Nx Console VS Code extension shipped credential stealer
Part of the Shai-Hulud hits npm and PyPI campaign
A compromised contributor published Nx Console 18.95.0 to the VS Code Marketplace and OpenVSX on 2026-05-18. The malicious build fetched an obfuscated payload that harvested Vault, npm, AWS, GitHub, 1Password, and SSH credentials and installed a Python LaunchAgent on macOS.
Story
Nine months after a high-profile worm called s1ngularity tore through the Nx ecosystem, a new attacker briefly published a malicious version of the popular Nx Console VS Code extension on the Visual Studio Marketplace and OpenVSX on May 18, 2026 — and according to StepSecurity, this one came a step closer to abusing Sigstore for legitimate-looking provenance attestations than any earlier supply-chain compromise.
Nx Console is a Visual Studio Code companion extension to the Nx build system. After the 2025 s1ngularity incident, Nrwl, the company behind Nx, added a manual-approval gate to the nx npm publish pipeline. Nx Console kept its older setup, in which a single organization member could publish a new extension version unattended. On May 18, an attacker used a stolen contributor credential to publish a malicious version 18.95.0 to both marketplaces.
According to Nrwl, the credential traced back to the TanStack Mini Shai-Hulud compromise a week earlier. That payload had stolen GitHub CLI tokens from a Nrwl developer's machine — enough access to run workflows on the Nx Console repository as a contributor and reach the extension publish step. The malicious build was live on the Visual Studio Marketplace for 18 minutes, from 12:30 to 12:48 UTC, and on OpenVSX for 36 minutes, from 12:33 to 13:09 UTC.
The extension fetched and ran an obfuscated, multi-channel credential stealer. StepSecurity, which published the most detailed dissection of the payload, said it harvested Vault tokens, .npmrc credentials, AWS metadata endpoints and Secrets Manager entries, GitHub ghp_, gho_, and ghs_ tokens, GitHub Actions secrets, 1Password CLI sessions, on-disk private keys, database connection strings, GCP service accounts, and Docker credentials. Exfiltration ran over HTTPS, through the GitHub API using the victim's own tokens, and over DNS. On Linux, the payload attempted sudoers injection. On macOS, it wrote ~/.local/share/kitty/cat.py and registered ~/Library/LaunchAgents/com.user.kitty-monitor.plist as a LaunchAgent.
StepSecurity also identified Sigstore-related code paths in the payload: requests for short-lived signing certificates from fulcio.sigstore.dev, log entries to rekor.sigstore.dev, and slsa.dev/provenance/v1 attestations through npm's OIDC trusted-publisher flow. With the right OIDC material and enough time on a runner, the attacker could in principle have published follow-on npm versions carrying genuine provenance attestations: not forged ones, but attestations Sigstore would correctly issue for a build that really did run in the legitimate repository's workflow. That is a meaningful escalation over earlier worms, whose packages carried no valid provenance and could be told apart by that absence. The exposure window closed before any such publish landed.
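What a provenance attestation would and would not have caught, as an added example (not StepSecurity's or Nrwl's code, and not npm's verifier): a policy check over a constructed SLSA v1 statement. The field layout follows the SLSA GitHub Actions workflow build type, but the package name, repository, workflow path and policy values are hypothetical and the statement is constructed here rather than taken from a real attestation. Signature and Rekor verification are assumed to have happened beforehand, for instance via `npm audit signatures`; this only evaluates what the verified statement says about where the build ran.

```python
"""Policy check over a SLSA v1 provenance statement (added example).

Not StepSecurity's or Nrwl's code. Assumes the bundle signature and Rekor
inclusion were already verified; evaluates only the statement's contents.
"""
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"
# Field layout assumed from the SLSA "github-actions workflow" build type;
# confirm against a real attestation before relying on these paths.
GHA_WORKFLOW_BUILDTYPE = ("https://slsa-framework.github.io/"
                          "github-actions-buildtypes/workflow/v1")

# Hypothetical publisher policy for a hypothetical package.
POLICY = {
    "repository": "https://github.com/example-org/example-pkg",
    "workflow_path": ".github/workflows/publish.yml",
    "ref": "refs/heads/main",
}


def make_statement(repository, path, ref):
    """Constructed in-toto statement; real ones carry more fields."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "pkg:npm/%40example-org/example-pkg@1.2.3",
                     "digest": {"sha512": "00" * 64}}],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": GHA_WORKFLOW_BUILDTYPE,
                "externalParameters": {
                    "workflow": {"ref": ref, "repository": repository, "path": path}},
            },
            "runDetails": {"builder": {
                "id": "https://github.com/actions/runner/github-hosted"}},
        },
    }


def check_provenance(statement, policy=POLICY):
    """Return (ok, reasons). Rejects builds from other repositories, refs or
    workflow files; cannot tell a legitimate run from one an attacker
    triggered in the same workflow with stolen contributor access."""
    reasons = []
    if statement.get("predicateType") != SLSA_V1:
        return False, ["unexpected predicateType %r" % statement.get("predicateType")]
    build = statement["predicate"]["buildDefinition"]
    if build.get("buildType") != GHA_WORKFLOW_BUILDTYPE:
        reasons.append("unexpected buildType %r" % build.get("buildType"))
    wf = build["externalParameters"]["workflow"]
    for key, policy_key in (("repository", "repository"),
                            ("path", "workflow_path"), ("ref", "ref")):
        if wf.get(key) != policy[policy_key]:
            reasons.append("%s %r not allowed by policy" % (key, wf.get(key)))
    return not reasons, reasons


def scenarios():
    """Four constructed cases, keyed by name."""
    legit = make_statement(POLICY["repository"], POLICY["workflow_path"], POLICY["ref"])
    fork = make_statement("https://github.com/attacker/example-pkg",
                          POLICY["workflow_path"], POLICY["ref"])
    odd_workflow = make_statement(POLICY["repository"], ".github/workflows/ci.yml",
                                  "refs/heads/feature")
    # Stolen contributor credential, real repo, real publish workflow, main
    # branch: the statement is indistinguishable from the legitimate one.
    stolen_cred = json.loads(json.dumps(legit))
    return {name: check_provenance(s) for name, s in
            [("legit", legit), ("fork", fork),
             ("odd_workflow", odd_workflow), ("stolen_cred", stolen_cred)]}


if __name__ == "__main__":
    for name, (ok, reasons) in scenarios().items():
        print(name, "PASS" if ok else "FAIL", reasons)
```

The last scenario is the one the paragraph describes: a publish triggered with a stolen contributor credential from the legitimate repository's own workflow on its protected branch produces a statement whose repository, workflow path and ref all satisfy policy (the source commit digest differs, but no policy knows in advance which commit is the bad one). Source-identity checks stop a fork or a rogue workflow file; they cannot stop this, which is why Nrwl's fix was a second approver on the publish step rather than stricter provenance.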
Microsoft and OpenVSX reported 28 and 41 downloads respectively for version 18.95.0. Nrwl's internal telemetry, however, counted roughly 6,000 extension activations from VS Code over the next two days. Nrwl shipped 18.100.0, added a two-admin approval step to Nx Console publishes to mirror the nx npm pipeline, and instructed affected users to update, kill any process running cat.py or started with __DAEMONIZED=1 in its environment, unload the LaunchAgent, delete the persistence files, and rotate every credential reachable from the machine.
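A host triage script for the persistence indicators and cleanup steps above, added here as an example (not Nrwl's advisory tooling or StepSecurity's code). It checks the file, LaunchAgent, scratch-file and process indicators listed under Indicators, reports what it finds, and returns the kill/unload/delete commands for review rather than running them. The procfs scan covers Linux only; macOS has no /proc, so there the process check is done by hand. The fixture tree it can build for a dry run is constructed data, not a real victim host.

```python
"""Host triage for the Nx Console 18.95.0 indicators on this page (added example).

Not Nrwl's or StepSecurity's tooling. Reports matches and returns the cleanup
commands the page's guidance maps to; never deletes or kills anything itself.
"""
import glob
import tempfile
from pathlib import Path

# Persistence and scratch paths from the Indicators section.
HOME_RELATIVE_IOCS = [
    ".local/share/kitty/cat.py",
    "Library/LaunchAgents/com.user.kitty-monitor.plist",
]
ABSOLUTE_IOCS = ["/var/tmp/.gh_update_state"]
GLOB_IOCS = ["/tmp/kitty-*"]


def scan_files(home, root="/"):
    """Indicator paths present under `home` (for ~ paths) and `root` (for
    absolute paths). `root` is a parameter so a fixture tree can be scanned."""
    home, root = Path(home), Path(root)
    hits = [str(home / rel) for rel in HOME_RELATIVE_IOCS if (home / rel).exists()]
    hits += [str(root / p.lstrip("/")) for p in ABSOLUTE_IOCS
             if (root / p.lstrip("/")).exists()]
    for pattern in GLOB_IOCS:
        hits += sorted(glob.glob(str(root / pattern.lstrip("/"))))
    return hits


def scan_processes(proc_root="/proc"):
    """Linux procfs scan: pids whose cmdline runs cat.py or whose environment
    carries __DAEMONIZED=1. Returns [] where procfs is absent (macOS)."""
    hits = []
    proc_root = Path(proc_root)
    if not proc_root.is_dir():
        return hits
    for entry in proc_root.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            cmdline = (entry / "cmdline").read_bytes().split(b"\0")
            environ = (entry / "environ").read_bytes().split(b"\0")
        except OSError:
            continue  # process exited, or environ not readable as this user
        if any(a.endswith(b"cat.py") for a in cmdline) or b"__DAEMONIZED=1" in environ:
            hits.append(int(entry.name))
    return sorted(hits)


def remediation(file_hits, pids):
    """Kill, unload the LaunchAgent, delete persistence, then rotate: the
    order the page's guidance gives, returned as strings for review."""
    cmds = ["kill -9 %d" % pid for pid in pids]
    cmds += ["launchctl unload %s" % p for p in file_hits if p.endswith(".plist")]
    cmds += ["rm -f %s" % p for p in file_hits]
    cmds.append("# then rotate every credential reachable from this machine")
    return cmds


def build_constructed_sample():
    """Constructed fixture, not victim data: fake home, /var/tmp, /tmp and
    procfs trees carrying the page's indicators, for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="nxconsole-ioc-"))
    for rel in ("home/.local/share/kitty/cat.py",
                "home/Library/LaunchAgents/com.user.kitty-monitor.plist",
                "var/tmp/.gh_update_state", "tmp/kitty-abc"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("")
    procs = {  # pid: (cmdline, environ), NUL-separated as procfs presents them
        "1": (b"init\0", b"PATH=/usr/bin\0"),
        "4242": (b"python3\0cat.py\0", b"HOME=/home/dev\0"),
        "4243": (b"python3\0/home/dev/.local/share/kitty/cat.py\0",
                 b"__DAEMONIZED=1\0HOME=/home/dev\0"),
    }
    for pid, (cmdline, environ) in procs.items():
        (root / "proc" / pid).mkdir(parents=True)
        (root / "proc" / pid / "cmdline").write_bytes(cmdline)
        (root / "proc" / pid / "environ").write_bytes(environ)
    return root


if __name__ == "__main__":
    files = scan_files(Path.home())
    pids = scan_processes()
    print("\n".join(remediation(files, pids)) if files or pids else "no indicators found")
```

Run it as the affected user first; `/proc/<pid>/environ` is only readable for your own processes, so a second pass as root catches a daemon that re-executed itself. Credential rotation is deliberately a comment, not a command: which secrets are reachable from a given machine is something the owner has to enumerate.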
Affected Artifacts
- Available on the Visual Studio Marketplace from 12:30 UTC to 12:48 UTC and on OpenVSX from 12:33 UTC to 13:09 UTC on 2026-05-18.
Incident Context
- Motive: Credential Theft
- Cause: Compromised Account Credentials
- Transitive: Yes
- User Impact: 6000
Indicators
- location (mirror): github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w
- location (mirror): github.com/nrwl/nx-console/issues/3139
- cve: CVE-2026-48027
- ghsa: GHSA-c9j4-9m59-847w
- file: ~/.local/share/kitty/cat.py
- file: ~/Library/LaunchAgents/com.user.kitty-monitor.plist
- file: /var/tmp/.gh_update_state
- file: /tmp/kitty-*
- command: python cat.py
- environment_variable: __DAEMONIZED=1
- domain: api.github.com
- domain: fulcio.sigstore.dev
- domain: rekor.sigstore.dev
- url: https://slsa.dev/provenance/v1
Notes
- Microsoft and OpenVSX reported 28 and 41 downloads for 18.95.0, but Nrwl's internal analytics counted roughly 6,000 extension activations in the two days following the incident. The impact users field uses the activation figure.
- Nrwl attributes the contributor compromise to the TanStack Mini Shai-Hulud incident a week earlier (see [[tanstack-router]]), which leaked GitHub CLI credentials and let the attacker reach the Nx Console publishing path.
- The earlier August 2025 s1ngularity attack on nx and @nrwl/nx packages is recorded separately as [[nx-build]]; that record's nx-console artifact covers extension exposure during the npm compromise, not this direct marketplace publish.
External References
- Nx Console VS Code Extension Compromised - StepSecurity (stepsecurity.io)
Source record: oss/attacks/nx-console/meta.yaml