
- A coordinated credential harvesting campaign orchestrated by an Indonesian-speaking threat actor using a set of 38 npm packages that leverages dependency confusion to trick CI/CD pipelines into resolving malicious public packages ahead of legitimate private ones associated with Apple, Google, and Alibaba, among others.
- An unusual campaign wherein seven npm packages under the @hd-team organization have been found to act as a stager for configurations used by a Chinese sports betting and pirated streaming platform named Douqiu to determine the backend servers to connect to.

