Nx Console 18.95.0: Compromised VS Code Extension
Nx Console 18.95.0, a widely used VS Code extension for Nx monorepo development, was distributed as a compromised package containing a credential stealer. Attackers managed to publish a malicious version through the official extension channel, putting thousands of developers at risk without any obvious warning signs. Supply chain attacks targeting IDE extensions are becoming a reliable vector precisely because developers trust their tooling implicitly.
How the Nx Console Supply Chain Attack Worked
The attackers published version 18.95.0 of the Nx Console extension with malicious code embedded alongside the legitimate functionality. The extension continued to work normally, which is standard practice for this type of attack. Keeping the tool functional reduces suspicion and extends the window for credential harvesting.
Once installed, the malicious code targeted stored credentials, environment variables, and authentication tokens accessible within the VS Code process context. Extensions run with significant privileges inside the editor. They can read workspace files, access environment variables passed into the terminal, and interact with secrets managers or .env files that developers routinely use during local development. That access makes a rogue extension an extremely efficient credential harvesting tool.
The attack follows a pattern seen with npm and PyPI package hijacks, but applied directly to the VS Code Marketplace. An account compromise or a supply chain pivot at the publisher level is likely the entry point, though full details on the initial compromise vector are still emerging.
Who Is at Risk
Any developer who installed or auto-updated to Nx Console 18.95.0 is potentially affected. VS Code extensions update silently by default. A developer who had a previous clean version installed could have received the malicious build without any manual action on their part.
The credential stealer likely targeted cloud provider tokens (AWS, GCP, Azure), Git credentials, SSH keys, and .env files. Monorepo developers working with Nx often have elevated access across multiple services and deployment pipelines, which makes them high-value targets. A single compromised set of credentials in this context can cascade into a full infrastructure breach.
Immediate Steps to Protect Your Development Environment
First, check your installed extension version. If you have 18.95.0 installed, remove it immediately and roll back to the last known-good version or wait for the Nx team to publish a verified clean release.
Rotate credentials. Any secrets, tokens, or API keys that existed in your workspace during the window when 18.95.0 was active should be treated as compromised. That includes environment variables, cloud CLI credentials cached locally, and any .env files that were open or readable.
Audit your extension list broadly. This incident is a good forcing function to review every installed VS Code extension and remove anything you are not actively using. Check the VS Code extension security best practices for a structured approach.
Disable auto-updates for extensions in environments where you are handling sensitive credentials. This trades convenience for a manual review step before any extension version change takes effect.
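The version check from the first step can be run against the extension folders on disk, which also covers Insiders and remote-server installs that the Extensions panel of one window does not show. This is an added example, not code from the Nx project or the original article. The extension ID `nrwl.angular-console`, the default folder locations, and the helper `make_sample_extension` are assumptions not stated on the page.

```python
import json
import tempfile
from pathlib import Path

# Assumption: Nx Console's Marketplace ID; the page does not state it.
TARGET_ID = "nrwl.angular-console"
BAD_VERSIONS = {"18.95.0"}  # the version named in this article
# Assumption: default per-user extension folders (desktop, Insiders, remote).
DEFAULT_ROOTS = tuple(Path.home() / d / "extensions"
                      for d in (".vscode", ".vscode-insiders", ".vscode-server"))

def installed_extensions(root):
    """Yield (extension_id, version, folder) for every extension under root."""
    root = Path(root)
    if not root.is_dir():
        return
    for manifest in sorted(root.glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            ext_id = f"{meta['publisher']}.{meta['name']}".lower()
            yield ext_id, str(meta["version"]), manifest.parent
        except (OSError, ValueError, KeyError, TypeError):
            continue  # unreadable or malformed manifest: skip it

def find_compromised(roots=DEFAULT_ROOTS, target=TARGET_ID, bad=BAD_VERSIONS):
    """Return folders that hold the target extension at a known-bad version."""
    return [folder for root in roots
            for ext_id, version, folder in installed_extensions(root)
            if ext_id == target and version in bad]

def make_sample_extension(root, publisher, name, version):
    """Create a constructed extension folder (demo and test data only)."""
    folder = Path(root) / f"{publisher}.{name}-{version}"
    folder.mkdir(parents=True)
    manifest = {"publisher": publisher, "name": name, "version": version}
    (folder / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return folder

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample install
        make_sample_extension(tmp, "nrwl", "angular-console", "18.95.0")
        make_sample_extension(tmp, "example", "linter", "1.2.3")
        for hit in find_compromised(roots=[tmp]):
            print(f"constructed sample flagged: {hit.name}")
    for hit in find_compromised():  # the real per-user folders
        print(f"REMOVE, then rotate credentials: {hit}")
```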
Detecting Malicious Extension Behavior
Runtime behavior analysis is difficult inside VS Code, but some signals are worth watching. Unexpected network connections from the Code process, unusual file access patterns in your home directory, or new outbound connections to unfamiliar endpoints during editor startup are indicators worth investigating. Endpoint detection tools that log process-level network activity can catch this.
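The process-level network signal described above can be turned into a simple triage rule. This is an added example, not part of the original article: the JSON-lines log format, the process names, the allowlist and the 60-second startup window are all assumptions, and the sample events are constructed.

```python
import json
from datetime import datetime

# Assumption: process names an endpoint agent reports for VS Code.
EDITOR_PROCS = {"code", "code.exe", "code helper", "code helper (plugin)"}
# Assumption: illustrative allowlist of expected destinations; tune per site.
ALLOWED_SUFFIXES = ("visualstudio.com", "vscode-cdn.net", "github.com")
STARTUP_WINDOW_S = 60  # constructed threshold for "during editor startup"

# Constructed events in a hypothetical JSON-lines export (not real telemetry).
SAMPLE_LOG = """\
{"ts": "2000-01-01T09:00:02", "proc": "Code", "proc_start": "2000-01-01T09:00:00", "dest": "marketplace.visualstudio.com"}
{"ts": "2000-01-01T09:00:05", "proc": "Code", "proc_start": "2000-01-01T09:00:00", "dest": "collector.example.net"}
{"ts": "2000-01-01T09:00:06", "proc": "Code Helper (Plugin)", "proc_start": "2000-01-01T09:00:01", "dest": "visualstudio.com.example.net"}
{"ts": "2000-01-01T11:30:00", "proc": "Code", "proc_start": "2000-01-01T09:00:00", "dest": "files.example.org"}
{"ts": "2000-01-01T09:00:07", "proc": "curl", "proc_start": "2000-01-01T09:00:07", "dest": "collector.example.net"}
"""

def is_allowed(host):
    """Match on a DNS label boundary so look-alike hosts are not trusted."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def detect(log_text):
    """Return alerts for editor connections to hosts off the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            proc, dest = str(ev["proc"]), str(ev["dest"])
            age = (datetime.fromisoformat(ev["ts"])
                   - datetime.fromisoformat(ev["proc_start"])).total_seconds()
        except (ValueError, KeyError, TypeError):
            continue  # malformed event: skip it
        if proc.lower() in EDITOR_PROCS and not is_allowed(dest):
            alerts.append({"ts": ev["ts"], "proc": proc, "dest": dest,
                           "at_startup": 0 <= age <= STARTUP_WINDOW_S})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```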
Run a web vulnerability scan on your exposed services to check whether any credentials harvested from your environment have already been used to probe or alter your infrastructure.
FAQ
How do I know if I installed the compromised Nx Console 18.95.0?
Open VS Code, go to the Extensions panel, find Nx Console, and check the installed version. If it shows 18.95.0, remove it immediately and rotate any credentials accessible from your development environment.
Does uninstalling the extension remove the threat?
Uninstalling stops future execution of the malicious code, but it does not undo any credential theft that already occurred. Treat all secrets present during the infection window as compromised and rotate them.
Are other Nx tools or the Nx CLI affected?
Current reporting points specifically to the Nx Console VS Code extension at version 18.95.0. The Nx CLI installed via npm appears unaffected, but monitor official Nx communications for updates as the investigation continues.