Compromised Nx Console VS Code Extension (v18.95.0) Harvests Developer Credentials
What Happened – A malicious fork of the popular Nx Console extension (rwl.angular‑console v18.95.0) was uploaded to the Visual Studio Code Marketplace. The package contains a hidden credential‑stealing module that captures API tokens, SSH keys, and other development credentials and exfiltrates them to an attacker‑controlled server.
Why It Matters for TPRM –
- Third‑party development tools can become a covert supply‑chain attack vector, compromising the credentials of your engineering teams.
- Stolen tokens often grant access to source‑code repositories, CI/CD pipelines, and cloud environments, amplifying downstream risk.
- The extension’s 2.2 M+ installations mean a broad exposure across many organizations, including those that rely on the vendor for critical build automation.
Who Is Affected – Software development firms, SaaS providers, fintech, health‑tech, and any organization that permits developers to install VS Code extensions from the public marketplace.
Recommended Actions –
- Immediately audit installed VS Code extensions and remove rwl.angular‑console v18.95.0.
- Rotate all credentials that may have been stored on affected developer machines (GitHub tokens, SSH keys, cloud API keys).
- Enforce a whitelist‑only policy for IDE extensions and monitor marketplace submissions for your critical tooling.
Technical Notes – The malicious code is delivered via a compromised NPM package that is bundled into the VS Code extension. It activates on extension load, reads credential files from typical locations (~/.ssh, ~/.npmrc, ~/.git-credentials), and sends them over HTTPS to a C2 domain. No CVE is associated because the vulnerability resides in the supply‑chain process, not a software flaw. Source: The Hacker News