Compromised Nx Console Extension: A Supply Chain Nightmare for VS Code Developers
A compromised version of the Nx Console extension for **Microsoft** Visual Studio Code (**VS Code**) has been discovered, posing a significant supply chain risk. The malicious extension, version 18.95.0 of `rwl.angular-console`, silently harvests developer secrets and installs a Python backdoor on macOS systems.
Cybersecurity researchers have uncovered a supply chain attack targeting developers using the **Nx Console** extension in **Microsoft**'s **VS Code** Marketplace.
### Compromised Extension Details
The affected extension is `rwl.angular-console` (version 18.95.0), a popular tool with over 2.2 million installations for code editors like **VS Code**, Cursor, and JetBrains. The Open VSX version remains unaffected. According to **StepSecurity** researcher Ashish Kurmi, "Within seconds of a developer opening any workspace, the compromised extension silently fetched and executed a 498 KB obfuscated payload from a dangling orphan commit hidden inside the official nrwl/nx GitHub repository."

### Payload and Exfiltration Techniques
The payload is described as a "multi-stage credential stealer and supply chain poisoning tool" that exfiltrates developer secrets via HTTPS, the GitHub API, and DNS tunneling. It also installs a Python backdoor on macOS systems, leveraging the GitHub Search API for command-and-control (C2) communications.
### Root Cause and Mitigation
The maintainers of the extension have attributed the breach to a compromised developer machine, leading to leaked GitHub credentials. These credentials were used to push an orphaned, unsigned commit containing the malware to the `nrwl/nx` repository. The malicious code is triggered when a developer opens a workspace in **VS Code**, installing the Bun JavaScript runtime to execute an obfuscated "index.js" payload.
The malware avoids infecting machines in Russian/CIS time zones and operates as a detached background process. It targets secrets from various sources, including **1Password** vaults, **Anthropic Claude Code** configurations, npm, GitHub, and **Amazon Web Services (AWS)**.
### Sigstore Integration and Supply Chain Poisoning
"One capability that stands out: the payload contains full Sigstore integration, including Fulcio certificate issuance and SLSA provenance generation," **StepSecurity** noted. This allows attackers to publish malicious npm packages with valid, cryptographically signed provenance attestations, making them appear legitimate.

### Remediation Steps
The **Nx** team has acknowledged that a "few users were compromised" and recommends updating to version 18.100.0 or later. They have also provided the following indicators of compromise (IOCs):
* Nx Console version 18.95.0 installed on May 18, 2026, between 2:36 p.m. and 2:47 p.m. CEST.
* Presence of files like `~/.local/share/kitty/cat.py`, `~/Library/LaunchAgents/com.user.kitty-monitor.plist`, `/var/tmp/.gh_update_state`, or `/tmp/kitty-*`.
* Presence of a Python process running `cat.py`, or of any process with `__DAEMONIZED=1` in its environment.
Affected users should terminate these processes, delete the identified artifacts, and rotate all credentials accessible from the compromised machine, including tokens, secrets, and SSH keys.
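A triage script for the indicators above, added here as an example; it is not tooling from the Nx team or StepSecurity. It checks the advisory's file paths under a given home directory and system root, and greps a process listing for the `cat.py` and `__DAEMONIZED=1` indicators; the fixture paths and process lines used for checking it are constructed.

```sh
#!/bin/sh
# Added triage helper; not tooling from the Nx team or StepSecurity.
# Checks one macOS user account for the file and process indicators listed in
# the advisory above. Assumptions: run as the affected user, or point the
# arguments at another tree (a mounted volume, or a constructed fixture).

# Print each advisory file indicator that exists, one path per line.
# $1: home directory (default: $HOME)   $2: system root (default: /)
nx_ioc_files() {
    home_dir="${1:-$HOME}"
    sys_root="${2:-}"
    for f in \
        "$home_dir/.local/share/kitty/cat.py" \
        "$home_dir/Library/LaunchAgents/com.user.kitty-monitor.plist" \
        "$sys_root/var/tmp/.gh_update_state" \
        "$sys_root"/tmp/kitty-*; do            # glob from the advisory
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Read a process listing on stdin (one process per line: pid, command and,
# where available, environment) and print lines matching the advisory's
# process indicators: a python interpreter running cat.py, or __DAEMONIZED=1
# in the environment. On macOS, `ps -E` appends each process's environment to
# its command (only for your own processes unless run as root), so use:
#   ps -Eeo pid,command | nx_ioc_processes
nx_ioc_processes() {
    grep -E 'python[^[:space:]]*[[:space:]].*cat\.py|__DAEMONIZED=1' || true
}

# Live scan of this account: prints findings and returns 1 if any are present,
# so it can gate a fleet-wide check. Run it with: nx_ioc_scan
nx_ioc_scan() {
    files=$(nx_ioc_files)
    procs=$(ps -Eeo pid,command 2>/dev/null | nx_ioc_processes)
    if [ -z "$files$procs" ]; then
        echo "no Nx Console 18.95.0 IOCs found"
        return 0
    fi
    printf 'IOC files:\n%s\nIOC processes:\n%s\n' "$files" "$procs"
    return 1
}
```

A hit from `nx_ioc_scan` is the trigger for the steps above: stop the process, remove the artifacts, then rotate every credential the machine could reach.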
### Recurring Attacks on the Nx Ecosystem
This incident marks the second time the **Nx** ecosystem has been targeted in a year. In August 2025, several npm packages were infected by a credential stealer as part of the **s1ngularity** supply chain attack campaign. Unlike the previous attack, this latest incident targets the **VS Code** extension directly.
### Recent Surge in Malicious npm Packages
This discovery aligns with a broader trend of malicious packages found in open-source repositories, including:
* `iceberg-javascript`, `supabase-javascript`, `auth-javascript`, `microsoft-applicationinsights-common`, and `ms-graph-types`: Containing a hidden ELF binary that backdoors **Claude Code** sessions.
* `noon-contracts`: Impersonating a Noon Protocol smart contract SDK to exfiltrate sensitive credentials and keys.
* `martinez-polygon-clipping-tony`: A trojanized fork that downloads a Windows remote access trojan (RAT) controlled via Telegram.
* `common-tg-service`: Designed to hijack Telegram accounts.
* `exiouss`: Bundling a ChatGPT and OpenAI session cookie stealer.
* `k8s-pod-checker`, `dev-env-setup`, and `node-perf-utils`: Part of the kube-health-tools cluster installing an LLM proxy service.
* A coordinated credential harvesting campaign targeting tech giants like **Apple**, **Google**, and **Alibaba** using dependency confusion.
* Seven npm packages under the `@hd-team` organization acting as a stager for configurations used by a Chinese sports gambling platform.