A compromised build of the Nx Console extension reached the Visual Studio Code Marketplace on May 18, 2026, briefly turning one of the most widely installed developer tools into a credential-harvesting dropper. Version 18.95.0, published under the nrwl.angular-console publisher ID, was live for roughly 11 minutes — 14:36 to 14:47 CEST — before the Nx team pulled it. Nx Console has more than 2.2 million installs on the VS Code Marketplace and is also used in Cursor and JetBrains editors. The Open VSX build was not affected.
The compromise was flagged by StepSecurity and confirmed in a GitHub advisory (GHSA-c9j4-9m59-847w). No CVE has been assigned — this is a package-integrity incident, not a software flaw.
How it happened
The root cause was an account compromise. One of the Nx Console developers had their machine breached in an earlier, undisclosed incident that leaked their GitHub credentials. Those credentials were used to push an orphaned, unsigned commit into the official nrwl/nx repository — a commit that lives in the object store but is not reachable from any branch, so it never appears in normal commit history or pull-request review.
The malicious 18.95.0 extension was wired to that commit. Within seconds of a developer opening any workspace in VS Code, the extension silently fetched a 498 KB obfuscated payload from the dangling orphan commit, installed the Bun JavaScript runtime, and executed an obfuscated index.js as a detached background process. The loader skips machines in Russian/CIS time zones.
What the payload does
StepSecurity describes the payload as a “multi-stage credential stealer and supply chain poisoning tool.” It harvests secrets from GitHub, npm, AWS, HashiCorp Vault, Kubernetes, 1Password vaults, and Anthropic Claude Code configurations, then exfiltrates over three independent channels: HTTPS, the GitHub API, and DNS tunneling. On macOS it drops a persistent Python backdoor that abuses the GitHub Search API as a dead-drop resolver, pulling further commands signed with a 4096-bit RSA key.
The most dangerous capability is the supply-chain half. The payload ships full Sigstore integration — Fulcio certificate issuance and SLSA provenance generation. Combined with stolen npm OIDC tokens, an operator could publish downstream npm packages carrying valid, cryptographically signed provenance attestations. Malicious releases would pass as legitimate, verified builds — exactly the signal defenders have been told to trust.
Impact
The Nx team confirmed that “a few users were compromised.” The narrow 11-minute window limits the blast radius, but anyone who installed or auto-updated to 18.95.0 in that window should assume full credential exposure on that workstation — and treat any package or commit pushed from it afterward as suspect.
This is the second time in under a year the Nx ecosystem has been hit. The August 2025 s1ngularity campaign backdoored several npm packages with a credential stealer; this round moved upstream, into the IDE extension itself. Developer tooling is now a first-class supply chain target, and an editor extension that runs code on every workspace open is a near-ideal delivery vehicle.
What to do now
Update Nx Console to 18.100.0 or later immediately.
If you ran 18.95.0 between 14:36 and 14:47 CEST on May 18, check for these indicators of compromise:
- Files: ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /var/tmp/.gh_update_state, /tmp/kitty-*
- Processes: a python process running cat.py, or any process with __DAEMONIZED=1 in its environment
If you find them, terminate the processes, delete the on-disk artifacts, and rotate every credential reachable from the machine — GitHub PATs, npm tokens, AWS keys, Vault and Kubernetes secrets, SSH keys, and anything in .env files. Treat npm packages you published after the infection as potentially poisoned and review their provenance independently. Where possible, prefer Open VSX or pinned extension versions, and disable extension auto-update on machines with access to release credentials.
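A triage script for the indicators above, added here as an example and not taken from the advisory or the Nx project. It assumes the file paths and the __DAEMONIZED=1 environment marker exactly as listed, and takes an optional root prefix so the same checks can be run against a mounted disk image instead of the live machine.

```shell
#!/usr/bin/env bash
# Added triage helper (not from the advisory or the Nx project) for the Nx Console
# 18.95.0 indicators listed above. ROOT is a path prefix: empty for the live
# system, or a mounted disk image / test tree. HOME_DIR is the home path inside ROOT.

# Print each on-disk IoC found under ROOT (user-level paths resolved under HOME_DIR).
nx_ioc_files() {
  local root="${1:-}" home="${2:-$HOME}" p
  for p in \
    "$home/.local/share/kitty/cat.py" \
    "$home/Library/LaunchAgents/com.user.kitty-monitor.plist" \
    "/var/tmp/.gh_update_state"; do
    [ -e "$root$p" ] && printf 'IOC file: %s\n' "$root$p"
  done
  # Staging files share a prefix, so glob instead of matching a fixed name.
  for p in "$root"/tmp/kitty-*; do
    [ -e "$p" ] && printf 'IOC file: %s\n' "$p"
  done
  return 0
}

# Filter a ps listing on stdin (one process per line) to python processes
# running cat.py, the interpreter process behind the macOS backdoor.
nx_ioc_procs() {
  grep -E 'python[0-9.]*[[:space:]].*cat\.py' || true
}

# Linux only: report PIDs whose environment carries the __DAEMONIZED=1 marker set
# by the detached loader. macOS has no /proc, so the file checks cover it there.
nx_ioc_env() {
  local root="${1:-}" e pid
  for e in "$root"/proc/[0-9]*/environ; do
    [ -r "$e" ] || continue
    if tr '\0' '\n' < "$e" | grep -qx '__DAEMONIZED=1'; then
      pid=${e%/environ}; pid=${pid##*/}
      printf 'IOC env: pid %s\n' "$pid"
    fi
  done
  return 0
}

main() {
  nx_ioc_files "$1" "$2"
  command -v ps >/dev/null && ps axo pid=,command= | nx_ioc_procs
  nx_ioc_env "$1"
}

# Usage: ./nx_ioc_check.sh --scan [ROOT] [HOME_DIR]; sourcing the file only defines the functions.
if [ "${1:-}" = "--scan" ]; then main "${2:-}" "${3:-$HOME}"; fi
```

A hit from any of the three checks is a trigger for the credential rotation described above, not just for deleting the files.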
Sources
- Nx Console VS Code Extension Compromised — StepSecurity
- Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer — The Hacker News
- GHSA-c9j4-9m59-847w — nrwl/nx-console security advisory
- Nx Console VS Code Extension Compromised to Steal Developer and Cloud Secrets — Cyber Security News