Active Exploitation of Compromised Nx Console VS Code Extension via GitHub Token Theft
May 26th, 2026
Critical
Our Cyber Threat Intelligence Unit is tracking an active software supply chain compromise affecting the Nx Console VS Code extension (nrwl.angular-console), a developer productivity tool with over 2.2 million installations. On May 18, 2026, a trojanized version of the extension (v18.95.0) was published to both the Visual Studio Marketplace and Open VSX registry after attackers leveraged a stolen GitHub contributor token obtained during the earlier TanStack npm supply chain compromise specifically through the malicious @tanstack/[email protected] package, one of 84 malicious versions published across 42 @tanstack/* packages during that incident. Using the compromised token, the attacker planted a malicious orphan commit in the official nrwl/nx repository and published the tampered extension, which remained available for approximately 11 minutes on the Visual Studio Marketplace (12:36–12:47 UTC) and 36 minutes on Open VSX (12:30–13:09 UTC). The malicious extension silently fetched and executed an obfuscated multi-stage payload designed to harvest developer tokens, cloud credentials, secrets manager contents, and CI/CD secrets, while also deploying a persistent Python backdoor using the GitHub Search API for covert command-and-control communications. Organizations with developers who had the extension active during either exposure window should treat affected systems as fully compromised. The Nx CLI (nx npm package), official @nx/* plugins, and Nx Cloud were not affected.
Technical Details
Threat Type: Software Supply Chain Attack — Trojanized VS Code Extension via Chained GitHub Token Compromise
Severity: Critical
CVE Reference: No CVE assigned for the Nx Console compromise. GHSA-c9j4-9m59-847w is the official advisory. The upstream TanStack campaign is tracked separately as GHSA-g7cv-rxg3-hmpx.
Affected Components: Nx Console VS Code extension (nrwl.angular-console) version 18.95.0 exactly. No earlier or later versions are affected. OpenVSX was also affected during a 36-minute window.
Threat Actor: TeamPCP (Mini Shai-Hulud campaign)
Exploit Status: Confirmed active exploitation; GitHub has disclosed internal repository exfiltration linked to this campaign
Attack Chain
Attack originated from the May 11, 2026 TanStack npm supply chain compromise, where the malicious @tanstack/[email protected] package, one of 84 malicious versions published across 42 @tanstack/* packages, exfiltrated an Nx contributor's GitHub CLI OAuth token during a routine pnpm install operation. A minimum-release-age safeguard was configured but silently ignored due to an incompatible pnpm version (10.14), allowing the 77-minute-old malicious package to resolve without restriction.
Attacker retained access to the stolen token for approximately seven days, conducting covert reconnaissance and workflow manipulation activity including bulk deletion of CodeQL Analysis workflow runs across Nx repositories before publishing the malicious extension.
Using the compromised contributor credentials, the attacker pushed an unsigned orphan commit (558b09d7) to the official nrwl/nx repository containing a minimal malicious package with an obfuscated credential-stealing payload. The commit message was designed as a social engineering tactic to delay cleanup.
Attacker published the trojanized nrwl.angular-console v18.95.0 extension to both the Visual Studio Marketplace and Open VSX using compromised VSCE_PAT publishing credentials. Both uploads passed automated security scanning without detection.
Malicious code injected into main.js silently executed npx -y github:nrwl/nx#558b09d7 during workspace activation, fetching and launching a 498 KB obfuscated JavaScript payload without visible user interaction. A VS Code globalState key was set after first execution to prevent re-triggering.
Payload implemented sandbox evasion (CPU count check, environment variable filtering) and self-daemonization before harvesting GitHub tokens, npm OIDC credentials, AWS access keys, HashiCorp Vault tokens, SSH keys, .env files, Docker configurations, GCP credentials, and Claude Code configuration files (~/.claude/settings.json). On Linux, the payload also attempted privilege escalation via passwordless sudo.
Harvested data was encrypted using AES-256-GCM with RSA-4096 key wrapping and exfiltrated through HTTPS-based C2 traffic, GitHub API abuse using victim tokens, and DNS tunneling.
Stolen npm OIDC tokens were abused to obtain legitimate Sigstore certificates through Fulcio/Rekor infrastructure, allowing malicious downstream npm packages to appear cryptographically trusted.
Persistence was established through a Python backdoor (~/.local/share/kitty/cat.py) using GitHub Search API commit queries (firedalazer <base64-url>.<base64-signature>) as a covert dead-drop command-and-control channel with RSA-4096 signed payload delivery, executing hourly via a macOS LaunchAgent or equivalent platform mechanism.
Impact
Any developer who had nrwl.angular-console installed with auto-update enabled and opened a workspace between 12:36–12:47 UTC (Visual Studio Marketplace) or 12:30–13:09 UTC (Open VSX) on May 18, 2026 should treat their workstation as fully compromised; the Open VSX exposure window remained active 22 minutes longer than the Visual Studio Marketplace version.
The payload targeted not only locally stored secrets, but also credentials accessible at runtime through password managers, cloud metadata services, and developer tooling including gh, aws, gcloud, and op sessions.
GitHub disclosed the exfiltration of approximately 3,800 internal repositories associated with the broader campaign following compromise of an employee workstation through a malicious VS Code extension.
GitHub Actions secrets at both repository and organization scope were targeted using any accessible developer token, creating downstream CI/CD and software supply chain risk.
Attacker activity persisted within Nx repositories for approximately seven days prior to discovery, indicating prolonged unauthorized access and audit log evasion activity.
The Sigstore attestation abuse capability allows malicious downstream npm packages to appear cryptographically trusted with valid provenance signatures, reducing the effectiveness of signature-based verification controls.
The payload specifically targeted AI developer tooling and configuration files, including Claude Code settings, expanding the compromise scope beyond traditional developer credentials.
A persistent Python backdoor provided ongoing command-and-control access through GitHub Search API dead-drop communications and survives credential rotation unless explicitly removed.
The Nx CLI (nx npm package), official @nx/* plugins, and Nx Cloud were not affected and do not require remediation.
Detection Method
Security teams should prioritize the following detection actions:
Compromised Extension Version: Audit all developer endpoints for nrwl.angular-console at exactly version 18.95.0 using code --list-extensions --show-versions | grep angular-console. Any instance of this version should be treated as compromised. Additionally, review VS Code globalState for the key nxConsole.mcpExtensionInstalledSha=558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2, which indicates successful payload execution.
Orphan Commit Execution: Monitor for npx or node processes executing with the argument github:nrwl/nx#558b09d7, or for processes containing the environment variable __DAEMONIZED=1, indicating a forked background payload process. Review npm caches for references to nrwl/nx#558b09d7. On Windows, query process command lines for kitty, cat.py, 558b09d7, or __DAEMONIZED.
Persistence Artifacts: Check for ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /tmp/kitty-*, and /var/tmp/.gh_update_state on macOS/Linux. On Windows, review %USERPROFILE%\.local\share\kitty\cat.py, %TEMP%\kitty-*, %TEMP%\.gh_update_state, %USERPROFILE%\.bun\bin\bun.exe, Scheduled Tasks, Registry Run keys, and Startup folder entries for unauthorized persistence mechanisms.
Python Backdoor C2 Activity: Monitor for outbound requests to api.github.com/search/commits?q=firedalazer, which indicates active Python backdoor dead-drop C2 communications.
Active Payload Processes: Investigate running python3 processes containing cat.py in command-line arguments or any process with the __DAEMONIZED=1 environment variable, indicating active malware execution.
Exfiltration Channel Monitoring: Monitor for unexpected outbound HTTPS traffic over port 443 from node or bun processes on developer workstations, and review anomalous DNS query volume that may indicate DNS tunneling activity.
Sigstore Activity: Monitor for unexpected outbound connections to fulcio.sigstore.dev or rekor.sigstore.dev from developer workstations rather than CI/CD infrastructure, which may indicate attestation forgery using stolen npm OIDC tokens.
GitHub Audit Log Review: Review repository and organization audit logs for unexpected commits, force-pushes, workflow modifications, workflow run deletions (particularly CodeQL Analysis runs), token creation events, and SSH key additions during the May 11–18, 2026 window.
Upstream TanStack Exposure: Organizations whose developers executed pnpm install in projects consuming @tanstack/* packages during the May 11, 2026 compromise window should review associated systems and GitHub tokens for related credential theft activity, even if Nx Console was not installed.
Sudoers Modification Audit: On Linux systems, review /etc/sudoers and /etc/sudoers.d/ for unauthorized NOPASSWD entries or other privilege escalation modifications introduced by the payload.
Indicators of Compromise
Indicator Type | Indicator | Description |
VS Code Extension | Compromised extension version (Visual Studio Marketplace and Open VSX) | |
Git Commit SHA | 558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2 | Malicious orphan commit planted in nrwl/nx repository |
Git Tree SHA | ba642fe2c7c65e42dd7f6444b83023dc6827e08c | Orphan commit tree object |
Git Blob SHA | acfc3f957a63b4cde93ff645f2b6bf26a8ed1bbf | index.js blob within orphan commit |
Git Blob SHA | 9d88f040c44b5f4d5f9db15ff89310776c168e99 | package.json blob within orphan commit |
VS Code GlobalState Key | nxConsole.mcpExtensionInstalledSha = 558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2 | Confirms successful payload execution on a given machine |
URL | api.github[.]com/search/commits?q=firedalazer | Python backdoor dead-drop C2 polling query |
Network | fulcio.sigstore[.]dev | Sigstore Fulcio endpoint; unexpected dev-machine connections indicate attestation forgery |
Network | rekor.sigstore[.]dev | Sigstore Rekor endpoint; unexpected dev-machine connections indicate attestation forgery |
Environment Variable | __DAEMONIZED=1 | Present on active forked payload daemon processes |
File Path | ~/.local/share/kitty/cat.py | Python C2 backdoor (macOS/Linux) |
File Path | ~/Library/LaunchAgents/com.user.kitty-monitor.plist | macOS LaunchAgent persistence (hourly execution) |
File Path | /tmp/kitty-* | Temporary payload staging directory (macOS/Linux) |
File Path | /var/tmp/.gh_update_state | Python backdoor anti-replay state file (macOS/Linux) |
File Path | %USERPROFILE%.local\share\kitty\cat.py | Python C2 backdoor (Windows) |
File Path | %TEMP%\kitty-* | Temporary payload staging directory (Windows) |
File Path | %TEMP%.gh_update_state | Python backdoor anti-replay state file (Windows) |
File Path | %USERPROFILE%.bun\bin\bun.exe | Bun runtime installed for persistence (Windows) |
SHA-256 | 1a4afce34918bdc74ae3f31edaffffaa0ee074d83618f53edfd88137927340b8 | Malicious Nx Console VSIX (v18.95.0) |
SHA-256 | b0cefb66b953e5184b6adb3035e9e267335ac5eabfe1848e07834777b9397b74 | Malicious main.js within VSIX |
SHA-256 | e7347d90653efc565f03733a95e9209d78f9cfa81e31ff2b2dd9d48d75a4b8b1 | Obfuscated index.js payload (orphan commit) |
SHA-256 | 43f2b001846c4966073ebffa5be8f15e491a1e7d32bbd805d57406ff540e0dd9 | Dropper package.json (orphan commit) |
Recommendations
Update Nx Console Immediately: Uninstall nrwl.angular-console v18.95.0 and upgrade to v18.100.0 or later across VS Code, Cursor, and other VS Code-based editors. Version 18.95.0 is the only confirmed malicious version; v18.100.0 is the confirmed safe release per GHSA-c9j4-9m59-847w. Verify installed versions using code --list-extensions --show-versions | grep angular-console.
Remove and Remediate: Delete persistence artifacts including ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /tmp/kitty-*, and /var/tmp/.gh_update_state, and terminate associated daemon processes (pkill -f __DAEMONIZED, pkill -f "kitty-", pkill -f "cat.py"). On Windows, review Scheduled Tasks, Registry Run keys, Startup folder entries, and remove unauthorized persistence artifacts including %USERPROFILE%\.bun\bin\bun.exe. On Linux, audit /etc/sudoers and /etc/sudoers.d/ for unauthorized NOPASSWD entries.
Rotate Credentials: Rotate all credentials accessible from impacted systems, including GitHub tokens, npm tokens, AWS/GCP/Azure credentials, Kubernetes tokens, Vault secrets, SSH keys, 1Password vault data, and secrets stored in environment variables or .env files. Rotate GitHub Actions secrets across all affected repositories and organizations.
Harden Developer Authentication: Avoid persistent gh CLI OAuth token storage in ~/.config/gh/hosts.yml. Use secret manager wrappers such as op plugin run -- gh to inject credentials only at runtime and reduce credential exposure risk.
Enforce pnpm Release-Age Protection: Ensure minimum-release-age protections are enforced using pnpm v10.16 or later, as earlier versions silently ignore the setting. Implement CI validation to block unsupported pnpm versions.
Audit Repository Integrity: Review all repositories accessible to the affected developer token for unauthorized commits, force-pushes, workflow file modifications, workflow deletions (particularly CodeQL Analysis runs), SSH key additions, and token generation events during the May 11–18, 2026 dwell period.
Harden Publishing Pipelines: Require multi-party approval for all public package and extension publishing workflows across npm, VS Code Marketplace, Open VSX, and other registries. Eliminate single-actor publishing paths for production releases.
Verify Package Integrity: Package maintainers should review npm publish history and inspect Sigstore transparency logs (search.sigstore.dev) for unauthorized attestations generated using compromised OIDC tokens. Do not rely solely on cryptographic provenance validation.
Monitor GitHub Audit Logs: Implement SIEM-based monitoring and alerting for bulk workflow deletions, workflow file modifications, force-pushes, and anomalous GitHub Actions activity to improve detection of prolonged attacker dwell time.
Consider Full System Reimaging: Systems with confirmed exposure should be treated as fully compromised. For high-sensitivity developer environments with access to production infrastructure, CI/CD pipelines, or secrets managers, full workstation reimaging is the safest remediation approach.
Conclusion
The Nx Console v18.95.0 compromise demonstrates how a single upstream supply chain breach can escalate into a large-scale attack against developer environments through stolen credentials and trusted software distribution channels. By leveraging credentials compromised during the May 11, 2026 TanStack npm incident, the attacker published a trojanized VS Code extension capable of harvesting developer tokens, cloud credentials, and CI/CD secrets while establishing persistent access on affected systems. The incident highlights weaknesses in package protection controls, publishing workflows, and audit monitoring practices. The abuse of Sigstore attestation infrastructure further demonstrates that cryptographic provenance alone can no longer be treated as a sufficient trust signal. Organizations should immediately assess exposure, remove the compromised extension, rotate all accessible credentials, and strengthen controls across software development and CI/CD environments.
References
https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w
https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised
https://github.com/nrwl/nx-console/issues/3139
https://thehackernews.com/2026/05/github-investigating-teampcp-claimed.html
https://www.bleepingcomputer.com/news/security/github-investigates-internal-repositories-breach-claimed-by-teampcp/
https://nx.dev/blog/nx-console-v18-95-0-postmortem