The popular Nx Console VS Code extension, installed by over 2.2 million developers, was hijacked on May 18 after an attacker published a malicious version containing a sophisticated multi-stage credential stealer. The compromised version 18.95.0 was live on the VS Code Marketplace for approximately 11 minutes before the Nx team detected and removed it, though the team acknowledged that a small number of users were affected during that window.

The attack was discovered by StepSecurity researcher Ashish Kurmi, who traced the compromise to a stolen GitHub personal access token belonging to an Nx contributor. The token had been scraped during a separate earlier supply chain incident. Using the stolen credentials, the attacker pushed an orphan commit to the official nrwl/nx GitHub repository at 03:18 UTC on May 18, then published the poisoned extension to the marketplace nine hours later.

Technical analysis revealed that the attacker injected 2,777 bytes of malicious code into the minified main.js file. Upon activation, the extension silently fetched a 498 KB obfuscated payload from a dangling orphan commit hidden inside the official repository. The payload used four layers of obfuscation, including a shuffled string table with 1,729 entries, keys derived with PBKDF2 over 200,000 SHA-512 iterations, and 14 encrypted binary blobs containing RSA keys and a Python backdoor.

The credential stealer ran six parallel collector classes targeting GitHub tokens, npm tokens, AWS credentials, HashiCorp Vault secrets, Kubernetes configurations, 1Password vault items, SSH keys, and notably Claude Code AI assistant configuration files. Stolen data was exfiltrated through three independent channels using HTTPS, the GitHub API, and DNS tunneling with hybrid AES-256-GCM and RSA-OAEP encryption. On macOS systems, a persistent Python backdoor was installed with a LaunchAgent for hourly execution.

StepSecurity described the attack as one of the first known supply chain compromises designed to steal credentials from AI coding assistants. The payload also included full Sigstore integration, enabling the attacker to forge cryptographically signed npm packages with valid provenance attestations, making poisoned downstream packages appear as legitimate verified builds.

Affected developers should immediately update to Nx Console version 18.100.0 or later, kill any orphaned processes related to the malware, remove persistence artifacts from disk, and rotate all credentials reachable from compromised machines including GitHub tokens, SSH keys, cloud provider credentials, and AI assistant configurations. Organizations in high-sensitivity environments should consider reimaging affected workstations entirely.
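The article describes the macOS persistence as a Python backdoor registered through a LaunchAgent that runs hourly, and the remediation steps above include removing such artifacts. The following script is an added example, not code from the article, StepSecurity, or the Nx project: it scans a LaunchAgents directory and flags plists that match the traits the article gives (a Python interpreter as the program, a 3600-second StartInterval, RunAtLoad). The plist file names, labels and script paths in the sample data are constructed for the demonstration; the real agent's name and path are not given by the article, so the check is heuristic and anything it flags should be reviewed by hand before removal.

```python
"""Flag macOS LaunchAgents that look like the hourly Python persistence described above.

Added example: the detection traits come from the article (Python interpreter,
hourly StartInterval, persistence via LaunchAgent); sample plists are constructed.
"""
import os
import plistlib
import tempfile
from pathlib import Path

HOURLY_SECONDS = 3600


def _invokes_python(args):
    """True if the executable (or an `env`-style first argument) is a Python interpreter."""
    names = [os.path.basename(str(a)) for a in args[:2]]
    return any(n.startswith("python") for n in names)


def assess_agent(plist):
    """Return the list of traits in this LaunchAgent dict that match the described backdoor."""
    reasons = []
    args = list(plist.get("ProgramArguments") or [])
    if not args and plist.get("Program"):
        args = [plist["Program"]]
    if _invokes_python(args):
        reasons.append("runs a Python interpreter")
    if plist.get("StartInterval") == HOURLY_SECONDS:
        reasons.append("StartInterval is 3600s (hourly)")
    if plist.get("RunAtLoad"):
        reasons.append("RunAtLoad is set")
    return reasons


def scan_launch_agents(directory):
    """Scan every .plist in `directory`; return {filename: reasons} for agents worth a look.

    Two or more matching traits, or a plist that cannot be parsed at all, is reported.
    """
    findings = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # malformed plist in LaunchAgents is itself suspicious
            findings[path.name] = [f"unparseable plist: {exc}"]
            continue
        reasons = assess_agent(plist)
        if len(reasons) >= 2:
            findings[path.name] = reasons
    return findings


# Constructed sample agents (hypothetical names and paths, not indicators from the article).
SAMPLE_AGENTS = {
    "com.example.benign.plist": {
        "Label": "com.example.benign",
        "ProgramArguments": ["/usr/bin/true"],
        "RunAtLoad": True,
    },
    "com.example.suspect.plist": {
        "Label": "com.example.suspect",
        "ProgramArguments": ["/usr/bin/python3", "/Users/dev/.local/share/agent.py"],
        "StartInterval": HOURLY_SECONDS,
        "RunAtLoad": True,
    },
}


def write_samples(directory):
    """Write the constructed sample plists into `directory` in XML plist format."""
    for name, content in SAMPLE_AGENTS.items():
        with open(Path(directory) / name, "wb") as fh:
            plistlib.dump(content, fh)


def demo():
    """Run the scanner over the constructed samples in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        write_samples(tmp)
        return scan_launch_agents(tmp)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'; '.join(reasons)}")
    # On a real workstation, point it at the user's agents instead of the samples:
    # scan_launch_agents(Path.home() / "Library" / "LaunchAgents")
```

Running the script as-is exercises the heuristic on the constructed samples only; to inspect a workstation, call `scan_launch_agents` on `~/Library/LaunchAgents` (and, with privileges, `/Library/LaunchAgents`) and treat each hit as a lead to be confirmed by reading the plist and the script it points at, since legitimate tooling can also schedule Python hourly.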