Nx Console VS Code Extension Compromised — 2.2 Million Installs Exposed to Credential Stealer With Sigstore Supply Chain Poisoning Capability
A compromised version of the Nx Console extension — a popular VS Code plugin with over 2.2 million installations — was published to the Visual Studio Code Marketplace after an attacker leveraged stolen developer credentials to inject a multi-stage credential stealer into the official nrwl/nx GitHub repository.
The malicious version (18.95.0) was live for approximately 11 minutes on May 18 between 2:36 p.m. and 2:47 p.m. CEST, but the damage potential within that window was significant. Within seconds of a developer opening any workspace, the extension silently fetched and executed a 498 KB obfuscated payload from an orphan commit hidden inside the official Nx repository.
The root cause was a developer's machine that had been compromised in a prior security incident, leaking their GitHub credentials. The attacker used that access to push an orphaned, unsigned commit containing the stealer malware. When triggered, the payload installed the Bun JavaScript runtime and executed an obfuscated index.js file that launched as a detached background process to begin credential harvesting.
The stealer targeted a broad range of developer secrets: 1Password vault contents, Anthropic Claude Code configurations, npm tokens, GitHub credentials, and AWS secrets. Exfiltration used three parallel channels — HTTPS, the GitHub API, and DNS tunneling — making network-level detection significantly harder. On macOS systems, the malware also installed a Python backdoor that abused the GitHub Search API as a dead drop resolver for receiving further commands.
The malware included checks to avoid infecting machines in Russian and CIS time zones, suggesting either the attacker's operational security preferences or a deliberate effort to avoid drawing attention from certain security research communities.
The most concerning capability is the payload's full Sigstore integration, including Fulcio certificate issuance and SLSA provenance generation. Combined with stolen npm OIDC tokens, this means the attacker could publish downstream npm packages with valid, cryptographically signed provenance attestations — making poisoned packages appear as legitimate, verified builds. This effectively weaponizes the supply chain trust infrastructure that was designed to prevent exactly this kind of attack.
The Nx team confirmed a "few users were compromised" and urged all users to update to version 18.100.0 or later. This is the second time the Nx ecosystem has been targeted within a year — in August 2025, several npm packages were infected with a credential stealer in a campaign named s1ngularity.
The disclosure coincides with a broader wave of malicious npm packages discovered this week, including packages targeting Claude Code sessions with hidden ELF backdoors, a trojanized polygon-clipping fork delivering a Windows RAT via Telegram C2, packages stealing Telegram account sessions, and a coordinated 38-package dependency confusion campaign by an Indonesian-speaking threat actor targeting CI/CD pipelines at Apple, Google, and Alibaba.
Defensive Guidance:
Check whether Nx Console version 18.95.0 was installed during the 11-minute exposure window on May 18.

Hunt for the following artifacts: ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /var/tmp/.gh_update_state, or /tmp/kitty-* files. Look for Python processes running cat.py or any process with __DAEMONIZED=1 in its environment.

If any indicators are found, terminate the processes, delete the artifacts, and rotate all credentials reachable from that machine: npm tokens, GitHub tokens, AWS keys, SSH keys, 1Password vault contents, and any secrets stored in .env files or Claude Code configurations.

The Sigstore poisoning capability means downstream npm packages published from compromised environments should be audited even if they carry valid provenance attestations.
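The artifact hunt described above, written as a script. This is an added example, not code from the Nx team or the original report; the optional directory arguments are assumptions introduced here so the checks can be pointed at a mounted disk image, and the environment-variable check relies on Linux procfs, so on macOS only the file and pgrep checks apply.

```shell
#!/bin/sh
# Added example: hunt for the Nx Console 18.95.0 artifacts named in the guidance.
# The home/root/proc arguments are assumptions added so the functions can be
# pointed at a mounted disk image or a test tree; defaults scan the live host.

hunt_files() {  # usage: hunt_files [HOME_DIR] [ROOT_PREFIX]
    home_dir=${1:-$HOME}; root_dir=${2:-}
    for p in \
        "$home_dir/.local/share/kitty/cat.py" \
        "$home_dir/Library/LaunchAgents/com.user.kitty-monitor.plist" \
        "$root_dir/var/tmp/.gh_update_state" \
        "$root_dir"/tmp/kitty-*
    do
        # An unmatched glob stays literal, so existence is tested explicitly.
        if [ -e "$p" ]; then printf 'FILE %s\n' "$p"; fi
    done
}

hunt_env() {  # usage: hunt_env [PROC_DIR]  (Linux procfs layout)
    proc_dir=${1:-/proc}
    for env_file in "$proc_dir"/[0-9]*/environ; do
        [ -r "$env_file" ] || continue
        # environ is NUL-separated; match the variable as a whole entry.
        if tr '\0' '\n' 2>/dev/null < "$env_file" | grep -qx '__DAEMONIZED=1'; then
            pid=${env_file%/environ}
            printf 'PROC %s __DAEMONIZED=1\n' "${pid##*/}"
        fi
    done
}

hunt_procs() {  # Python processes running cat.py, via pgrep where available
    if command -v pgrep >/dev/null 2>&1; then
        for pid in $(pgrep -f 'python.*cat\.py' || true); do
            printf 'PROC %s cat.py\n' "$pid"
        done
    fi
}

hunt_all() {
    hits=$( { hunt_files; hunt_env; hunt_procs; } )
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        echo "Indicators found: terminate the processes, delete the artifacts, rotate credentials."
    else
        echo "No Nx Console 18.95.0 artifacts found."
    fi
}

hunt_all
```

Run it as the affected user and again as root: without root, other users' /proc/*/environ entries are unreadable and are skipped silently.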