VERSION 18.95.0 of the Nx Console VS Code extension (nrwl[.]angular-console), published to the VS Code Marketplace, was found to contain malicious code that targets developer credentials, cloud infrastructure tokens, and CI/CD secrets. The compromised release, which affected users after an auto-update, was published outside the project's normal CI/CD pipeline and appears to have been introduced via stolen publishing credentials (VSCE_PAT).
The payload runs an obfuscated script on workspace activation and is linked to a dangling orphan commit on the nrwl/nx GitHub repository that is unsigned and not reachable from any branch. The researchers note this as the second major supply chain attack against the Nx ecosystem in under a year, following an August 2025 incident involving the nx npm package and several plugins.
Open VSX was not affected, and remediation guidance recommends updating to version 18.100.0 or later and rotating credentials, as well as auditing CI/CD environments and inspecting for persistence mechanisms and other indicators of compromise.