A compromised version of the Nx Console extension distributed through the Microsoft VS Code Marketplace infected developers with a credential stealer. The malicious extension, rwl.angular-console version 18.95.0, reached over 2.2 million installations before security researchers identified the threat.
Nx Console serves as a user interface and plugin for popular development environments including VS Code, Cursor, and JetBrains IDEs. The extension simplifies access to Nx monorepo tools and commands, making it a widely trusted component in developer workflows.
The compromised build contained malicious code designed to harvest credentials from affected systems. Developers using version 18.95.0 faced exposure of authentication tokens, API keys, and other sensitive authentication material stored in their development environments.
The attack vector exploited the trust developers place in established marketplace extensions. By targeting a legitimate, widely used tool, threat actors maximized potential impact across development teams. Developers typically grant extensions broad system access to function properly, creating ideal conditions for credential theft.
Microsoft removed the malicious version from the VS Code Marketplace following the disclosure. However, any developer who installed version 18.95.0 during the compromise window faces potential credential exposure. The threat extends beyond individual developers to entire organizations, as compromised credentials provide attackers pathways into corporate repositories, infrastructure, and cloud services.
Organizations should treat this incident as urgent. Development teams must immediately audit extension installations across their workforce and verify that users have upgraded to patched versions. Security teams should scan for suspicious activity tied to compromised developer accounts, including unauthorized repository access, secret exfiltration, or lateral movement attempts.
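One way to run the extension audit described above over a set of user home directories, as an added example that is not from the original article or the Nx project. The extension directory locations and the folder-name layout are assumptions about default installs; the extension ID and version are used exactly as this article gives them.

```python
import re
from pathlib import Path

# Extension ID and version exactly as stated in this article; extend the map
# from the advisory you are working from.
FLAGGED = {"rwl.angular-console": {"18.95.0"}}

# Assumed default per-user extension directories (not taken from the article).
DEFAULT_ROOTS = [".vscode/extensions", ".vscode-insiders/extensions",
                 ".vscode-server/extensions", ".cursor/extensions"]

# Assumed folder layout: <publisher>.<name>-<version>[-<platform>]
DIR_RE = re.compile(r"^(?P<id>[\w-]+\.[\w-]+?)-(?P<ver>\d+\.\d+\.\d+)(?:-[\w-]+)?$")


def parse_ext_dir(name):
    """Return (extension_id, version) for an extension folder name, else None."""
    m = DIR_RE.match(name)
    return (m["id"].lower(), m["ver"]) if m else None


def audit(home_dirs, flagged=FLAGGED, roots=DEFAULT_ROOTS):
    """Scan each home directory; return sorted (path, id, version, status) rows."""
    # "other-version" reflects what is on disk now. It does not show that the
    # flagged build was never installed during the compromise window.
    rows = []
    for home in map(Path, home_dirs):
        for root in roots:
            base = home / root
            if not base.is_dir():
                continue
            for entry in base.iterdir():
                parsed = parse_ext_dir(entry.name) if entry.is_dir() else None
                if not parsed or parsed[0] not in flagged:
                    continue
                ext_id, ver = parsed
                status = "FLAGGED" if ver in flagged[ext_id] else "other-version"
                rows.append((str(entry), ext_id, ver, status))
    return sorted(rows)


if __name__ == "__main__":
    for row in audit([Path.home()]):
        print("\t".join(row))
```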
Developers bear responsibility for verifying extension sources and monitoring updates. Version pinning and extension allowlisting policies help reduce exposure to compromised marketplace packages. This incident underscores the supply chain risks embedded in development tool ecosystems, where a single comprom
