A brief but dangerous supply chain attack hijacked the official Visual Studio Code marketplace, targeting over two million developers with an automated, multi-stage credential harvester and a stealthy macOS backdoor.
On May 18, 2026, the security perimeter around the popular Nx developer ecosystem was breached. For approximately 11 minutes, a compromised version of the heavily relied-upon Nx Console VS Code extension—specifically nrwl.angular-console v18.95.0—was hosted live on the official Microsoft Visual Studio Code Marketplace.
The incident marks an aggressive escalation in supply chain methodology. By hiding the core malware infrastructure inside a “dangling orphan commit” within a legitimate repository, the attackers bypassed traditional static analysis tools.
“Within seconds of a developer opening any workspace, the compromised extension silently fetched and executed a 498 KB obfuscated payload from a dangling orphan commit hidden inside the official nrwl/nx GitHub repository,” according to an analysis of the incident.
The breach traces its roots to a classic corporate exposure: an upstream access leak. The Nx engineering team confirmed that the initial entry vector occurred after a contributor’s personal GitHub access token was scraped during an unrelated, historical security incident.
The threat actors weaponized this stolen credential to orchestrate a highly creative execution path. At 03:18 UTC, they pushed commit 558b09d7 directly into the official nrwl/nx codebase. The code structure was unusual—it was generated as an orphan commit possessing zero parent connections, meaning it was completely invisible on any standard public-facing branch or commit history page.
To prevent developers from easily identifying the rogue code, the attackers relied on an aggressive psychological trick. They appended a social engineering threat straight into the commit description: “Don’t delete this commit before 24 hours or wiper activates.” While the wiper warning was entirely fraudulent, it succeeded in buying the adversaries crucial hours to prepare their secondary launchpad.
At 12:36 UTC, the attackers used a secondary layer of stolen publishing credentials (VSCE_PAT) to upload the subverted extension directly to the public marketplace.
Once a developer’s local editor auto-updated to version 18.95.0 and processed a workspace directory, the extension’s initialization code fired automatically. It immediately initialized a background shell task named “install-mcp-extension”—disguised to mimic standard, native platform functionality—to fetch the 498 KB obfuscated payload using npx.
The backend payload executed as an invisible background daemon, launching six specialized data collectors designed to sweep the developer’s system for keys and tokens. The malware specifically targeted:
- Cloud Infrastructure & Infrastructure-as-Code: Vault secrets, local Kubernetes configuration tables, and live AWS tokens extracted via local Instance Metadata Services (IMDS).
- Package Repositories: Snatching local .npmrc profiles to validate maintainer packages and sweep active keys.
- AI Coding Assistants: The payload purposefully scraped settings and configuration files mapping to Claude Code (~/.claude/settings.json). This highlights one of the first observed supply chain attacks engineered specifically to hijack corporate AI coding engine configurations.
What makes this campaign incredibly alarming for broader industry ecosystems is how the attacker planned to use the stolen data downstream. The script was discovered to hold fully integrated libraries matching the Sigstore security network.
“Combined with stolen npm OIDC tokens, this means the attacker could publish downstream npm packages with valid, cryptographically signed provenance attestations, making the malicious packages appear as legitimate, verified builds,” the analysis warned.
By forging software origin validation tokens using genuine signing certificates, the hackers could inject backdoor code into hundreds of adjacent enterprise software modules, completely blinding automated validation utilities.
As a final measure to retain access, the script dropped a persistent Python-based remote-access backdoor into the host’s filesystem (~/.local/share/kitty/cat.py) and registered an automated macOS LaunchAgent to guarantee hourly execution.
The backdoor’s communication layer is exceptionally stealthy. It treats the public GitHub Search API as an anonymous command dead-drop. Every hour, the script queries GitHub for a specific keyword string (firedalazer). It then parses the commit logs for a Base64 URL signature, validates it using an embedded 4096-bit RSA public key, and executes the hidden commands natively. Because traffic heading to api.github.com looks entirely normal on corporate developer workstations, the C2 loop is designed to easily slip past standard network firewalls.
The Nx development team acted with immense speed, catching the rogue marketplace upload within 11 minutes and successfully pulling the file at 12:47 UTC. However, because modern coding environments leverage aggressive automated updates, security managers must actively audit their developer environments.
Organizations are urged to run an immediate command-line check across developer assets to identify whether the compromised version slipped past their perimeter.
If your systems return version 18.95.0, you must immediately treat the workstation as entirely compromised. Security teams must immediately invalidate and rotate all GitHub keys, AWS corporate identities, and 1Password master secrets accessible from that endpoint, while manually scrubbing the kitty backdoor paths and LaunchAgents from the local profile. Update directly to the clean, remediated baseline version v18.100.0 to re-secure the application pipeline.
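One way to sweep a workstation for the indicators named above, as an added example that is not the article's or the Nx team's own check. It assumes VS Code's default extension folders (`~/.vscode/extensions` and the Insiders and Remote equivalents); the function name `audit_home` and the output labels are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the article): audit one home directory for the
# indicators the article names. The VS Code folder layout is an assumption.
BAD_EXT="nrwl.angular-console-18.95.0"      # compromised extension version
BACKDOOR_REL=".local/share/kitty/cat.py"    # backdoor path given in the article

# Prints one finding per line; returns 1 if anything was found, else 0.
audit_home() {
    home_dir="$1"
    found=0

    # VS Code unpacks each extension to <publisher>.<name>-<version>[-platform].
    # A leftover folder means that version was installed here at some point,
    # even if the editor has since auto-updated to a clean release.
    for ext_root in "$home_dir/.vscode/extensions" \
                    "$home_dir/.vscode-insiders/extensions" \
                    "$home_dir/.vscode-server/extensions"; do
        [ -d "$ext_root" ] || continue
        for d in "$ext_root/$BAD_EXT"*; do
            [ -d "$d" ] || continue
            echo "EXTENSION $d"
            found=1
        done
    done

    # Backdoor script dropped by the payload.
    if [ -e "$home_dir/$BACKDOOR_REL" ]; then
        echo "BACKDOOR $home_dir/$BACKDOOR_REL"
        found=1
    fi

    # The article gives no plist name, so flag any LaunchAgent that references
    # the backdoor path (grep -q also matches ASCII strings in binary plists).
    agents="$home_dir/Library/LaunchAgents"
    if [ -d "$agents" ]; then
        for p in "$agents"/*.plist; do
            [ -f "$p" ] || continue
            if grep -q "kitty/cat.py" "$p"; then
                echo "LAUNCHAGENT $p"
                found=1
            fi
        done
    fi
    return "$found"
}

# Audit the given home directory (default: the current user's).
audit_home "${1:-$HOME}" || echo "Indicators found: rotate credentials reachable from this host." >&2
```

Scanning the extension folders instead of asking the editor lets the same script run over every user profile on a shared machine. A clean result does not clear a host on its own, since the folder and backdoor can be removed after the fact.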