Compromised Nx Console v18.95.0 VS Code Extension Stole Secrets
Compromised rwl.angular-console v18.95.0 VS Code extension fetched an obfuscated payload on May 18, 2026 that installed a multi-stage credential stealer and macOS backdoor.
A compromised version of the Nx Console extension, published as rwl.angular-console v18.95.0 on the Visual Studio Code Marketplace, fetched and executed an obfuscated payload that installed a multi-stage credential stealer and a macOS backdoor. The VS Code build of the extension has more than 2.2 million installs. The Open VSX build was not affected. The exposure window ran on May 18, 2026 between 14:36 and 14:47 CEST, according to the extension’s maintainers.
Security researchers at StepSecurity reported that the compromised extension contacted an orphaned commit in the official nrwl/nx GitHub repository and immediately ran a 498 KB obfuscated payload. StepSecurity researcher Ashish Kurmi reported: “Within seconds of a developer opening any workspace, the compromised extension silently fetched and executed a 498 KB obfuscated payload from a dangling orphan commit hidden inside the official nrwl/nx GitHub repository.” The maintainers traced the change to leaked GitHub credentials for one of the project developers; those credentials were temporarily revoked after the incident was discovered.
The injected code installs the Bun JavaScript runtime to execute an obfuscated index.js payload. The payload checks the system environment and avoids infecting machines that appear to be located in Russian or CIS time zones. It then detaches and runs in the background to collect developer secrets. Targets for collection include 1Password vaults, Anthropic Claude Code configurations, and credentials and tokens for npm, GitHub and AWS. Stolen data is exfiltrated over HTTPS, through the GitHub API and via DNS tunneling. On macOS, the malware installs a Python backdoor that uses the GitHub Search API as a dead drop resolver for receiving further commands.
StepSecurity highlighted that the payload includes full Sigstore integration, including Fulcio certificate issuance and SLSA provenance generation. Combined with stolen npm OIDC tokens, that capability could allow an attacker to publish downstream npm packages that include valid cryptographic provenance claims.
The extension maintainers published indicators of compromise and remediation steps. Artifacts to check include files such as ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /var/tmp/.gh_update_state and temporary files matching /tmp/kitty-*. Observed running processes include a Python process executing cat.py and any process with __DAEMONIZED=1 in its environment. Users who installed v18.95.0 during the exposure window are advised to terminate those processes, remove on-disk artifacts and rotate all credentials, tokens and SSH keys reachable from the affected machine. The maintainers urged users to update to version 18.100.0 or later.
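As an added example, not code from the maintainers' advisory, StepSecurity or the Nx project, the following POSIX shell script sweeps a host for the indicators listed above: the named files and `/tmp/kitty-*` temporaries, a Python process running `cat.py`, and any process whose environment carries `__DAEMONIZED=1`. It assumes `$HOME` is the affected user's home directory and, on macOS, that `ps -E` appends process environments to the command line (Linux reads `/proc/<pid>/environ` instead); an optional path prefix lets the file check run against a staged directory tree. It only reports, so preserving evidence, removal and credential rotation remain deliberate follow-up steps.

```shell
#!/bin/sh
# Added example, not part of the maintainers' advisory or the Nx project:
# a read-only sweep for the indicators published for rwl.angular-console
# v18.95.0. It reports findings and deletes nothing.

# Candidate indicator files. The optional prefix lets the same check run
# against a staged directory tree (used for self-testing) instead of /.
ioc_file_candidates() {
  prefix="${1:-}"
  printf '%s\n' \
    "$prefix$HOME/.local/share/kitty/cat.py" \
    "$prefix$HOME/Library/LaunchAgents/com.user.kitty-monitor.plist" \
    "$prefix/var/tmp/.gh_update_state"
  # /tmp/kitty-* is a pattern; an unmatched glob stays literal and is skipped.
  for t in "$prefix"/tmp/kitty-*; do
    if [ -e "$t" ]; then printf '%s\n' "$t"; fi
  done
}

# Print each indicator file that exists. Returns 0 when none exist, 1 otherwise.
check_ioc_files() {
  hits=$(ioc_file_candidates "$1" | while IFS= read -r path; do
    if [ -e "$path" ]; then printf 'file: %s\n' "$path"; fi
  done)
  if [ -z "$hits" ]; then return 0; fi
  printf '%s\n' "$hits"
  return 1
}

# Read "PID COMMAND ..." lines on stdin (the shape of `ps -eo pid=,command=`)
# and print the PID of every python process whose arguments reference cat.py.
# Requiring python as the command's first word keeps a grep for "cat.py"
# from matching itself.
match_kitty_processes() {
  awk '$2 ~ /python/ && $0 ~ /cat\.py/ { print $1 }'
}

# Read a NUL-separated environment block on stdin (the /proc/<pid>/environ
# layout) and return 0 only if one entry is exactly __DAEMONIZED=1.
env_has_daemonized() {
  tr '\0' '\n' | grep -qx '__DAEMONIZED=1'
}

# Print PIDs whose environment carries __DAEMONIZED=1. Linux exposes the
# environment of readable processes under /proc; on macOS this example
# assumes `ps -E`, which appends the environment to the command line.
daemonized_pids() {
  if [ -d /proc ]; then
    for env in /proc/[0-9]*/environ; do
      if [ -r "$env" ] && cat "$env" 2>/dev/null | env_has_daemonized; then
        pid=${env#/proc/}
        printf '%s\n' "${pid%/environ}"
      fi
    done
  elif command -v ps >/dev/null 2>&1; then
    ps -Eeo pid=,command= 2>/dev/null | grep '__DAEMONIZED=1' | awk '{ print $1 }'
  fi
}

# Run every check against the live host. Returns 0 when clean, 1 otherwise.
sweep_host() {
  clean=0
  check_ioc_files "" || clean=1
  if command -v ps >/dev/null 2>&1; then
    for pid in $(ps -eo pid=,command= 2>/dev/null | match_kitty_processes); do
      printf 'process running cat.py: pid %s\n' "$pid"; clean=1
    done
  fi
  for pid in $(daemonized_pids); do
    printf 'process with __DAEMONIZED=1: pid %s\n' "$pid"; clean=1
  done
  return "$clean"
}

if sweep_host; then
  echo "no published indicators found on this host"
else
  echo "indicators found: terminate the listed processes, preserve then remove the files, rotate credentials, tokens and SSH keys"
fi
```

Run it as the user who installed the extension, since the indicator files live under that user's home directory and `/proc/<pid>/environ` is only readable for processes you own. A clean run exits 0; any finding exits 1, which makes the script usable from a fleet-wide job that collects hosts needing remediation.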
Researchers also reported multiple unrelated malicious npm packages and a wider credential-harvesting campaign affecting open-source repositories. The Nx Console incident follows a supply chain compromise in August 2025 that infected several npm packages tied to the Nx toolchain.