A compromised version of the widely used Nx Console VS Code extension was published to the Visual Studio Code Marketplace on May 18, 2026, silently targeting developer credentials, cloud infrastructure tokens, and CI/CD pipeline secrets across thousands of machines.
The incident marks the second supply chain attack against the Nx ecosystem in under a year, raising serious concerns about the security of open-source developer tooling relied upon by millions worldwide.
Version 18.95.0 of the extension, identified as nrwl.angular-console, was pushed to the marketplace with malicious code hidden inside its bundled main.js file.
With over 2.2 million installations across the globe, the extension is a daily staple in many professional development environments.
Within seconds of a developer opening any workspace, the compromised extension silently fetched and ran a 498 KB obfuscated payload pulled from a hidden orphan commit buried deep inside the official nrwl/nx GitHub repository.
Researchers at StepSecurity identified the full attack and, in a report shared with Cyber Security News, provided a detailed breakdown of its complex, multi-stage infection chain.
The payload is described as a sophisticated credential stealer that reaches far beyond simple file theft, targeting GitHub tokens, npm credentials, AWS secrets, HashiCorp Vault tokens, Kubernetes configurations, and even 1Password vault items that were accessible through the command line.
The malicious version remained live for just eleven minutes before the Nx team detected the rogue publish and removed it from the marketplace at 12:47 UTC.
Despite that short window, the threat actor had designed the payload to operate with speed, daemonizing itself in the background and running multiple credential collectors simultaneously to maximize the volume of secrets harvested before anyone could intervene.
What makes this attack especially alarming is its use of Sigstore attestation logic, which could give the attacker the ability to publish downstream npm packages carrying valid, cryptographically signed provenance.
This means packages touched by the attacker could pass standard signature verification checks, potentially spreading the damage well beyond the developer machines that were directly exposed during the eleven-minute compromise window.
The attack started when a contributor’s GitHub personal access token was stolen during a separate, earlier supply chain incident.
Using that stolen token, the attacker pushed an orphan commit, referenced as 558b09d7, to the nrwl/nx repository at 03:18 UTC.
This commit had no parent commits and was completely unreachable from any branch, making it invisible to anyone who did not already know the exact SHA.
The orphan commit replaced the entire Nx monorepo with just two files: a package.json and a heavily obfuscated index.js payload.
At 12:36 UTC, the attacker then used stolen VS Code Marketplace publishing credentials to release the poisoned extension, which was configured to silently fetch and execute that hidden payload the moment a developer opened any workspace, all without showing any visible sign of unusual activity.
Credential Theft and Persistent Backdoor
The payload ran six specialized collector classes simultaneously, each built to harvest a different category of secrets.
On Linux systems, it also probed for passwordless sudo access, and if successful, injected a sudoers rule to establish persistent root-level access on the affected host.
On macOS, the payload installed a Python-based backdoor at ~/.local/share/kitty/cat.py, registered as a LaunchAgent to run automatically every hour.
This backdoor used the GitHub Search API as a covert command-and-control channel, polling for attacker-signed instructions every sixty minutes, an approach that blends in naturally with normal developer traffic and is unlikely to trigger alerts from corporate firewalls or endpoint detection tools.
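The dead-drop polling described above leaves a recognisable trace in egress proxy logs: the same client calling the GitHub commit search endpoint about once an hour. The following detection is an added example, not StepSecurity's or Nx's code; the log format (timestamp, client IP, method, URL) and every log line in it are constructed for illustration, so the parser must be adapted to a real proxy's format. It flags both the exact search marker from the IoC list and, more generally, any client hitting that endpoint at a steady hourly cadence, since an attacker can change the marker but the backdoor's sixty-minute schedule is the behaviour that stands out.

```python
"""Find the Nx Console backdoor's GitHub Search API dead-drop polling in egress
proxy logs. Added example, not StepSecurity's or Nx's code; the log format
(timestamp, client IP, method, URL) and the sample lines are constructed."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

DEAD_DROP_HOST = "api.github.com"
DEAD_DROP_PATH = "/search/commits"
DEAD_DROP_MARKER = "firedalazer"   # search string from the IoC list
POLL_SECONDS = 3600                # the backdoor polls every sixty minutes
TOLERANCE = 0.10                   # accept 10% jitter around that period
MIN_HITS = 3                       # at least two intervals before calling it a cadence

# Constructed sample log: one infected host (10.0.4.17), one developer doing
# ad-hoc searches (10.0.4.22), and one hourly poller without the known marker
# (10.0.4.30) that the cadence check should surface for review.
SAMPLE_LOG = """\
2026-05-18T13:01:02Z 10.0.4.17 GET https://api.github.com/search/commits?q=firedalazer
2026-05-18T13:05:00Z 10.0.4.17 GET https://api.github.com/repos/nrwl/nx/releases
2026-05-18T14:01:05Z 10.0.4.17 GET https://api.github.com/search/commits?q=firedalazer
2026-05-18T15:00:58Z 10.0.4.17 GET https://api.github.com/search/commits?q=firedalazer
2026-05-18T16:01:11Z 10.0.4.17 GET https://api.github.com/search/commits?q=firedalazer
2026-05-18T13:20:00Z 10.0.4.22 GET https://api.github.com/search/commits?q=repo:nrwl/nx+fix
2026-05-18T13:22:00Z 10.0.4.22 GET https://api.github.com/search/commits?q=repo:nrwl/nx+feat
2026-05-18T09:00:00Z 10.0.4.30 GET https://api.github.com/search/commits?q=author:me
2026-05-18T10:00:03Z 10.0.4.30 GET https://api.github.com/search/commits?q=author:me
2026-05-18T11:00:01Z 10.0.4.30 GET https://api.github.com/search/commits?q=author:me
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, parsed URL)."""
    ts, client, _method, url = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, urlparse(url)


def is_dead_drop_endpoint(url) -> bool:
    return url.hostname == DEAD_DROP_HOST and url.path == DEAD_DROP_PATH


def iter_records(log_text):
    for line in log_text.splitlines():
        if line.strip():
            yield parse_line(line)


def marker_clients(log_text):
    """Clients that searched for the exact marker the backdoor uses."""
    hits = set()
    for _ts, client, url in iter_records(log_text):
        if is_dead_drop_endpoint(url) and DEAD_DROP_MARKER in parse_qs(url.query).get("q", []):
            hits.add(client)
    return sorted(hits)


def hourly_pollers(log_text):
    """Clients hitting the search endpoint at a steady ~hourly cadence, whatever the query.

    Returns {client: number_of_requests} for every client whose consecutive
    requests are all within TOLERANCE of POLL_SECONDS apart."""
    per_client = defaultdict(list)
    for ts, client, url in iter_records(log_text):
        if is_dead_drop_endpoint(url):
            per_client[client].append(ts)
    flagged = {}
    for client, times in per_client.items():
        times.sort()
        if len(times) < MIN_HITS:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(abs(g - POLL_SECONDS) <= TOLERANCE * POLL_SECONDS for g in gaps):
            flagged[client] = len(times)
    return flagged


def analyze(log_text):
    return {"marker_clients": marker_clients(log_text),
            "hourly_pollers": hourly_pollers(log_text)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The marker match is the high-confidence signal; the cadence match is a triage queue, because legitimate automation can also poll hourly. In a SIEM the same two rules translate to an exact-match on the query string and a per-source time-delta aggregation over the endpoint.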
Anyone who had Nx Console installed with auto-update enabled and opened a workspace between 12:36 and 12:47 UTC on May 18 should treat their machine as fully compromised.
StepSecurity recommends updating immediately to version 18.100.0 or later, removing all persistence artifacts, killing orphaned background processes, and rotating every credential reachable from the affected machine, including GitHub tokens, npm tokens, SSH keys, AWS credentials, and any secrets that were held in process memory at the time of compromise.
Indicators of Compromise (IoCs)
Type | Indicator | Description
SHA-256 Hash | 1a4afce34918bdc74ae3f31edaffffaa0ee074d83618f53edfd88137927340b8 | Malicious VSIX file (v18.95.0)
SHA-256 Hash | b0cefb66b953e5184b6adb3035e9e267335ac5eabfe1848e07834777b9397b74 | Malicious main.js inside the VSIX
SHA-256 Hash | e7347d90653efc565f03733a95e9209d78f9cfa81e31ff2b2dd9d48d75a4b8b1 | Obfuscated payload index.js from orphan commit
SHA-256 Hash | 43f2b001846c4966073ebffa5be8f15e491a1e7d32bbd805d57406ff540e0dd9 | Dropper package.json from orphan commit
SHA-256 Hash | 228a2cf081d4cbea9b91cde14a8f9c4a4d003e7f32431496953fd6bac266f5a3 | Clean VSIX (v18.94.0) for reference comparison
SHA-256 Hash | cb86f4f223daa54467c7782a0d8607e9c84e2bb633e6f0e51d9a19579e200990 | Remediated VSIX (v18.100.0)
Git SHA | 558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2 | Malicious orphan commit in nrwl/nx
Git SHA | ba642fe2c7c65e42dd7f6444b83023dc6827e08c | Commit tree of orphan commit
Git SHA | acfc3f957a63b4cde93ff645f2b6bf26a8ed1bbf | index.js blob SHA
Git SHA | 9d88f040c44b5f4d5f9db15ff89310776c168e99 | package.json blob SHA
URL | api.github[.]com/search/commits?q=firedalazer | Python C2 backdoor dead-drop polling endpoint
IP Address | 169[.]254[.]169[.]254 | AWS IMDS endpoint queried for credential theft
IP Address | 169[.]254[.]170[.]2 | ECS container metadata endpoint targeted
IP Address | 127[.]0[.]0[.]1:8200 | HashiCorp Vault local endpoint targeted
Domain | fulcio[.]sigstore[.]dev | Used for Sigstore attestation forgery
Domain | rekor[.]sigstore[.]dev | Used for Sigstore transparency log entries
Domain | bun[.]sh/install | Bun runtime installation for payload execution
File Path | ~/.local/share/kitty/cat.py | Python C2 backdoor dropped on macOS/Linux
File Path | ~/Library/LaunchAgents/com.user.kitty-monitor.plist | macOS LaunchAgent for hourly persistence
File Path | /var/tmp/.gh_update_state | C2 anti-replay state file
File Path | /tmp/kitty-* | Temporary staging directories used by payload
Extension Version | nrwl.angular-console@18.95.0 | Compromised VS Code extension version
Environment Variable | __DAEMONIZED=1 | Set on daemonized malicious background process
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
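To turn the remediation guidance and the host-side indicators above into a repeatable check, the following triage script is an added example, not StepSecurity's or Nx's code. It looks for the dropped backdoor, the LaunchAgent, the anti-replay state file, the /tmp/kitty-* staging directories, the __DAEMONIZED=1 marker in process environments (Linux /proc layout) and an installed copy of the compromised extension version. Two things are assumptions rather than facts from the report: that VS Code installs extensions under ~/.vscode/extensions/<publisher>.<name>-<version>/, and the NOPASSWD scan of /etc/sudoers.d, which is a hunting heuristic because the article does not give the exact sudoers rule the payload injected. The home, root and proc directories are parameters so the same code can run against a mounted disk image or a test tree.

```python
"""Host triage for the compromised nrwl.angular-console 18.95.0 extension.

Added example, not StepSecurity's or Nx's code. Checks a home directory, a
filesystem root and a /proc-style directory for the indicators in the IoC
table. Assumptions: VS Code's ~/.vscode/extensions/<publisher>.<name>-<version>
layout, and the NOPASSWD sudoers scan, which is a heuristic because the
article does not state the injected rule.
"""
import re
from pathlib import Path

EXTENSION_ID = "nrwl.angular-console"
COMPROMISED_VERSION = "18.95.0"

# Relative to the user's home directory.
HOME_ARTIFACTS = [
    ".local/share/kitty/cat.py",                          # Python C2 backdoor
    "Library/LaunchAgents/com.user.kitty-monitor.plist",  # hourly LaunchAgent
]
# Relative to the filesystem root.
ROOT_ARTIFACTS = ["var/tmp/.gh_update_state"]            # C2 anti-replay state file
ROOT_GLOBS = ["tmp/kitty-*"]                              # payload staging directories
ENV_MARKER = b"__DAEMONIZED=1"                            # set on the daemonized process


def find_artifacts(home: Path, root: Path) -> list[str]:
    """Return known persistence/staging artifacts that exist on disk."""
    hits = [str(home / rel) for rel in HOME_ARTIFACTS if (home / rel).exists()]
    hits += [str(root / rel) for rel in ROOT_ARTIFACTS if (root / rel).exists()]
    if root.is_dir():
        for pattern in ROOT_GLOBS:
            hits += [str(p) for p in root.glob(pattern)]
    return sorted(hits)


def installed_compromised_extension(home: Path) -> list[str]:
    """Return extension folders matching the compromised release (assumed layout)."""
    ext_dir = home / ".vscode" / "extensions"
    if not ext_dir.is_dir():
        return []
    # Assumption: folders are named publisher.name-version, optionally -platform.
    pattern = re.compile(
        rf"^{re.escape(EXTENSION_ID)}-{re.escape(COMPROMISED_VERSION)}(-.*)?$")
    return sorted(str(p) for p in ext_dir.iterdir()
                  if p.is_dir() and pattern.match(p.name))


def daemonized_pids(proc: Path) -> list[int]:
    """PIDs whose environment carries __DAEMONIZED=1 (Linux /proc layout)."""
    if not proc.is_dir():
        return []
    pids = []
    for entry in proc.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            env = (entry / "environ").read_bytes()
        except OSError:
            continue  # process exited, or other users' environ needs root
        if ENV_MARKER in env.split(b"\0"):
            pids.append(int(entry.name))
    return sorted(pids)


def nopasswd_sudoers(root: Path) -> list[str]:
    """Heuristic: files under /etc/sudoers.d with an uncommented NOPASSWD grant."""
    sudoers_d = root / "etc" / "sudoers.d"
    if not sudoers_d.is_dir():
        return []
    hits = []
    for f in sudoers_d.iterdir():
        try:
            lines = f.read_text(errors="replace").splitlines()
        except OSError:
            continue
        if any("NOPASSWD" in ln and not ln.lstrip().startswith("#") for ln in lines):
            hits.append(str(f))
    return sorted(hits)


def triage(home: Path, root: Path = Path("/"), proc: Path = Path("/proc")) -> dict:
    """Run every check; any non-empty value means the host needs full remediation."""
    return {
        "artifacts": find_artifacts(home, root),
        "extension": installed_compromised_extension(home),
        "daemonized_pids": daemonized_pids(proc),
        "nopasswd_sudoers": nopasswd_sudoers(root),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(Path.home()), indent=2))
```

A clean result from this script does not prove a host is safe: the report's advice applies to any machine that had the extension with auto-update enabled and an open workspace during the eleven-minute window, and the process-environment check only sees the backdoor while it is running. Rotating every credential reachable from the host is still required regardless of what the scan finds.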