Malicious VS Code Extension Targets Developers with Credential Theft

A compromised Nx Console extension silently harvested developer credentials from password managers, cloud services, and code repositories through a multi-stage attack on VS Code users.

CSBadmin
2 Min Read

Extension Compromise Details

Cybersecurity researchers have identified a compromised version of the Nx Console extension published to the Microsoft Visual Studio Code Marketplace. The affected version is 18.95.0. Nx Console is a widely used user interface plugin that supports code editors including VS Code, Cursor, and JetBrains tools, and has amassed over 2.2 million installations. The Open VSX version remains unaffected by this incident.

How the Attack Worked

When a developer opened any workspace in VS Code, the malicious extension immediately fetched an obfuscated payload from a hidden commit within the official nrwl/nx GitHub repository. This payload operated as a multi-stage credential stealer and supply-chain poisoning tool. It harvested sensitive data including secrets from 1Password vaults, Anthropic Claude Code configurations, npm tokens, GitHub credentials, and Amazon Web Services keys. The malware exfiltrated the stolen data over HTTPS connections, the GitHub API, and DNS tunneling. On macOS systems, it also installed a Python backdoor that abused the GitHub Search API as a command-and-control channel.

The extension maintainers traced the root cause to a developer whose machine had been previously compromised, leading to leaked GitHub credentials. The attackers used these credentials to push an unsigned commit containing the malicious code to the official repository.

Source: The Hacker News
