The Nx Console extension for Visual Studio Code, with over 2.2 million installations, was compromised in May 2026, exposing millions of developers to potential credential theft. Attackers pushed a malicious version of the extension to the official VS Code Marketplace, where it was served to developers as a legitimate update.
Details of the Breach
On May 18, 2026, attackers published version 18.95.0 of the Nx Console extension using stolen publisher credentials. This version contained a hidden payload that activated as soon as any workspace was opened. The payload was concealed in an orphan commit (a commit not reachable from any branch or tag) on the official nrwl/nx GitHub repository, so it did not appear in the repository's normal history.
Fortunately, the compromised version was live for only about 11 minutes before the Nx team detected and removed it. This swift action limited the impact, but the breach exposed real weaknesses in the extension publishing supply chain.
Investigative Findings
According to a report by StepSecurity, the attack was part of a larger, multi-stage supply chain attack, marking the second incident affecting the Nx ecosystem within a year. The payload was designed to steal a wide array of credentials, targeting platforms like GitHub, npm, AWS, and more.
The attack also included mechanisms to exfiltrate stolen data over multiple channels, including HTTPS and DNS tunneling, so blocking a single channel was not enough to stop the theft and made detection harder. Additionally, it targeted AI coding assistants, a first for supply chain attacks.
Security Measures and Recommendations
Developers who installed or updated to the compromised version between 12:36 and 12:47 UTC on May 18 should treat their credentials as compromised. Immediate actions include updating to version 18.100.0 or later and removing any backdoor artifacts left behind.
On macOS specifically, users should remove the persistent backdoor located at ~/.local/share/kitty/cat.py along with the related LaunchAgent entries. It is crucial to rotate all credentials, including GitHub tokens, npm tokens, and any stored secrets, to prevent unauthorized access.
Finally, checking systems against the published indicators of compromise, such as the specific file hashes and Git commit identifiers, helps identify affected machines. Developers should remain vigilant and follow best practices for securing their development environments.
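The remediation steps above are easier to apply consistently as a script. The following is an added example, not code from the article, from StepSecurity or from the Nx project: a read-only audit of one user's home directory for the artifacts the advisory names. It assumes that the extension installs under ~/.vscode/extensions/nrwl.angular-console-<version> (nrwl.angular-console being the Marketplace id of Nx Console) and that the "related LaunchAgent entries" are plists under ~/Library/LaunchAgents whose contents reference the backdoor script path, since the advisory gives no plist label. The script reports and sets an exit status; it deletes nothing, so removal remains a deliberate step after review.

```shell
#!/bin/sh
# Added audit example (not from the article or the Nx project). Checks one home
# directory for the indicators the advisory names and returns non-zero if any is
# present. Assumptions, labelled: the extension directory name pattern below and
# the heuristic that a related LaunchAgent plist references the script path.

COMPROMISED_VERSION="18.95.0"            # version named in the advisory
EXT_ID="nrwl.angular-console"            # assumed Marketplace id of Nx Console
BACKDOOR_REL=".local/share/kitty/cat.py" # persistence script path named in the advisory

# Returns 0 if a directory for the compromised extension version exists under home $1
has_compromised_extension() {
  for ext_dir in "$1/.vscode/extensions/$EXT_ID-$COMPROMISED_VERSION"*; do
    [ -d "$ext_dir" ] && return 0
  done
  return 1
}

# Returns 0 if the macOS persistence script exists under home $1
has_backdoor_script() {
  [ -f "$1/$BACKDOOR_REL" ]
}

# Prints each LaunchAgent plist under home $1 whose contents reference the backdoor
# script path; returns 0 if at least one was found, 1 otherwise
find_backdoor_launchagents() {
  agents_dir="$1/Library/LaunchAgents"
  agents_found=1
  [ -d "$agents_dir" ] || return 1
  for plist in "$agents_dir"/*.plist; do
    [ -f "$plist" ] || continue
    if grep -qF "$BACKDOOR_REL" "$plist" 2>/dev/null; then
      echo "$plist"
      agents_found=0
    fi
  done
  return $agents_found
}

# Audits home $1 (default: $HOME), prints findings; returns 0 if clean, 1 otherwise
audit_home() {
  audit_home_dir="${1:-$HOME}"
  audit_status=0
  if has_compromised_extension "$audit_home_dir"; then
    echo "FOUND: Nx Console $COMPROMISED_VERSION under $audit_home_dir/.vscode/extensions"
    audit_status=1
  fi
  if has_backdoor_script "$audit_home_dir"; then
    echo "FOUND: persistence script $audit_home_dir/$BACKDOOR_REL"
    audit_status=1
  fi
  if agents=$(find_backdoor_launchagents "$audit_home_dir"); then
    echo "FOUND: LaunchAgent plist(s) referencing the script:"
    echo "$agents"
    audit_status=1
  fi
  if [ "$audit_status" -eq 0 ]; then
    echo "No indicators found under $audit_home_dir"
  else
    echo "Treat credentials on this host as exposed: update to 18.100.0 or later and rotate tokens"
  fi
  return $audit_status
}

# When run as a script (set NX_AUDIT_LIB=1 to source only the functions), audit $HOME
[ "${NX_AUDIT_LIB:-0}" = "1" ] || audit_home "$HOME"
```

Run it as `sh nx_console_audit.sh` on each developer machine, or source it with `NX_AUDIT_LIB=1` to call `audit_home` against other home directories on a shared host. A non-zero exit status is the signal to follow the full procedure: remove the extension and the persistence artifacts, then rotate every credential the machine held.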
