[TIMESTAMP: 2026-05-19 09:18 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Nx Console 18.95.0 Compromise: VS Code Extension Credential Stealer

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Attackers compromised version 18.95.0 of the Nx Console extension to exfiltrate developer credentials and sensitive environment data.
  • [02] The primary affected system is the Visual Studio Code Marketplace extension rwl.angular-console version 18.95.0.
  • [03] Developers must immediately uninstall version 18.95.0, rotate all environment secrets, and revert to a verified version of the extension.

Overview of the Nx Console Supply Chain Incident

Security researchers have identified a sophisticated Supply Chain Attack targeting the developer community through the Microsoft Visual Studio Code (VS Code) Marketplace. The compromise involves version 18.95.0 of the Nx Console extension, identified by the identifier rwl.angular-console. This extension is a widely adopted tool for developers working within the Nx ecosystem, providing a user interface for workspace management across editors like VS Code, Cursor, and JetBrains.

According to The Hacker News, the malicious version was published directly to the marketplace, potentially impacting a significant portion of the extension’s 2.2 million users. This incident highlights a growing trend in adversary TTPs: targeting the tools developers trust most in order to gain a foothold in high-value corporate environments.

Technical Analysis of the Nx Console 18.95.0 Credential Stealer

The malicious payload embedded in version 18.95.0 is designed to function as a credential stealer. Upon installation or update, the extension executes obfuscated scripts that scan the local environment for sensitive information. This includes environment variables, cloud provider configuration files (such as AWS and Azure credentials), and SSH keys. The harvested data is then exfiltrated to a remote C2 server controlled by the attackers.

Security professionals investigating their environments should focus on detection patterns for the Nx Console 18.95.0 compromise, most notably unusual outbound network traffic from the VS Code process to unrecognised IP addresses or domains. Because developers frequently have high-level access to production infrastructure, a compromise at this level can lead to significant Lateral Movement within a corporate network.

Data Exfiltration and Persistence

The malware focuses on long-term data collection rather than immediate disruption. By targeting the extension marketplace, the attackers ensure that the malicious code is automatically distributed to workstations via the IDE’s built-in update mechanism. This bypasses many traditional perimeter security controls, as the traffic appears to originate from a trusted application. Standard EDR solutions may not immediately flag the extension’s activity if the scripts are executed within the context of the legitimate VS Code host process.

Nx Console 18.95.0 Credential Stealer Mitigation and Detection

To address this threat, organizations must immediately audit their developer workstations. The most urgent action is the removal of the compromised extension and a comprehensive cleanup of any cached extension data. Security teams should query their SIEM or SOC logs for installations of version 18.95.0 and for any IoC associated with that build.

Beyond simple removal, the following steps are recommended to ensure VS Code extension supply chain security:

  • Verify Versioning: Ensure all developers have rolled back to a verified stable version (e.g., 18.94.x) or updated to a subsequent patched version if available.
  • Secret Rotation: Because the extension targeted environment variables and configuration files, all secrets, API keys, and cloud credentials present on the affected machine at the time of compromise must be considered compromised and rotated immediately.
  • Environment Auditing: Review cloud access logs for any anomalous activity originating from developer IAM roles or service accounts that may have been accessed via stolen tokens.
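One way to carry out the workstation audit above, as an added example that is not code from the advisory or the Nx project: a small Python script that flags the compromised build either from the output of `code --list-extensions --show-versions` or from the package.json manifests under the VS Code extensions directory. The function names and the sample inputs are constructed for illustration.

```python
"""Audit a developer workstation for the compromised Nx Console build."""
import json
import sys
from pathlib import Path

# The build named in the advisory (extension id as published on the Marketplace).
COMPROMISED = {("rwl.angular-console", "18.95.0")}

# Default VS Code extensions directory on Linux/macOS (assumption; Windows differs).
DEFAULT_EXT_DIR = Path.home() / ".vscode" / "extensions"


def parse_list_output(text):
    """Parse `code --list-extensions --show-versions` lines ("publisher.name@version")."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if "@" not in line:
            continue
        ext_id, _, version = line.rpartition("@")
        found.append((ext_id.lower(), version))
    return found


def records_from_manifests(manifests):
    """Turn parsed package.json dicts into (id, version) pairs, lower-casing the id
    because VS Code stores extension ids case-insensitively."""
    found = []
    for meta in manifests:
        ext_id = f"{meta.get('publisher', '')}.{meta.get('name', '')}".lower()
        found.append((ext_id, str(meta.get("version", ""))))
    return found


def scan_extension_dir(ext_dir=DEFAULT_EXT_DIR):
    """Read every <ext_dir>/*/package.json; unreadable manifests are skipped."""
    manifests = []
    for pkg in Path(ext_dir).glob("*/package.json"):
        try:
            manifests.append(json.loads(pkg.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue
    return records_from_manifests(manifests)


def flag_compromised(installed):
    """Return the installed (id, version) pairs that match the compromised set."""
    return sorted(set(installed) & COMPROMISED)


if __name__ == "__main__":
    hits = flag_compromised(scan_extension_dir())
    print("compromised extensions found:", hits or "none")
    sys.exit(1 if hits else 0)
```

A non-zero exit status makes the script usable from fleet-management tooling, where a hit should trigger removal of the extension and rotation of the secrets present on that machine.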

This incident underscores the necessity of a Zero Trust approach to internal developer tools. Relying solely on marketplace popularity or historical trust is insufficient. Organizations should consider implementing extension allowlists and monitoring for unauthorized VS Code extension installations as part of a broader defensive programme mapped to MITRE ATT&CK.
