On May 28, 2026, CISA released Alert AA26-138A detailing a critical supply chain compromise affecting the Nx Console—a popular VS Code extension for the Nx monorepo toolset—and associated GitHub repositories. This is not a theoretical vulnerability; it is an active exploitation event involving a nation-state threat actor capable of injecting malicious code into trusted software update mechanisms.
For defenders this is close to a worst-case scenario: a trusted development tool turned into a vehicle for credential theft and lateral movement. The attacker's objective is clear: harvest GitHub Personal Access Tokens (PATs), SSH keys, and cloud credentials, persist in victim environments, and pivot into source code repositories. Immediate containment, credential rotation, and artifact hunting are required.
Technical Analysis
Affected Products & Platforms:
- Nx Console (VS Code Extension): versions prior to v20.0.1.
- Nx DevKit (npm package @nx/devkit): versions 19.0.0 through 19.5.2.
- Platforms: Windows, macOS, and Linux workstations where VS Code and Node.js are installed.
CVE Identifier:
- CVE-2026-3011 (CVSS 9.8, Critical): Remote Code Execution (RCE) via malicious extension update mechanism.
Attack Chain & Mechanism:
- Initial Compromise: The threat actor compromised the build pipeline or publishing credentials for the Nx Console extension on the Visual Studio Marketplace and for the @nx/devkit npm package.
- Artifact Injection: A backdoored component was injected into the extension's auto-update routine. The component is obfuscated JavaScript designed to blend in with legitimate Node.js processes.
- Execution: The malicious script runs when the VS Code workspace is loaded or when npx nx is invoked.
- Objectives (TTPs):
  - Credential Theft: The script searches for and exfiltrates ~/.git-credentials, ~/.npmrc, and SSH private keys (id_rsa, id_ed25519).
  - GitHub Token Harvesting: It reads OAuth tokens stored in VS Code's storage (e.g., tokens.).
  - C2 Beaconing: It establishes a reverse shell or an HTTPS connection to actor-controlled infrastructure (IOCs listed below) to download further payloads.
Exploitation Status:
- Confirmed Active Exploitation: CISA has confirmed this vulnerability is being exploited in the wild targeting software development companies and critical infrastructure sectors.
- CISA KEV: Added to the Known Exploited Vulnerabilities Catalog with a due date of June 18, 2026.
Detection & Response
Sigma Rules
The following Sigma rules detect the suspicious process execution patterns associated with the backdoored extension and the unauthorized access to Git credentials.
---
title: Suspicious Child Process of VS Code Host
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects VS Code (Code.exe) spawning a shell or script interpreter, indicative of a malicious extension executing code. Nx Console itself runs under Node.js, so a shell launched directly by the editor host is anomalous outside the integrated terminal.
references:
    - https://www.cisa.gov/news-events/alerts/2026/05/28/supply-chain-compromises-impact-nx-console-and-github-repositories
author: Security Arsenal
date: 2026/05/29
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\Code.exe'
            - '\Code - Insiders.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
            - '\cscript.exe'
    filter:
        # Known benign launches (debug adapters, devtools); tighten or drop this filter in high-security environments
        CommandLine|contains:
            - 'devtools'
            - 'debug'
    condition: selection and not filter
falsepositives:
    - VS Code's integrated terminal launches powershell.exe or cmd.exe as a direct child of Code.exe, so expect volume on developer workstations; baseline the CommandLine of those launches and tune before alerting broadly
level: high
---
title: Non-Git Process Accessing Git Credentials
id: b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects processes other than git.exe, ssh-agent.exe, or VS Code reading .git-credentials, .npmrc, or _netrc, a behavior consistent with the Nx Console supply chain attack. node.exe is tolerated for .npmrc only; node.exe reading .git-credentials or _netrc still fires. Because Code.exe is excluded, reads performed inside the editor host itself are not caught; pair this rule with the process-creation rule above.
references:
    - https://www.cisa.gov/news-events/alerts/2026/05/28/supply-chain-compromises-impact-nx-console-and-github-repositories
author: Security Arsenal
date: 2026/05/29
tags:
    - attack.credential_access
    - attack.t1552.001
logsource:
    category: file_access
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\.git-credentials'
            - '\.npmrc'
            - '\_netrc'
    filter_legit:
        Image|endswith:
            - '\git.exe'
            - '\Code.exe'
            - '\ssh-agent.exe'
    filter_node_npmrc:
        # node.exe (npm/npx) legitimately reads .npmrc; any other credential file read by node is suspicious
        TargetFilename|contains: '\.npmrc'
        Image|endswith: '\node.exe'
    condition: selection and not filter_legit and not filter_node_npmrc
falsepositives:
    - Custom scripts managing git auth
    - Backup or endpoint agents that read every file in the user profile
level: high
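The two rules above interact through their filters (a shell filtered on "debug", node.exe tolerated for .npmrc but not for .git-credentials), and that interplay is easy to get wrong when translating them to a SIEM. The following is an added example, not code from the CISA alert or from Security Arsenal: a small evaluator that applies the same selection/filter logic to constructed, Sysmon-style events so the rules can be sanity-checked offline. The event records, paths and command lines are made up for this illustration.

```python
"""Added example: evaluate the two Sigma rules above against constructed events.
Not part of the advisory; the sample telemetry below is fabricated."""
from typing import Dict, List

Event = Dict[str, str]

SHELLS = ("\\powershell.exe", "\\cmd.exe", "\\wscript.exe", "\\cscript.exe")
VSCODE = ("\\Code.exe", "\\Code - Insiders.exe")
CRED_FILES = ("\\.git-credentials", "\\.npmrc", "\\_netrc")
CRED_FILTER_IMAGES = ("\\git.exe", "\\Code.exe", "\\ssh-agent.exe")
VSCODE_PATH = "C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"


def ends_with_any(value: str, suffixes) -> bool:
    """Sigma's |endswith is case-insensitive for Windows image paths."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def contains_any(value: str, needles) -> bool:
    """Sigma's |contains, case-insensitive."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def rule_vscode_child_shell(ev: Event) -> bool:
    """'Suspicious Child Process of VS Code Host': selection and not filter."""
    if ev.get("EventType") != "process_creation":
        return False
    selection = ends_with_any(ev.get("ParentImage", ""), VSCODE) and ends_with_any(ev.get("Image", ""), SHELLS)
    filt = contains_any(ev.get("CommandLine", ""), ("devtools", "debug"))
    return selection and not filt


def rule_nongit_cred_access(ev: Event) -> bool:
    """'Non-Git Process Accessing Git Credentials': node.exe is tolerated for .npmrc only."""
    if ev.get("EventType") != "file_access":
        return False
    target = ev.get("TargetFilename", "")
    image = ev.get("Image", "")
    selection = contains_any(target, CRED_FILES)
    filter_legit = ends_with_any(image, CRED_FILTER_IMAGES)
    filter_node_npmrc = contains_any(target, ("\\.npmrc",)) and ends_with_any(image, ("\\node.exe",))
    return selection and not filter_legit and not filter_node_npmrc


def evaluate(events: List[Event]) -> List[str]:
    """Titles of the rules that fire, in event order (one entry per hit)."""
    hits: List[str] = []
    for ev in events:
        if rule_vscode_child_shell(ev):
            hits.append("Suspicious Child Process of VS Code Host")
        if rule_nongit_cred_access(ev):
            hits.append("Non-Git Process Accessing Git Credentials")
    return hits


# Constructed sample telemetry (not real logs); comments state the expected verdict
SAMPLE_EVENTS: List[Event] = [
    {"EventType": "process_creation", "ParentImage": VSCODE_PATH,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},          # fires: hidden encoded shell
    {"EventType": "process_creation", "ParentImage": VSCODE_PATH,
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c npm run debug"},  # suppressed by filter
    {"EventType": "process_creation", "ParentImage": VSCODE_PATH,
     "Image": "C:\\Program Files\\nodejs\\node.exe", "CommandLine": "node.exe nxConsole.js"},  # not a shell
    {"EventType": "file_access", "Image": "C:\\Program Files\\nodejs\\node.exe",
     "TargetFilename": "C:\\Users\\dev\\.npmrc"},                                    # node + .npmrc tolerated
    {"EventType": "file_access", "Image": "C:\\Program Files\\nodejs\\node.exe",
     "TargetFilename": "C:\\Users\\dev\\.git-credentials"},                          # fires: node reading git creds
    {"EventType": "file_access", "Image": "C:\\Program Files\\Git\\cmd\\git.exe",
     "TargetFilename": "C:\\Users\\dev\\.git-credentials"},                          # legitimate git
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Feeding the rules real process-creation and file-access exports through the same functions is a cheap way to measure how much the integrated-terminal false positive actually costs before the rule goes live.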
KQL (Microsoft Sentinel)
These hunting queries look for the campaign's network indicators and process anomalies in DeviceNetworkEvents and DeviceProcessEvents. Run them as two separate queries; Kusto does not accept two tabular expressions in one query. The domain IOC must be un-defanged (replace "[.]" with ".") before it can match RemoteUrl.
// Query 1: suspicious network connections from VS Code or Node processes
let IOC_IPs = dynamic(["185.220.101.10"]);
let IOC_Domains = dynamic(["c2-panel.nx-update.com"]); // un-defanged form of c2-panel.nx-update[.]com
DeviceNetworkEvents
| where Timestamp > ago(7d)
// npm.cmd is a batch wrapper; on Windows the connecting process is usually node.exe
| where InitiatingProcessFileName in~ ("Code.exe", "node.exe", "npm.cmd")
| where RemoteIP in (IOC_IPs) or RemoteUrl has_any (IOC_Domains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| extend AlertDetail = "Potential C2 Beaconing from Compromised DevTool"
// Query 2: anomalous child processes of VS Code (inspector or eval-style command lines)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "Code.exe"
| where ProcessCommandLine contains "--inspect" or ProcessCommandLine contains "eval"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FileName, FolderPath
| extend AlertDetail = "Anomalous Code Execution from VS Code"
Velociraptor VQL
This artifact hunts for on-disk evidence: recently modified Nx Console extension files, installed copies of @nx/devkit in the affected 19.x range, and recent modifications to Git credential files. The globs below are POSIX; for Windows clients use the Windows form (e.g. C:\Users\*\.vscode\extensions\nrwl.angular-console-*\**). Note that the npm cache (_cacache) is content-addressed, so package names do not appear in its file names; check installed node_modules copies instead and purge the cache wholesale during remediation.
-- Hunt for recently modified Nx Console extension files
SELECT FullPath, Size, Mtime, Atime
FROM glob(globs="/*/*/.vscode/extensions/nrwl.angular-console-*/**")
WHERE Mtime > timestamp(epoch="2026-05-20")

-- Find installed @nx/devkit packages and report their version
-- (the regex over-matches 19.5.3+; reconcile hits against the 19.0.0-19.5.2 range by hand)
SELECT FullPath, Mtime,
       parse_json(data=read_file(filename=FullPath)).version AS Version
FROM glob(globs="/*/*/**/node_modules/@nx/devkit/package.json")
WHERE Version =~ '^19[.][0-5][.]'

-- Scan for recent modifications to git credential files (root and per-user homes)
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs=["/*/.git-credentials", "/*/*/.git-credentials"])
WHERE Mtime > timestamp(epoch="2026-05-20")
Remediation Script (PowerShell)
This script identifies and removes a vulnerable Nx Console installation, purges the npm cache, and reports installed @nx/devkit copies that fall in the affected range. It only removes the extension when its manifest version is below the fixed version, so an already patched install is left alone.
# Remediation Script for Nx Console Supply Chain Compromise
# Run in the context of the affected user profile (all paths below are per-user)
Write-Host "[+] Starting Remediation for Nx Console Compromise..." -ForegroundColor Cyan

# 1. Define the affected extension and the first fixed version
$VulnerableExtensionId = "nrwl.angular-console"
$FixedVersion = [version]"20.0.1"
$VSCodeExtensionsPath = "$env:USERPROFILE\.vscode\extensions"

# 2. Check for a vulnerable Nx Console installation (extension dirs are named publisher.name-version)
if (Test-Path $VSCodeExtensionsPath) {
    Write-Host "[*] Scanning VS Code Extensions..." -ForegroundColor Yellow
    Get-ChildItem -Path $VSCodeExtensionsPath -Directory | Where-Object { $_.Name -like "$VulnerableExtensionId-*" } | ForEach-Object {
        $ExtPath = $_.FullName
        $PackageJson = Join-Path $ExtPath "package.json"
        if (Test-Path $PackageJson) {
            $Manifest = Get-Content $PackageJson -Raw | ConvertFrom-Json
            # Strip any prerelease suffix so [version] can parse it
            $Version = [version]($Manifest.version -replace '-.*$', '')
            if ($Version -lt $FixedVersion) {
                Write-Host "[!] Found vulnerable Nx Console $Version at $ExtPath" -ForegroundColor Red
                Write-Host "[*] Uninstalling vulnerable extension..." -ForegroundColor Yellow
                if (Get-Command code -ErrorAction SilentlyContinue) {
                    # Prefer the VS Code CLI so the extension registry stays consistent
                    code --uninstall-extension $VulnerableExtensionId
                }
                if (Test-Path $ExtPath) { Remove-Item -Path $ExtPath -Recurse -Force }
                Write-Host "[+] Extension removed. Reinstall v20.0.1 or later from the Marketplace." -ForegroundColor Green
            } else {
                Write-Host "[+] Nx Console $Version is at or above the fixed version." -ForegroundColor Green
            }
        }
    }
}

# 3. Purge the npm cache. _cacache is content-addressed, so a filename search for
#    "@nx/devkit" finds nothing; purge wholesale and let npm re-fetch clean packages.
$NpmCachePath = (& npm config get cache 2>$null)
if (-not $NpmCachePath) { $NpmCachePath = "$env:LOCALAPPDATA\npm-cache" }  # npm 7+ default on Windows
if (Test-Path $NpmCachePath) {
    Write-Host "[*] Purging NPM cache at $NpmCachePath..." -ForegroundColor Yellow
    npm cache clean --force
    Write-Host "[+] NPM Cache purged." -ForegroundColor Green
}

# 4. Report installed @nx/devkit copies in the affected 19.0.0-19.5.2 range under the profile
$MinBad = [version]"19.0.0"
$MaxBad = [version]"19.5.2"
Get-ChildItem -Path $env:USERPROFILE -Recurse -Directory -Filter "devkit" -ErrorAction SilentlyContinue |
    Where-Object { $_.Parent.Name -eq "@nx" -and $_.Parent.Parent.Name -eq "node_modules" } |
    ForEach-Object {
        $Pkg = Join-Path $_.FullName "package.json"
        if (Test-Path $Pkg) {
            $v = [version]((Get-Content $Pkg -Raw | ConvertFrom-Json).version -replace '-.*$', '')
            if ($v -ge $MinBad -and $v -le $MaxBad) {
                Write-Host "[!] Affected @nx/devkit $v at $($_.FullName): delete node_modules and reinstall with a pinned safe version" -ForegroundColor Red
            }
        }
    }

Write-Host "[+] Remediation Complete. Rotate GitHub tokens and SSH keys immediately." -ForegroundColor Cyan
Remediation
- Patch Immediately: Update Nx Console to v20.0.1 or later via the VS Code Extensions Marketplace. Verify the extension's signature if possible.
- Credential Rotation: Assume compromise. Rotate all GitHub Personal Access Tokens (PATs), OAuth tokens, and SSH keys used by developers who ran the vulnerable versions of the extension.
- Audit Repositories: Conduct a forensic review of GitHub repositories accessed from affected workstations between May 20, 2026, and the present. Look for unauthorized commits, added users, or modified webhook URLs.
- NPM Cache Sanitization: Run npm cache clean --force on all build agents and developer workstations to remove cached @nx/devkit artifacts, then reinstall with a version pinned outside the 19.0.0 through 19.5.2 range.
- Network Blocking: Block traffic to the identified C2 infrastructure (IOCs provided in CISA AA26-138A) at the perimeter.
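Confirming that a project's dependency tree is clean means checking every @nx/devkit entry in the lockfile, including copies nested under other packages, against the 19.0.0 through 19.5.2 range, and checking the installed extension version against the 20.0.1 fix. As an added example (not code from the advisory or from Security Arsenal) the script below does that offline. It goes slightly beyond the text by handling both lockfile layouts npm writes (the flat "packages" map of lockfileVersion 2/3 and the nested "dependencies" tree of lockfileVersion 1). The lockfiles embedded here are constructed for illustration; point audit_lockfile_path at a real package-lock.json in practice.

```python
"""Added example: audit a package-lock.json and an Nx Console manifest version against the
affected ranges. Not part of the advisory; the sample lockfiles below are constructed."""
import json
import re
from pathlib import Path
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]
DEVKIT_RANGE: Tuple[Version, Version] = ((19, 0, 0), (19, 5, 2))  # @nx/devkit affected range
CONSOLE_FIXED: Version = (20, 0, 1)                                 # first fixed Nx Console
_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Numeric core of a semver string; prerelease/build suffixes are ignored.
    A lockfile 'version' field is always a concrete version, never a range."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"not a semver version: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def devkit_affected(version: str) -> bool:
    lo, hi = DEVKIT_RANGE
    return lo <= parse_version(version) <= hi


def console_affected(version: str) -> bool:
    return parse_version(version) < CONSOLE_FIXED


def _walk_v1(deps: Dict, prefix: str, out: List[Tuple[str, str]]) -> None:
    """lockfileVersion 1 nests transitive dependencies under each entry's 'dependencies'."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        if name == "@nx/devkit":
            out.append((path, meta.get("version", "")))
        _walk_v1(meta.get("dependencies", {}), path + "/", out)


def find_devkit_in_lockfile(lock: Dict) -> List[Tuple[str, str]]:
    """(install path, version) for every @nx/devkit entry, hoisted or nested."""
    found: List[Tuple[str, str]] = []
    packages = lock.get("packages")
    if packages is not None:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in packages.items():
            if path.endswith("node_modules/@nx/devkit"):
                found.append((path, meta.get("version", "")))
    else:                     # lockfileVersion 1: recursive tree
        _walk_v1(lock.get("dependencies", {}), "", found)
    return found


def audit_lockfile(lock: Dict) -> List[str]:
    """'path@version' for each @nx/devkit copy inside the affected range."""
    return [f"{p}@{v}" for p, v in find_devkit_in_lockfile(lock) if v and devkit_affected(v)]


def audit_lockfile_path(path: Path) -> List[str]:
    return audit_lockfile(json.loads(path.read_text(encoding="utf-8")))


# Constructed v3 lockfile: one hoisted affected copy, one nested copy outside the range
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@nx/devkit": {"version": "19.4.0"},
        "node_modules/some-plugin": {"version": "2.1.0"},
        "node_modules/some-plugin/node_modules/@nx/devkit": {"version": "19.6.1"},
    },
}
# Constructed v1 lockfile: affected copy nested under a plugin
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "some-plugin": {"version": "2.1.0", "dependencies": {"@nx/devkit": {"version": "19.5.2"}}},
    },
}

if __name__ == "__main__":
    print(audit_lockfile(SAMPLE_LOCK))
    print(audit_lockfile(SAMPLE_LOCK_V1))
    print(console_affected("19.9.0"), console_affected("20.0.1"))
```

Because nested copies are reported with their full install path, a hit under another package's node_modules tells you which dependency pulled the affected version in, which is what you need when pinning a safe version via overrides rather than only bumping the top-level dependency.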
Official Vendor Advisory: