
"Within seconds of a developer opening any workspace, the compromised extension silently fetched and executed a 498 KB obfuscated payload from a dangling orphan commit hidden inside the official nrwl/nx GitHub repository. The payload is a multi-stage credential stealer and supply chain poisoning tool that harvests developer secrets and exfiltrates them via HTTPS, the GitHub API, and DNS tunneling. It also installs a Python backdoor on macOS systems that abuses the GitHub Search API as a dead drop resolver for receiving further commands."
"The access afforded by the credentials is said to have been abused to push an orphaned, unsigned commit to nrwl/nx, which introduces the stealer malware. The malicious action is triggered as soon as a developer opens any workspace in VS Code, leading to the installation of the Bun JavaScript runtime to run an obfuscated index.js payload. The malware runs checks to avoid infecting machines likely located in the Russian/CIS time zones and launches itself as a detached background process to kick off the credential harvesting workflow, allowing it to retrieve secrets."
"The extension in question is rwl.angular-console (version 18.95.0), a popular user interface and plugin for code editors like VS Code, Cursor, and JetBrains. The VS Code extension has more than 2.2 million installations. The Open VSX version has not been affected by the incident."
"In an advisory issued Monday, the maintainers of the extension said the root cause has been traced to one of its developers, whose machine was compromised in a recent security incident that leaked their GitHub credentials. Although the nature of the prior incident was not disclosed, the developer's credentials have since been temporarily revoked."
A compromised build of the Nx Console extension, rwl.angular-console 18.95.0, was published to the VS Code Marketplace; the VS Code listing has more than 2.2 million installs, while the Open VSX build was not affected. When a developer opens any workspace, the extension installs the Bun JavaScript runtime and uses it to run an obfuscated index.js payload fetched from a dangling orphan commit hidden in the official nrwl/nx GitHub repository. The payload is a multi-stage credential stealer and supply chain poisoning tool: it skips machines that appear to be in Russian/CIS time zones, relaunches itself as a detached background process, harvests developer secrets, and exfiltrates them over HTTPS, the GitHub API, and DNS tunneling. On macOS it also installs a Python backdoor that uses the GitHub Search API as a dead drop resolver for further commands. The maintainers traced the root cause to a developer whose machine was compromised in an earlier incident that leaked their GitHub credentials; those credentials were used to push the unsigned orphan commit and have since been temporarily revoked.
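The first question a practitioner has after reading the above is whether the affected version is installed on their machines. The following triage helper is an added example, not code from the Nx project or from The Hacker News: it parses VS Code's `extensions.json` (the inventory file VS Code keeps in its extensions directory, and which Cursor keeps in its own extensions directory) and flags any installed extension whose name and version match an IOC list. The extension name and version in `IOCS` are taken from the summary as printed and are assumptions to be confirmed against the maintainers' advisory; the match is deliberately publisher-agnostic so that a differently rendered publisher prefix or a re-published copy under another publisher is still caught. The sample inventory is constructed for the example.

```python
"""Triage helper: find an IOC-listed extension version in a VS Code-style
extensions.json inventory. Added example; not the project's own code."""
import json
from pathlib import Path

# IOC list of (extension name without publisher prefix, affected version).
# Assumption: values as printed in the summary above; confirm with the advisory.
IOCS = [("angular-console", "18.95.0")]

# Default inventory locations for VS Code and Cursor (assumed, per-user paths).
DEFAULT_EXTENSION_DIRS = [
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".cursor" / "extensions",
]


def parse_extensions_json(text: str) -> list[dict]:
    """Parse extensions.json: a JSON array of records, each carrying
    identifier.id ("publisher.name"), version and relativeLocation."""
    records = []
    for entry in json.loads(text):
        ident = entry.get("identifier", {}).get("id", "")
        publisher, _, name = ident.rpartition(".")
        records.append({
            "publisher": publisher.lower(),
            "name": name.lower(),
            "version": entry.get("version", ""),
            "location": entry.get("relativeLocation", ""),
        })
    return records


def find_iocs(records: list[dict], iocs=IOCS) -> list[dict]:
    """Return records whose name and exact version match an IOC entry.
    Matching ignores the publisher so a re-published copy is still flagged."""
    wanted = {(name.lower(), version) for name, version in iocs}
    return [r for r in records if (r["name"], r["version"]) in wanted]


def scan_extensions_dir(ext_dir) -> list[dict]:
    """Scan one extensions directory; a missing inventory yields no hits."""
    inventory = Path(ext_dir) / "extensions.json"
    if not inventory.is_file():
        return []
    return find_iocs(parse_extensions_json(inventory.read_text(encoding="utf-8")))


# Constructed sample inventory (not captured from a real machine).
SAMPLE_INVENTORY = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2024.22.0",
     "relativeLocation": "ms-python.python-2024.22.0"},
    {"identifier": {"id": "rwl.angular-console"}, "version": "18.95.0",
     "relativeLocation": "rwl.angular-console-18.95.0"},
    {"identifier": {"id": "rwl.angular-console"}, "version": "18.94.0",
     "relativeLocation": "rwl.angular-console-18.94.0"},
])


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on the real default directories.
    for hit in find_iocs(parse_extensions_json(SAMPLE_INVENTORY)):
        print(f"[sample] IOC match: {hit['publisher']}.{hit['name']} {hit['version']} "
              f"at {hit['location']}")
    for ext_dir in DEFAULT_EXTENSION_DIRS:
        for hit in scan_extensions_dir(ext_dir):
            print(f"[{ext_dir}] IOC match: {hit['publisher']}.{hit['name']} "
                  f"{hit['version']} at {hit['location']}")
```

A hit only tells you the extension is installed, not whether the payload ran; since the summary says execution is triggered on opening a workspace, a matching install on a machine that has opened any workspace should be treated as compromised, with GitHub and other developer credentials rotated.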
#supply-chain-attacks #vs-code-extensions #credential-theft #github-compromise #malware-exfiltration
Read at The Hacker News