Developer Alert: Poisoned Nx Console VS Code Extension Steals AWS, npm, and GitHub Tokens

The highly popular Nx Console extension for Visual Studio Code has been compromised via a weaponized supply-chain injection. The compromise specifically corrupted version 18.95.0, which was briefly propagated through the official Microsoft Visual Studio Marketplace. Given that the extension boasts an aggregate user base exceeding 2.2 million installations, the anomaly instantaneously triggered high-priority alarms across developer networks and threat intelligence cells.

The perimeter failure was isolated exclusively within the rwl.angular-console marketplace identifier; per telemetry published by the Nx engineering cohort, the parallel distribution hosted on the Open VSX Registry remained entirely uninfected. The malicious iteration executed its payload with remarkable stealth. The moment a software engineer initialized any workspace directory within Visual Studio Code, the extension silently pulled and executed an obfuscated 498 KB binary. This component had been cleverly harbored within an unsigned, orphaned commit lingering invisibly inside the official nrwl/nx GitHub repository.

Forensic specialists at StepSecurity have categorized the malicious asset as a highly sophisticated, multi-stage credential harvester engineered to facilitate subsequent downstream supply-chain incursions. The program systematically scraped developer secrets, exfiltrating the payloads to adversarial infrastructure utilizing an array of egress channels including HTTPS, the structural GitHub API, and advanced DNS tunneling. On endpoints operating macOS, the utility went a step further, establishing a persistent Python-based backdoor configured to continuously poll the public GitHub search interface to harvest inbound Command and Control (C2) instructions.

The Nx core development collective disclosed that the security breach stemmed from the upstream compromise of an individual engineer’s local workstation, wherein critical GitHub credentials had been harvested during a prior, unassociated incident. The threat actors weaponized this illicit administrative access to inject the concealed, unsigned commit directly into the nrwl/nx source tree. Consequently, the tainted software build was automatically compiled and pushed into the Visual Studio Code marketplace distribution pipeline.

Upon initial execution, the primary stager automatically installed the Bun JavaScript runtime environment to bootstrap and execute a heavily obfuscated index.js file. The payload immediately initialized environment fingerprinting routines, explicitly bypassing systems configured within CIS (Commonwealth of Independent States) time zones to evade localized regulatory scrutiny. Once geofencing parameters were satisfied, the malicious daemon migrated to background execution, systematically sweeping local directory trees for secrets residing within 1Password vaults, Anthropic Claude Code configurations, alongside sensitive access tokens for npm, GitHub, and Amazon Web Services (AWS).

A particularly alarming dimension of the exploit lay in its integrated support for Sigstore signing architectures. StepSecurity validated that the adversaries could potentially leverage intercepted npm OIDC tokens to publish weaponized, upstream packages that possessed flawless, cryptographically valid proofs of origin. Such corrupted dependencies would effortlessly pass automated verification checks, convincingly masquerading as legitimate, verified enterprise builds.

The Nx team has confirmed that a definitive subset of users fell victim to this localized injection campaign. Developers are urged to immediately mandate an upstream upgrade of the Nx Console extension to version 18.100.0 or subsequent releases. Absolute exposure risk is strictly constrained to individuals who retained or installed version 18.95.0 on May 18, 2026, within a highly precise temporal window spanning 14:36 to 14:47 CEST.

Incident response teams advise security practitioners to thoroughly audit host file systems for the presence of the following forensic indicators:

• ~/.local/share/kitty/cat.py
• ~/Library/LaunchAgents/com.user.kitty-monitor.plist
• /var/tmp/.gh_update_state
• /tmp/kitty-*

Concurrently, defensive teams should execute active process triaging; any running Python processes executing the cat.py script or any active process maintaining the explicit environment variable configuration __DAEMONIZED=1 must be treated as definitive evidence of system compromise. Upon isolating these indicators, administrators must forcefully terminate the malicious PIDs, purge the associated filesystem artifacts, and immediately revoke and rotate the entirety of the cryptographic credentials exposed to the endpoint—encompassing cloud tokens, API secrets, and SSH keys.