The Nx Console VS Code extension (nrwl.angular-console), with over 2.2 million installs, was compromised in version 18.95.0. The malicious version was published outside the normal CI/CD pipeline using likely stolen credentials, injecting code that runs an obfuscated ~498 KB JavaScript payload on every workspace activation. The payload is a sophisticated multi-stage credential stealer targeting GitHub, NPM, AWS, Kubernetes, SSH keys, and more, with three exfiltration channels, including DNS tunneling. It also includes persistence mechanisms, CI/CD targeting, and Sigstore attestation forgery capabilities. This is the second supply-chain attack against the Nx ecosystem in under a year. Affected users should update to 18.100.0 immediately, check for persistence artifacts, and rotate all credentials.
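To find out whether the compromised release is on a machine, the following added example (not code from the Nx project or from this advisory) reads each installed extension's `package.json` and flags copies of nrwl.angular-console at version 18.95.0. The directory list is an assumption covering the default per-user extension folders of VS Code and common forks; the status labels are this example's own.

```python
import json
from pathlib import Path

EXT_ID = "nrwl.angular-console"   # extension ID named in the advisory
BAD_VERSION = "18.95.0"           # compromised release named in the advisory
FIXED_VERSION = "18.100.0"        # release the advisory says to update to

# Assumption: default per-user extension directories, relative to the home dir.
DEFAULT_ROOTS = [".vscode/extensions", ".vscode-insiders/extensions",
                 ".vscode-server/extensions", ".vscode-oss/extensions",
                 ".cursor/extensions"]


def _ver(v):
    """Turn '18.95.0' into (18, 95, 0); as strings, '18.100.0' sorts below '18.95.0'."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def scan_extensions(roots):
    """Return (path, version, status) for every installed copy of EXT_ID."""
    findings = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for ext_dir in sorted(root.iterdir()):
            manifest = ext_dir / "package.json"
            if not manifest.is_file():
                continue
            try:
                meta = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest
            if not isinstance(meta, dict):
                continue
            ident = f"{meta.get('publisher', '')}.{meta.get('name', '')}".lower()
            if ident != EXT_ID:
                continue
            version = str(meta.get("version", ""))
            if version == BAD_VERSION:
                status = "COMPROMISED"
            elif _ver(version) >= _ver(FIXED_VERSION):
                status = "fixed-or-later"
            else:
                status = "other-version"
            findings.append((str(ext_dir), version, status))
    return findings


if __name__ == "__main__":
    for path, version, status in scan_extensions(Path.home() / r for r in DEFAULT_ROOTS):
        print(f"{status:15} {version:10} {path}")
```

A `COMPROMISED` row means the 18.95.0 files are on disk, even if a newer copy is installed alongside; the scan does not look for the persistence artifacts the advisory mentions.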