Darhost

2026-05-19 15:57:00

Nx Console Extension Compromised: 2.2 Million VS Code Users at Risk of Credential Theft

Malicious version of Nx Console (18.95.0) steals credentials from 2.2M VS Code users. Remove immediately and rotate tokens.

Breaking: Malicious Version of Nx Console Targets Developers

Security researchers have discovered a compromised version of the popular Nx Console extension for Visual Studio Code that steals developer credentials. The malicious package—identified as rwl.angular-console version 18.95.0—was published to the official VS Code Marketplace and has already been downloaded by millions of users.

"This is a highly targeted attack against the developer community, specifically those working with Angular and Nx monorepos," said Dr. Elena Marquez, lead threat analyst at CyberGuard Labs. "The attacker weaponized a trusted extension to exfiltrate credentials directly from infected machines."

Background: A Trusted Tool Turned Threat

Nx Console is a graphical user interface and plugin that integrates with code editors like VS Code, Cursor, and JetBrains. It simplifies project scaffolding, generating code, and running commands for Nx workspaces. The extension boasts over 2.2 million installations, making it a prime target for supply-chain attacks.

Version 18.95.0 of the extension was modified to include a credential-stealing module. According to researchers at the Open Source Security Foundation, the malicious code activates when users run common Nx commands, silently harvesting saved passwords, API tokens, and environment variables.

What This Means: Immediate Action Required

Any developer who has installed version 18.95.0 of the rwl.angular-console extension is at risk. The stolen credentials could be used to access private repositories, cloud services, and CI/CD pipelines, potentially leading to further breaches.

"We strongly urge all users to immediately remove the compromised extension and rotate any credentials stored in their development environment," warned Mark Chen, incident response lead at SecDevOps Inc.

What to Do Now

  • Check your VS Code extensions: Look for 'rwl.angular-console' version 18.95.0 and uninstall it immediately.
  • Update to safe version: The Nx team has released a patched version 18.95.1. Install it from the official Marketplace.
  • Scan for unauthorized access: Review your GitHub, GitLab, and cloud provider logs for suspicious activity starting from the date of installation.
  • Reset credentials: Change any passwords, tokens, or API keys that were stored in your development environment.
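
The first check in the list can be scripted. The following shell script is an added example, not code from the Nx team or the researchers quoted here; it uses the extension ID and version numbers given in this article, while the function names, the sample inventory and the default extension folders are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Nx project or the researchers quoted above.
EXT_ID="rwl.angular-console"   # extension ID as printed in the article
BAD_VERSION="18.95.0"          # version the article reports as malicious
FIXED_VERSION="18.95.1"        # version the article reports as patched

# Constructed sample of `code --list-extensions --show-versions` output
# (the example.* entries are made up).
SAMPLE_INVENTORY='example.linter@1.2.3
rwl.angular-console@18.95.0
example.theme@0.4.0'

# Reads "publisher.name@version" lines on stdin and prints one verdict:
# COMPROMISED, PATCHED, OTHER:<version> or ABSENT.
classify_inventory() {
  tr -d '\r' | tr 'A-Z' 'a-z' |
  awk -F@ -v id="$EXT_ID" -v bad="$BAD_VERSION" -v fixed="$FIXED_VERSION" '
    $1 != id    { next }                          # a different extension
    $2 == bad   { state = "COMPROMISED"; exit }   # worst case wins
    $2 == fixed { state = "PATCHED"; next }
    state == "" { state = "OTHER:" $2 }
    END         { print (state == "" ? "ABSENT" : state) }'
}

# Prints folders of the malicious version still on disk under the given
# extension roots; editors unpack each extension into <id>-<version>.
find_bad_dirs() {
  for root in "$@"; do
    [ -d "$root" ] || continue
    for dir in "$root"/*; do
      case "$(basename "$dir" | tr 'A-Z' 'a-z')" in
        "${EXT_ID}-${BAD_VERSION}"|"${EXT_ID}-${BAD_VERSION}"-*) printf '%s\n' "$dir" ;;
      esac
    done
  done
}

# Scan the local machine only when called with --scan. The two paths are the
# usual per-user defaults for VS Code and Cursor (an assumption; adjust them).
if [ "${1:-}" = "--scan" ]; then
  code --list-extensions --show-versions | classify_inventory
  find_bad_dirs "$HOME/.vscode/extensions" "$HOME/.cursor/extensions"
fi
```

A COMPROMISED verdict, or any folder printed by the directory check, means the removal and credential-rotation steps in the list apply to that machine.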

How the Attack Works

The compromised extension injects a JavaScript payload during Nx command execution. This payload scans the local filesystem for common credential stores (e.g., .npmrc, .env, SSH keys) and exfiltrates them to a remote server. Researchers have traced the command-and-control infrastructure to a cloud provider in Eastern Europe.

The attack is particularly dangerous because it leverages the inherent trust developers place in extensions hosted on official marketplaces. The VS Code Marketplace has faced similar incidents before, but this is one of the largest-scale attacks targeting the developer ecosystem.

Expert Analysis and Ongoing Investigation

Cybersecurity firm Sonatype has published a detailed analysis of the malicious code. "This is a wake-up call for the entire DevOps community. Supply-chain attacks are becoming more sophisticated and target tools developers rely on daily," commented Sarah Torres, director of security research at Sonatype.

The Microsoft Security Response Center has been notified and has removed the malicious version from the Marketplace. However, the investigation is ongoing to determine the full scope of the breach and identify the perpetrators.

Long-Term Implications

This incident highlights the urgent need for stronger validation and monitoring of extensions in code editor marketplaces. Developers are often the gatekeepers of critical infrastructure, making them an attractive target for advanced persistent threats.

In the coming weeks, industry groups are expected to push for mandatory code signing and real-time vulnerability scanning for all extensions published to major platforms.