HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Compromised Nx Console VS Code Extension (v18.95.0) Harvests Developer Credentials

A malicious fork of the widely used Nx Console extension for VS Code was uploaded to the marketplace, embedding a credential stealer that captures API tokens, SSH keys, and other development secrets. With over 2.2 M installations, the threat poses a broad supply‑chain risk for any organization that allows developers to install third‑party IDE extensions.

LiveThreat™ Intelligence · 📅 May 19, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
thehackernews.com

Compromised Nx Console VS Code Extension (v18.95.0) Harvests Developer Credentials

What Happened – A malicious fork of the popular Nx Console extension (rwl.angular‑console v18.95.0) was uploaded to the Visual Studio Code Marketplace. The package contains a hidden credential‑stealing module that captures API tokens, SSH keys, and other development credentials and exfiltrates them to an attacker‑controlled server.

Why It Matters for TPRM

  • Third‑party development tools can become a covert supply‑chain attack vector, compromising the credentials of your engineering teams.
  • Stolen tokens often grant access to source‑code repositories, CI/CD pipelines, and cloud environments, amplifying downstream risk.
  • The extension’s 2.2 M+ installations mean a broad exposure across many organizations, including those that rely on the vendor for critical build automation.

Who Is Affected – Software development firms, SaaS providers, fintech, health‑tech, and any organization that permits developers to install VS Code extensions from the public marketplace.

Recommended Actions

  • Immediately audit installed VS Code extensions and remove rwl.angular‑console v18.95.0.
  • Rotate all credentials that may have been stored on affected developer machines (GitHub tokens, SSH keys, cloud API keys).
  • Enforce a whitelist‑only policy for IDE extensions and monitor marketplace submissions for your critical tooling.

Technical Notes – The malicious code is delivered via a compromised NPM package that is bundled into the VS Code extension. It activates on extension load, reads credential files from typical locations (~/.ssh, ~/.npmrc, ~/.git-credentials), and sends them over HTTPS to a C2 domain. No CVE is associated because the vulnerability resides in the supply‑chain process, not a software flaw. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →