Researchers uncovered a compromised Nx Console extension, rwl.angular-console 18.95.0, on the Microsoft Visual Studio Code Marketplace that silently executed an obfuscated payload to steal developer secrets and enable supply chain abuse. The attack was traced to leaked GitHub credentials from a developer account and affected the Nx ecosystem, prompting users to update immediately and rotate exposed credentials. #NxConsole #rwlangularconsole #MicrosoftVisualStudioCodeMarketplace #nrwlnx #GitHub
Keypoints
- The compromised rwl.angular-console 18.95.0 extension was published to the VS Code Marketplace.
- The payload fetched and executed a hidden 498 KB obfuscated file from the nrwl/nx GitHub repository.
- The malware stole secrets from 1Password, Anthropic Claude Code, npm, GitHub, and AWS.
- The attack used Sigstore, Fulcio, and SLSA to help make malicious packages look legitimate.
- Nx advised users to upgrade to 18.100.0 or later and remove any infected artifacts.
Read More: https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html