Nx Console VS Code Extension Hijacked for 11 Minutes

A compromised version of the Nx Console VS Code extension (nrwl.angular-console v18.95.0) was published to the Visual Studio Code Marketplace on May 18, 2026, exposing over 2.2 million developers to a sophisticated credential stealer. The malicious version remained live for approximately 11 minutes before the Nx team pulled it—but that window was enough for attackers to compromise an unknown number of developer environments.

This marks the second time the Nx ecosystem has been targeted within a year, following August 2025's s1ngularity campaign. The attack's sophistication suggests well-resourced operators who understand modern software supply chain security—and know how to abuse it.

Attack Vector

The compromise originated from a stolen GitHub personal access token. According to StepSecurity's analysis, the token was scraped during a separate, earlier supply chain incident and belonged to an account with push access to the nrwl/nx repository.

With repository access, attackers pushed an obfuscated orphan commit containing their payload to the official nrwl/nx GitHub repository—hidden among legitimate code. They then used the same access (directly or indirectly) to obtain VS Code Marketplace publishing credentials (VSCE_PAT) and publish the malicious extension version.

Payload Capabilities

Within seconds of a developer opening any workspace with the compromised extension installed, it fetched and executed a 498 KB obfuscated payload from the orphan commit. The payload functions as a multi-stage credential stealer and supply chain poisoning tool with three-channel exfiltration:

1. HTTPS — direct upload to attacker infrastructure
2. GitHub API — using stolen tokens to exfiltrate data through GitHub's legitimate API
3. DNS tunneling — encoding data in DNS queries to bypass network monitoring

The stealer targets:

• GitHub CLI configs and tokens
• npm registry credentials
• AWS credentials
• HashiCorp Vault tokens
• Kubernetes service account tokens
• 1Password vault data
• Claude Code and Kiro IDE configurations — making this possibly the first supply chain payload specifically designed to harvest AI coding assistant credentials

Sigstore Abuse: Signing Malicious Packages

The most alarming capability involves Sigstore integration. The payload includes full Fulcio certificate issuance and SLSA provenance generation. Combined with stolen npm OIDC tokens, attackers could publish downstream npm packages with valid, cryptographically signed provenance attestations.

This means malicious packages would appear as legitimate, verified builds in registries—defeating the very supply chain security mechanisms designed to prevent such attacks. Organizations checking Sigstore signatures as part of their security posture would see valid attestations pointing to malicious code.

This attack pattern mirrors what we saw in the TanStack/Mini Shai-Hulud campaign earlier this month, where attackers similarly abused OIDC tokens to publish signed packages. The convergence of these techniques suggests supply chain attackers have standardized on this approach.

Persistence Mechanism

The malware installs a Python-based backdoor disguised as a legitimate process:

macOS:

• Backdoor: ~/Library/Application Support/kitty/cat.py
• Persistence: ~/Library/LaunchAgents/com.user.kitty-monitor.plist

Linux:

• Backdoor: ~/.local/share/kitty/cat.py
• Persistence: ~/.config/systemd/user/kitty-monitor.service

The backdoor uses GitHub's Search API for C2 communication—legitimate traffic that blends with normal developer activity.

Detection and Response

Organizations should check for these indicators:

Files:

• ~/.local/share/kitty/cat.py (Linux)
• ~/Library/Application Support/kitty/cat.py (macOS)
• /var/tmp/.gh_update_state
• /tmp/kitty-*

Processes:

• Python running cat.py
• Any process with __DAEMONIZED=1 environment variable

Immediate Actions:

1. Update Nx Console to version 18.100.0 or later
2. Terminate identified malicious processes
3. Delete backdoor artifacts from affected systems
4. Rotate all credentials including GitHub tokens, npm tokens, AWS keys, Vault tokens, and Kubernetes service accounts
5. Audit recent npm publishes from affected developer accounts

Why This Matters

The 11-minute exposure window might seem brief, but VS Code extensions auto-update by default. Any developer who opened VS Code during that window could have been compromised. The payload's design—targeting AI assistant configs, implementing Sigstore abuse, using GitHub API for C2—shows attackers deeply understand developer workflows and security tooling.

The node-ipc supply chain attack we covered last week targeted similar developer credentials. Combined with this Nx Console incident and the ongoing Mini Shai-Hulud campaigns, developer environments are clearly under sustained attack.

Security teams should treat development machines as high-value targets. Credential compartmentalization, token scoping with minimal permissions, and rapid rotation on any suspected compromise aren't optional anymore. The attackers chaining these supply chain incidents understand that developer credentials unlock access to production systems, cloud infrastructure, and further supply chain compromise opportunities.