A compromised version of the Nx Console VS Code extension, version 18.95.0, published as rwl[.]angular-console, has been linked to a credential stealer and supply chain attack.
The extension, with more than 2.2 million installations on the VS Code Marketplace, allegedly fetched a 498 KB obfuscated payload within seconds of a developer opening a workspace, triggering a multi-stage tool that harvests secrets and exfiltrates them over HTTPS, the GitHub API and DNS tunnelling, while also installing a Python backdoor on macOS.
The incident trace points to a compromised developer's GitHub credentials, with the root cause being that developer's machine; the official advisory notes that the credentials have since been temporarily revoked. Affected users are urged to update to 18.100.0 or later, terminate related processes, delete artefacts, and rotate all credentials reachable from the affected machine; the Open VSX version of the extension is not affected.
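As an added example (not from the advisory or the Nx project), the following Python script shows how a defender can triage a VS Code extension inventory against the version numbers given above. It reads the `extensions.json` inventory that VS Code keeps under its extensions directory (the `identifier.id` / `version` layout is assumed here) and classifies each entry as compromised (exactly 18.95.0), outdated (anything below 18.100.0), or fixed. The extension identifier `nrwl.angular-console` is an assumption, since the summary only shows it in defanged form. The one detail worth noting is the version comparison: `18.100.0` must be compared numerically, because a plain string comparison would rank `18.95.0` above it and mark the compromised build as up to date.

```python
"""Triage installed VS Code extensions against the Nx Console advisory versions."""
import json
from pathlib import Path

COMPROMISED_VERSION = "18.95.0"   # version named in the advisory summary
FIXED_VERSION = "18.100.0"        # first release users are told to move to
# Assumed extension identifier; the summary shows it only in defanged form.
EXTENSION_ID = "nrwl.angular-console"


def parse_version(version: str) -> tuple:
    """Numeric tuple so that 18.100.0 sorts after 18.95.0 (string order gets this wrong)."""
    return tuple(int(part) for part in version.split("."))


def classify(ext_id: str, version: str) -> str:
    """Return 'compromised', 'outdated', 'fixed' or 'other' for one inventory entry."""
    if ext_id.lower() != EXTENSION_ID:
        return "other"
    installed = parse_version(version)
    if installed == parse_version(COMPROMISED_VERSION):
        return "compromised"
    if installed < parse_version(FIXED_VERSION):
        return "outdated"
    return "fixed"


def scan_entries(entries: list) -> dict:
    """Map each installed 'id@version' to its classification."""
    report = {}
    for entry in entries:
        ext_id = entry.get("identifier", {}).get("id", "")
        version = entry.get("version", "0")
        report[f"{ext_id}@{version}"] = classify(ext_id, version)
    return report


def scan_vscode_extensions(extensions_dir: Path) -> dict:
    """Load the extensions.json inventory (assumed layout: a list of objects with
    'identifier': {'id': ...} and 'version') from the given directory and classify it."""
    inventory = extensions_dir / "extensions.json"
    with inventory.open(encoding="utf-8") as fh:
        return scan_entries(json.load(fh))


# Constructed sample inventory, shaped like ~/.vscode/extensions/extensions.json.
SAMPLE_INVENTORY = [
    {"identifier": {"id": "nrwl.angular-console"}, "version": "18.95.0"},
    {"identifier": {"id": "ms-python.python"}, "version": "2024.14.1"},
]


if __name__ == "__main__":
    # Run against the sample; replace with scan_vscode_extensions(Path.home() / ".vscode/extensions")
    # to inspect a real install.
    for key, verdict in scan_entries(SAMPLE_INVENTORY).items():
        print(f"{key}: {verdict}")
```

Any entry reported as `compromised` or `outdated` is a machine where the full advisory steps apply (update, terminate related processes, delete artefacts, rotate every credential reachable from that host), not just the update.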
The advisory also reveals that the stealer was introduced through an orphaned commit, and that the payload includes full Sigstore integration, including Fulcio certificate issuance and SLSA provenance generation.