On May 18, 2026, a poisoned version of the Nx Console Visual Studio Code extension — one of the most widely installed developer tools in the ecosystem, with more than 2.2 million installations — was published to the Microsoft VS Code Marketplace. The malicious version, v18.95.0, was live for approximately 11 minutes before the Nx team detected and removed it.

Eleven minutes was enough.

The compromised extension silently fetched a multi-stage credential-stealing payload, harvested tokens across six different platforms, and exfiltrated them over three independent channels. Security researchers have linked the attack to TeamPCP, the supply chain threat group currently conducting a broad campaign against developer infrastructure — the same group behind the Mini Shai-Hulud campaign, the SAP npm compromise, and the GitHub internal repository breach confirmed the following day.

What Happened in Those 11 Minutes

The malicious extension (published under nrwl.angular-console, the official Nx Console publisher ID) executed its attack within seconds of a developer opening any workspace in VS Code.

The payload retrieval was designed to be invisible: the extension fetched a 498 KB obfuscated payload not from an external command-and-control server — which would be obvious to network monitoring — but from a dangling orphan commit hidden inside the official nrwl/nx GitHub repository. Because the payload was fetched from a trusted, legitimate repository, outbound traffic appeared entirely normal.

Once fetched and executed, the payload conducted a systematic credential harvest across:

  • GitHub tokens — validated live against the GitHub API, with write-access tokens specifically prioritized
  • npm tokens — extracted from .npmrc configuration files
  • AWS credentials — from environment variables, credentials files, and instance metadata
  • HashiCorp Vault tokens
  • Kubernetes configuration and service account tokens
  • 1Password session tokens

Exfiltration used three simultaneous channels: HTTPS POST requests to attacker-controlled infrastructure, the GitHub API, and DNS tunneling — ensuring credential delivery even if one channel was blocked by a corporate firewall or proxy.
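Of the three channels, DNS tunneling is the one most often left unmonitored, because recursive DNS is rarely blocked outright. The following Python script is an added example, not anything from the incident report or StepSecurity's analysis: it runs a simple tunneling heuristic over constructed resolver log lines, grouping queries by registrable domain and flagging a domain once it has accumulated many distinct, long, high-entropy subdomains, which is how encoded credential data looks when it leaves over DNS. The log format, the thresholds and the domain `tunnel-example.test` are assumptions made for the example.

```python
import base64
import hashlib
import math
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Thresholds are assumptions chosen for this example, not values from the incident report.
MIN_UNIQUE_SUBDOMAINS = 20   # distinct subdomains seen under one registrable domain
MIN_MEAN_SUBDOMAIN_LEN = 40  # characters left of the registrable domain
MIN_MEAN_ENTROPY = 3.5       # bits per character of that part


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload chunks sit near 4-5 bits, real hostnames well below."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str) -> Tuple[str, str]:
    """Return (subdomain part, registrable domain). Assumes the last two labels form the
    registrable domain; a production tool would consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Assumed resolver log format: '<timestamp> <client> <qname> <qtype>'."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return parts[0], parts[1], parts[2], parts[3]


def detect_tunneling(lines: List[str]) -> Dict[str, Dict[str, float]]:
    """Return the registrable domains whose query pattern crosses every threshold,
    together with the statistics that triggered the verdict."""
    subdomains: Dict[str, set] = defaultdict(set)
    queries: Dict[str, int] = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, _, qname, _ = parsed
        sub, domain = split_qname(qname)
        queries[domain] += 1
        if sub:
            subdomains[domain].add(sub)
    flagged: Dict[str, Dict[str, float]] = {}
    for domain, subs in subdomains.items():
        if len(subs) < MIN_UNIQUE_SUBDOMAINS:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if mean_len >= MIN_MEAN_SUBDOMAIN_LEN and mean_ent >= MIN_MEAN_ENTROPY:
            flagged[domain] = {
                "queries": queries[domain],
                "unique_subdomains": len(subs),
                "mean_subdomain_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
            }
    return flagged


def constructed_sample_log() -> List[str]:
    """Constructed sample: 30 TXT queries carrying base32 chunks to one domain, plus ordinary lookups."""
    lines = []
    for i in range(30):
        digest = hashlib.sha256(f"chunk{i}".encode()).digest()
        chunk = base64.b32encode(digest).decode().rstrip("=").lower()
        lines.append(f"2026-05-18T12:40:{i:02d}Z 10.0.0.7 {chunk}.{i}.tunnel-example.test TXT")
    for name in ("www.github.com", "api.github.com", "marketplace.visualstudio.com", "registry.npmjs.org"):
        lines.append(f"2026-05-18T12:41:00Z 10.0.0.7 {name} A")
    return lines


if __name__ == "__main__":
    for domain, stats in detect_tunneling(constructed_sample_log()).items():
        print(f"suspect tunneling domain: {domain} {stats}")
```

The three conditions are deliberately conjunctive: a CDN hostname is short and low-entropy, a busy API endpoint has few distinct subdomains, and only encoded data scores high on all of them at once. Running it against real resolver logs means feeding the lines of your own format to `detect_tunneling` after adapting `parse_line`.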

On macOS, the payload also installed a persistent Python backdoor that used the GitHub Search API as a dead-drop command-and-control channel. Commands issued to the backdoor were signed with a 4096-bit RSA key and disguised as search queries, making the C2 traffic indistinguishable from normal GitHub API usage without deep packet inspection.

How the Extension Was Poisoned

The exact mechanism by which the attackers gained publish access to the official nrwl.angular-console publisher ID on the VS Code Marketplace has not been publicly confirmed. Three possibilities are standard in incidents of this type: direct compromise of a developer’s marketplace account credentials, a compromised CI/CD pipeline with publish permissions, or a supply chain attack on an upstream dependency used in the build process.

The concealment technique — fetching the payload from an orphan commit inside the legitimate nrwl/nx repository rather than an external server — suggests careful pre-planning. Orphan commits are a known technique for hiding payloads in trusted repositories: they are not attached to any branch and don’t appear in normal git history, but remain accessible to anyone who knows the commit SHA. The attacker either pushed the orphan commit using credentials obtained through an earlier compromise of the Nx GitHub organization, or embedded it via another method during the build pipeline.
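As an added example (not tooling from Nx, StepSecurity or GitHub), the following Python script audits a local git object store for commits that no branch or tag reaches, which is exactly the property that keeps an orphan commit out of normal history. It drives the real `git fsck --unreachable --no-reflogs` command and parses its output; the sample output at the bottom is constructed with placeholder object IDs. One caveat matters for this incident: fsck only sees objects present in the clone it runs on, and a fresh clone does not download unreachable objects, so a check like this has to run on the copy that received the push (the hosting side or a maintainer's long-lived clone), not on a new checkout of nrwl/nx.

```python
import re
import subprocess
from pathlib import Path
from typing import Dict, List

# One line per unreachable object: "unreachable <type> <object id>", where the id is a
# 40-hex SHA-1 or, in SHA-256 repositories, a 64-hex digest.
UNREACHABLE_RE = re.compile(r"^unreachable (commit|tree|blob|tag) ([0-9a-f]{40}|[0-9a-f]{64})$")


def parse_fsck_output(text: str) -> Dict[str, List[str]]:
    """Group object ids by type; lines that do not match are ignored rather than guessed at."""
    found: Dict[str, List[str]] = {"commit": [], "tree": [], "blob": [], "tag": []}
    for line in text.splitlines():
        m = UNREACHABLE_RE.match(line.strip())
        if m:
            found[m.group(1)].append(m.group(2))
    return found


def unreachable_objects(repo: Path) -> Dict[str, List[str]]:
    """Run fsck against a local repository; --no-reflogs stops reflog entries from
    counting as reachability, so recently rewritten commits are reported too."""
    result = subprocess.run(
        ["git", "-C", str(repo), "fsck", "--unreachable", "--no-reflogs"],
        capture_output=True, text=True, check=True)
    return parse_fsck_output(result.stdout)


def describe_commit(repo: Path, object_id: str) -> str:
    """Hash, author, date and subject of one commit, for triaging what an orphan contains."""
    result = subprocess.run(
        ["git", "-C", str(repo), "show", "-s", "--format=%H %an %ad %s", object_id],
        capture_output=True, text=True, check=True)
    return result.stdout.strip()


# Constructed sample of fsck output with placeholder object ids (not from the incident).
# The "dangling" line shows a line the parser deliberately does not match.
SAMPLE_FSCK_OUTPUT = """\
unreachable commit 0123456789abcdef0123456789abcdef01234567
unreachable blob 89abcdef0123456789abcdef0123456789abcdef
unreachable commit fedcba9876543210fedcba9876543210fedcba98
dangling tree 1111111111111111111111111111111111111111
"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        repo_path = Path(sys.argv[1])
        for sha in unreachable_objects(repo_path)["commit"]:
            print(describe_commit(repo_path, sha))
    else:
        print(parse_fsck_output(SAMPLE_FSCK_OUTPUT))
```

Any commit this reports in a repository that is supposed to be clean deserves a look at its author, date and tree; ordinary clones will also surface harmless leftovers from stashes and rebases, which is why the output is triaged with `describe_commit` rather than acted on blindly.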

StepSecurity, which published the initial technical analysis, noted that the attack shares infrastructure and payload characteristics with the broader Shai-Hulud / Mini Shai-Hulud campaign attributed to TeamPCP.

11 Minutes, 2.2 Million Potential Targets

The detection window — just 11 minutes between 12:36 and 12:47 UTC — limits the number of developers who were actively opening workspaces during that narrow slot. Not every one of the 2.2 million Nx Console users would have been affected. VS Code extensions with auto-update enabled would have received v18.95.0 automatically during that window; developers who updated manually or had not opened VS Code during those 11 minutes would not have executed the malicious version.

The actual impact pool is impossible to determine precisely. StepSecurity recommends that any developer who had VS Code open with the Nx Console extension during 12:36–12:47 UTC on May 18, 2026, treat their entire credential set as compromised.

What This Attack Tells Us About the VS Code Marketplace

The VS Code Marketplace has become a high-value attack surface for supply chain threat actors. With over 50,000 published extensions and hundreds of millions of installations, it represents one of the largest and most trusted software distribution channels in the developer ecosystem. Microsoft’s extension verification processes focus primarily on malware scanning of submitted packages — they are not designed to detect a legitimate publisher account being used to push a malicious update.

The Nx Console incident follows a pattern that has been repeating across developer ecosystems throughout 2026: attackers obtain publisher credentials, push a malicious version, harvest credentials from the brief exposure window, and rely on the trusted relationship between developer and tool to bypass suspicion. The GitHub internal repository breach — confirmed the day after the Nx Console incident — fits this exact pattern, with a GitHub employee installing a similarly poisoned VS Code extension that gave attackers their initial foothold.

Immediate Actions

  • Check your VS Code extension update history — if Nx Console v18.95.0 was installed at any point on May 18 between 12:36 and 12:47 UTC, rotate all credentials immediately
  • Rotate GitHub tokens — particularly any tokens with repository write access
  • Rotate AWS credentials and IAM keys — including any credentials that may have been in environment variables or credential files
  • Review Kubernetes kubeconfig files — any cluster access credentials on an affected machine should be considered exposed
  • Rotate 1Password session tokens and audit vault access logs for the May 18 window
  • Disable VS Code auto-update for extensions in high-security environments — or gate extension updates behind a review process
  • Audit installed VS Code extensions broadly — the Nx Console incident is unlikely to be isolated
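The following Python script is an added example (not StepSecurity's or Nx's tooling) that turns the harvest list earlier in the article and this checklist into a concrete inventory for one machine: which of the targeted credential stores exist on it, whether the poisoned extension version was ever unpacked into the VS Code extensions directory, and whether extension auto-update is still enabled. The default file locations for the Vault and GitHub CLI tokens and the `OP_SESSION_*` naming for 1Password CLI sessions are assumptions about common defaults; the script runs against a constructed throwaway home directory unless invoked with `--real`.

```python
import json
import os
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

MALICIOUS_EXTENSION = "nrwl.angular-console"
MALICIOUS_VERSION = "18.95.0"

# Files relative to the home directory, grouped by the credential family the payload harvested.
CREDENTIAL_FILES = {
    "npm token": [".npmrc"],
    "AWS credentials": [".aws/credentials", ".aws/config"],
    "Kubernetes config": [".kube/config"],
    "HashiCorp Vault token": [".vault-token"],      # assumed default of the vault CLI
    "GitHub token": [".config/gh/hosts.yml"],       # assumed default of the gh CLI
}
# Environment variable names, matched exactly or as a prefix (OP_SESSION_<account> is assumed).
CREDENTIAL_ENV_PREFIXES = {
    "GitHub token": ["GITHUB_TOKEN", "GH_TOKEN"],
    "npm token": ["NPM_TOKEN"],
    "AWS credentials": ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"],
    "HashiCorp Vault token": ["VAULT_TOKEN"],
    "Kubernetes config": ["KUBECONFIG"],
    "1Password session token": ["OP_SESSION"],
}


def default_settings_path(home: Path) -> Path:
    """VS Code user settings.json location per platform."""
    if sys.platform == "darwin":
        return home / "Library/Application Support/Code/User/settings.json"
    if sys.platform.startswith("win"):
        return Path(os.environ.get("APPDATA", str(home / "AppData/Roaming"))) / "Code/User/settings.json"
    return home / ".config/Code/User/settings.json"


def poisoned_version_unpacked(home: Path) -> bool:
    """VS Code unpacks extensions into ~/.vscode/extensions/<publisher>.<name>-<version>[-<platform>]."""
    ext_dir = home / ".vscode" / "extensions"
    if not ext_dir.is_dir():
        return False
    prefix = f"{MALICIOUS_EXTENSION}-{MALICIOUS_VERSION}"
    return any(p.name.startswith(prefix) for p in ext_dir.iterdir())


def auto_update_enabled(settings_path: Path) -> bool:
    """Only an explicit false disables auto-update; true and the "only..." variants still update."""
    if not settings_path.is_file():
        return True
    try:
        settings = json.loads(settings_path.read_text(encoding="utf-8"))
    except json.JSONDecodeError:  # settings.json may carry comments; treat unparsable as default
        return True
    return settings.get("extensions.autoUpdate", True) is not False


def exposure_report(home: Path, env: Dict[str, str], settings_path: Optional[Path] = None) -> Dict[str, List[str]]:
    """Map each credential family to the evidence found, plus extension and settings findings."""
    report: Dict[str, List[str]] = {}
    for family, rel_paths in CREDENTIAL_FILES.items():
        hits = [str(home / rel) for rel in rel_paths if (home / rel).is_file()]
        if hits:
            report.setdefault(family, []).extend(hits)
    for family, prefixes in CREDENTIAL_ENV_PREFIXES.items():
        hits = [n for n in env if any(n == p or n.startswith(p + "_") for p in prefixes)]
        if hits:
            report.setdefault(family, []).extend("env:" + n for n in hits)
    if poisoned_version_unpacked(home):
        report["Nx Console"] = [f"{MALICIOUS_EXTENSION} {MALICIOUS_VERSION} was unpacked: rotate everything above"]
    if auto_update_enabled(settings_path or default_settings_path(home)):
        report["VS Code settings"] = ['"extensions.autoUpdate" is not false']
    return report


def build_constructed_fixture(auto_update_setting="onlyEnabledExtensions") -> Path:
    """A throwaway home directory with constructed placeholder files, so the report runs offline."""
    home = Path(tempfile.mkdtemp(prefix="nx-audit-"))
    for rel in (".npmrc", ".aws/credentials", ".kube/config"):
        (home / rel).parent.mkdir(parents=True, exist_ok=True)
        (home / rel).write_text("# constructed placeholder, not a real credential\n")
    (home / ".vscode/extensions" / f"{MALICIOUS_EXTENSION}-{MALICIOUS_VERSION}").mkdir(parents=True)
    (home / "settings.json").write_text(json.dumps({"extensions.autoUpdate": auto_update_setting}))
    return home


if __name__ == "__main__":
    if "--real" in sys.argv:
        findings = exposure_report(Path.home(), dict(os.environ))
    else:
        fixture = build_constructed_fixture()
        sample_env = {"AWS_ACCESS_KEY_ID": "constructed", "OP_SESSION_acme": "constructed"}
        findings = exposure_report(fixture, sample_env, fixture / "settings.json")
    for family, evidence in findings.items():
        print(f"{family}: {', '.join(evidence)}")
```

The report only says where credentials live, not whether they were taken; since the payload harvested everything it could reach, every family it lists is a rotation task, and the settings finding is the one item that stays open until `"extensions.autoUpdate": false` (or a gated update process) is in place.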
