Ethical Hacking News
A compromised release of the Nx Console extension for Microsoft Visual Studio Code (VS Code) exposed developers to credential theft: the extension silently fetched and executed a multi-stage credential stealer and supply chain poisoning tool. The payload harvests developer secrets and exfiltrates them over HTTPS, the GitHub API and DNS tunneling, installs a Python backdoor on macOS that uses the GitHub Search API as a dead drop for further commands, and ships full Sigstore integration so that it can publish downstream npm packages with cryptographically signed provenance attestations. The Nx team says a small number of users were compromised; version 18.100.0 or later is the published fix, and the team's indicators of compromise should be used to check whether a machine was affected.
Security researchers have detailed how a compromised version of the Nx Console extension for Microsoft Visual Studio Code (VS Code), identified as nrwl.angular-console, silently fetched and executed a malicious payload from a dangling orphan commit in the extension's own GitHub repository. An orphan commit is reachable by its hash but not from any branch or tag, so it does not show up in normal browsing of the repository, while the download itself looks like ordinary traffic to the project's official source. The attack trades on developers' trust in official distribution channels, including the npm registry, to compromise users of this popular editor plugin.
The payload is a multi-stage credential stealer and supply chain poisoning tool that harvests developer secrets and exfiltrates them via HTTPS, the GitHub API, and DNS tunneling. On macOS it also installs a Python backdoor that abuses the GitHub Search API as a dead drop resolver: the implant looks up attacker-controlled content through a legitimate service to receive further commands, so its command-and-control traffic is hard to distinguish from ordinary API use. The malicious code runs as soon as any workspace is opened in VS Code; it installs the Bun JavaScript runtime and uses it to execute an obfuscated "index.js" payload.
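The advisory describes DNS tunneling as one of the exfiltration channels but gives no domains or other indicators, so the following is an added, generic detector written for this article; it is not code from the advisory, the researchers or the Nx project. It aggregates a constructed DNS query log per base domain and flags domains that receive many distinct, long, high-entropy subdomains, which is the shape tunneling produces. The three-field log format, the thresholds and the example-exfil.test domain are assumptions.

```python
"""Flag DNS query patterns consistent with data exfiltration over DNS.

Added example, not code from the advisory or the Nx project. Runs over a
constructed log (SAMPLE_LOG) in the format "<timestamp> <client-ip> <qname>";
the thresholds are illustrative and nothing here is an indicator of compromise.
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample log: a few benign lookups plus six queries carrying
# long, random-looking labels under one base domain (the tunnelling pattern).
SAMPLE_LOG = """\
2026-05-18T09:00:01Z 10.0.0.12 registry.npmjs.org
2026-05-18T09:00:02Z 10.0.0.12 api.github.com
2026-05-18T09:00:02Z 10.0.0.12 marketplace.visualstudio.com
2026-05-18T09:00:03Z 10.0.0.12 update.code.visualstudio.com
2026-05-18T09:00:04Z 10.0.0.12 objects.githubusercontent.com
2026-05-18T09:00:05Z 10.0.0.12 mfuxzt3eq4zq6kmrztbtmh4ja3hcbmfktdcq.s7k1.example-exfil.test
2026-05-18T09:00:05Z 10.0.0.12 jxq7hwlzmqy6n2v3jyvajzvuxvt4owrka6hb.s7k1.example-exfil.test
2026-05-18T09:00:06Z 10.0.0.12 nb2hi4b2f4xxe33nmfxgkzlyebxgc3lfhk5z.s7k1.example-exfil.test
2026-05-18T09:00:06Z 10.0.0.12 krugkidrovzw6ylhnrxwg3dmo5zg65lonfzg.s7k1.example-exfil.test
2026-05-18T09:00:07Z 10.0.0.12 gu3tmnzsguzdkojzgy3dimzzgqzdgnjugy2t.s7k1.example-exfil.test
2026-05-18T09:00:07Z 10.0.0.12 pfxwg33qebuxgidjnrzwyzlvmfzgs33oebqw.s7k1.example-exfil.test
"""


@dataclass
class DomainStats:
    base: str
    queries: int
    unique_subdomains: int
    mean_subdomain_len: float
    max_label_entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores well above English words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def base_domain(qname: str) -> str:
    """Last two labels. Simplification: no public-suffix handling (co.uk etc.)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (timestamp, client, qname) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            yield parts[0], parts[1], parts[2].rstrip(".").lower()


def domain_stats(text: str) -> dict:
    """Aggregate per base domain: query count, distinct subdomains, lengths, entropy."""
    subs = defaultdict(list)
    for _, _, qname in parse_log(text):
        base = base_domain(qname)
        sub = qname[: -len(base)].rstrip(".") if qname != base else ""
        subs[base].append(sub)
    stats = {}
    for base, seen in subs.items():
        nonempty = [s for s in seen if s]
        labels = [lbl for s in nonempty for lbl in s.split(".")]
        stats[base] = DomainStats(
            base=base,
            queries=len(seen),
            unique_subdomains=len(set(nonempty)),
            mean_subdomain_len=(sum(map(len, nonempty)) / len(nonempty)) if nonempty else 0.0,
            max_label_entropy=max((shannon_entropy(lbl) for lbl in labels), default=0.0),
        )
    return stats


def flag_tunneling(text: str, min_unique: int = 4, min_mean_len: int = 24,
                   min_entropy: float = 3.5) -> list:
    """Return base domains receiving many distinct, long, high-entropy subdomains."""
    return sorted(
        (st for st in domain_stats(text).values()
         if st.unique_subdomains >= min_unique
         and st.mean_subdomain_len >= min_mean_len
         and st.max_label_entropy >= min_entropy),
        key=lambda st: st.base,
    )


if __name__ == "__main__":
    for st in flag_tunneling(SAMPLE_LOG):
        print(f"{st.base}: {st.queries} queries, {st.unique_subdomains} distinct subdomains, "
              f"mean len {st.mean_subdomain_len:.1f}, max entropy {st.max_label_entropy:.2f}")
```

Feed `flag_tunneling()` real resolver logs in the same three-field format and tune `min_unique` and `min_entropy` against your own baseline, since CDNs and some telemetry also emit long random-looking labels. This only covers the DNS channel; the HTTPS and GitHub API exfiltration the advisory also describes needs egress and API audit visibility.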
The malware checks the system time zone and aborts on machines in Russian/CIS time zones, then launches itself as a detached background process to begin credential harvesting. It targets 1Password vaults, Anthropic Claude Code configurations, and npm, GitHub, and Amazon Web Services (AWS) credentials. Notably, it contains full Sigstore integration, including Fulcio certificate issuance and SLSA provenance generation, so the npm packages it publishes downstream carry cryptographically signed provenance attestations. The practical point is that a valid Sigstore signature and SLSA provenance prove only that a package was built and published under a given identity, not that the identity's credentials were in legitimate hands, so provenance checks alone will not catch packages pushed with harvested publishing credentials.
The Nx team has confirmed that a small number of users were compromised and urges everyone to update to version 18.100.0 or later. It has also published indicators of compromise so that affected users can check their machines. Anyone who ran a compromised version should treat the npm, GitHub, AWS, 1Password and Claude Code secrets present on that machine as exposed and rotate them, since updating the extension removes the malicious code but does not recall what was already exfiltrated.
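A practitioner's first questions are whether a given machine has a version below 18.100.0 installed and, if so, which credential stores to rotate. The following added triage script is not Nx's tooling and does not reproduce the advisory's indicators of compromise (which this page does not list); it assumes the usual ~/.vscode/extensions layout, the extension id nrwl.angular-console, and default file locations for the npm, AWS, GitHub CLI and Claude Code credentials. It reads extension manifests from disk instead of opening VS Code, because the malicious code fires on workspace open, and it compares versions numerically, because "18.100.0" sorts below "18.95.0" as a string.

```python
"""Post-incident triage for the Nx Console compromise.

Added example, not Nx's own tooling. Assumptions: VS Code keeps extensions under
~/.vscode/extensions/<publisher>.<name>-<version>/package.json (the usual layout
on Linux and macOS), the extension id is nrwl.angular-console, 18.100.0 is the
fixed version named by the Nx team, and CREDENTIAL_FILES lists the default
locations of the targeted stores (1Password vault data is not a plain file and
is not checked here).
"""
import json
from pathlib import Path

EXTENSION_ID = "nrwl.angular-console"
FIXED_VERSION = "18.100.0"

# Default locations of the credential stores the stealer targets (assumed paths).
CREDENTIAL_FILES = {
    "npm token": ".npmrc",
    "AWS keys": ".aws/credentials",
    "GitHub CLI token": ".config/gh/hosts.yml",
    "Claude Code config": ".claude.json",
}


def parse_version(version: str) -> tuple:
    """'18.95.0' -> (18, 95, 0). Drops -prerelease/+build suffixes, pads to 3 parts."""
    core = version.split("+", 1)[0].split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_fixed(version: str, fixed: str = FIXED_VERSION) -> bool:
    """Numeric compare: a string compare would rank '18.100.0' below '18.95.0'."""
    return parse_version(version) >= parse_version(fixed)


def installed_nx_console(extensions_root) -> list:
    """Return [(version, directory)] for every installed copy of the extension.

    Reads package.json from disk and never launches VS Code, which on a
    compromised install would trigger the malicious activation on workspace open.
    """
    found = []
    for pkg in sorted(Path(extensions_root).glob("*/package.json")):
        try:
            meta = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # not a readable extension manifest
        ident = f"{meta.get('publisher', '')}.{meta.get('name', '')}".lower()
        if ident == EXTENSION_ID:
            found.append((str(meta.get("version", "0.0.0")), pkg.parent))
    return found


def credential_files_present(home) -> list:
    """Return the credential stores that exist under `home` and should be rotated."""
    home = Path(home)
    return [(label, str(home / rel)) for label, rel in CREDENTIAL_FILES.items()
            if (home / rel).exists()]


def triage(home) -> dict:
    """Summarise exposure for one user profile.

    A currently fixed version does not prove the compromised one never ran on
    this machine; combine with the published indicators of compromise.
    """
    home = Path(home)
    copies = installed_nx_console(home / ".vscode" / "extensions")
    exposed = any(not is_fixed(v) for v, _ in copies)
    return {
        "installed": [{"version": v, "path": str(p), "fixed": is_fixed(v)} for v, p in copies],
        "exposed": exposed,
        "rotate": credential_files_present(home) if exposed else [],
    }


if __name__ == "__main__":
    print(json.dumps(triage(Path.home()), indent=2))
```

Run it as the affected user; other editors that load VS Code extensions (Insiders builds, forks) keep their extensions under different directories, so point `installed_nx_console()` at those too when they are in use.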
The incident shows that trust in official package repositories and extension marketplaces is exactly what supply chain attacks exploit: the malicious code arrived as a legitimate-looking release of a widely installed extension, not through an exploit against the editor. Keeping editors and plugins updated is still necessary, because that is how the fix is delivered, but it is not sufficient. Teams should also control which extensions run automatically on workspace open, watch for an editor extension installing an unexpected runtime such as Bun, monitor for DNS tunneling and unusual GitHub API traffic, and treat signed provenance as one signal rather than proof that a package is safe.
Related Information:
https://www.ethicalhackingnews.com/articles/Crafting-Compromise-The-Nx-Console-Vulnerability-that-Exposed-VS-Code-Developers-to-Credential-Theft-ehn.shtml
https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html
Published: Tue May 19 03:37:12 2026 by llama3.2 3B Q4_K_M