"Within seconds of a developer opening any workspace, the compromised extension silently fetched and executed a 498 KB obfuscated payload from a dangling orphan commit hidden inside the official nrwl/nx GitHub repository," StepSecurity researcher Ashish Kurmi said.
rwl.angular-console 18.95.0 compromise and scope
The Visual Studio Code extension rwl.angular-console (version 18.95.0) was published to the VS Code Marketplace in a compromised state. The extension — a UI and plugin used by editors including VS Code, Cursor, and JetBrains — has more than 2.2 million installations; the Open VSX variant was not affected. The Nx maintainers traced the root cause to one of its developers, whose machine was compromised in a recent security incident that leaked their GitHub credentials. Those credentials were abused to push an orphaned, unsigned commit to the nrwl/nx repository that introduced the malware.
The exposure window for installations of Nx Console 18.95.0 was narrow and specific: May 18, 2026, between 2:36 p.m. CEST and 2:47 p.m. CEST, according to the maintainers' advisory.
Payload behavior: multi-stage credential theft, backdoor, and provenance abuse
Security researchers describe the delivered payload as a "multi-stage credential stealer and supply chain poisoning tool." Once triggered by opening any workspace, the compromised extension installs the Bun JavaScript runtime to run an obfuscated index.js payload.
The payload performs staged credential harvesting and exfiltration via multiple channels — HTTPS, the GitHub API, and DNS tunneling — and installs a Python backdoor on macOS systems that uses the GitHub Search API as a dead drop resolver for further commands. It specifically looks for and retrieves secrets from 1Password vaults and Anthropic Claude Code configurations, and harvests tokens and secrets associated with npm, GitHub, and Amazon Web Services (AWS).
Researchers noted operational tradecraft intended to limit detection: the malware checks to avoid infecting machines likely located in Russian/CIS time zones and launches itself as a detached background process to run the harvesting workflow. StepSecurity also highlighted a striking capability: "One capability that stands out: the payload contains full Sigstore integration, including Fulcio certificate issuance and SLSA provenance generation," the firm said. Combined with stolen npm OIDC tokens, that integration could let an attacker publish downstream npm packages that carry valid, cryptographically signed provenance attestations — making malicious packages appear as verified builds.
Indicators of compromise and immediate remediation steps
The Nx maintainers published concrete indicators of compromise and remediation guidance. They acknowledged that a "few users were compromised" and urged updates to version 18.100.0 or later. Key indicators and steps include:
- Exposure window: Nx Console version 18.95.0 installed between May 18, 2026, at 2:36 p.m. CEST and 2:47 p.m. CEST.
- Files that may indicate compromise: ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /var/tmp/.gh_update_state, or /tmp/kitty-*.
- Processes that may be present: a python process running cat.py and any process with __DAEMONIZED=1 in its environment.
- Recommended actions: terminate the identified processes, delete artifacts on disk, and rotate all credentials reachable from the affected machine — including tokens, secrets, and SSH keys.
Related malicious npm packages discovered during the same period
Researchers also cataloged a slate of malicious npm packages discovered around the same time, each with distinct malicious behaviors:
- iceberg-javascript, supabase-javascript, auth-javascript, microsoft-applicationinsights-common, and ms-graph-types: packages containing a hidden ELF binary that backdoors Claude Code sessions to steal developer credentials.
- noon-contracts: an impersonator of a Noon Protocol smart contract SDK that exfiltrates SSH keys, crypto wallet private keys, AWS credentials, Kubernetes secrets, .env files, shell history, Docker/Git/npm tokens, and browser wallet storage paths.
- martinez-polygon-clipping-tony: a trojanized fork using a postinstall hook to download a 17MB PyInstaller-packed Windows remote access trojan that uses Telegram for command-and-control and supports remote shell, screenshots, file transfer, and arbitrary Python execution.
- common-tg-service: a package that includes functionality to take over a victim's Telegram account while posing as "Common Telegram service for NestJS applications."
- exiouss: bundles a ChatGPT and OpenAI session cookie stealer targeting Chrome, Edge, and Brave browsers.
- k8s-pod-checker, dev-env-setup, node-perf-utils: part of a kube-health-tools cluster that installs an LLM proxy service to route LLM traffic through compromised servers.
- A coordinated credential-harvesting campaign using 38 Indonesian-language npm packages that leverage dependency confusion to trick CI/CD pipelines into resolving malicious public packages ahead of legitimate private ones tied to Apple, Google, and Alibaba.
- Seven packages under the @hd-team organization acting as a stager for configurations used by Douqiu, a Chinese sports gambling and pirated streaming platform, to select backend servers to connect to.
What this means for VS Code developers, Nx maintainers, and enterprise security teams
- VS Code developers: update Nx Console to 18.100.0 or later, inspect systems for the listed file and process indicators, and rotate all tokens, secrets, and SSH keys accessible from affected machines.
- Nx maintainers and other open-source project teams: prioritize hardening developer credential protection and review commit-signing and repository permissions, recognizing that an orphaned, unsigned commit was used to introduce the payload.
- Enterprise security and CI teams: monitor for dependency confusion and provenance-based deception, and adjust CI/CD pipeline safeguards given the payload's potential to issue Fulcio certificates and generate SLSA provenance tied to stolen OIDC tokens.
The incident is a compact case study in modern supply chain risk: a single compromised developer machine, a short exposure window, and a payload built to harvest credentials, evade regional detection, and weaponize provenance tooling to lend authenticity to future attacks. Users should update, clean affected hosts, and rotate secrets; maintainers and CI operators now face the specific technical challenge flagged by researchers — how to detect and block provenance-backed forgery when stolen tokens can produce apparently legitimate attestations.




