
Compromised Nx Console v18.95.0: VS Code Supply Chain Attack and Credential Theft

Security Arsenal Team
May 19, 2026

Introduction

Security teams need to be on immediate alert regarding a critical supply chain compromise affecting the Visual Studio Code (VS Code) ecosystem. Cybersecurity researchers have identified a malicious version of the popular rwl.angular-console extension (version 18.95.0) published to the official VS Code Marketplace. The extension has over 2.2 million installations historically; this specific compromised build acts as a credential stealer, targeting developer environments to exfiltrate sensitive authentication tokens and keys. This is not a theoretical vulnerability; it is an active, in-the-wild abuse of trust. Defenders must assume that any developer workstation running this version is currently compromised.

Technical Analysis

  • Affected Product: Nx Console (Extension ID: rwl.angular-console)
  • Affected Platforms: Visual Studio Code, Cursor, JetBrains (via the Nx Console plugin)
  • Affected Version: 18.95.0 (Specifically malicious)
  • CVE Status: No specific CVE has been assigned at the time of this analysis, as this is a compromise of a marketplace artifact rather than a traditional software vulnerability.

Attack Chain and Mechanism:

  1. Initial Compromise: The attacker compromised the publisher account or build pipeline of the Nx Console extension, allowing them to publish a signed, malicious update (v18.95.0) to the official marketplace.
  2. Installation: VS Code users received the update via the standard automatic update mechanism or installed it manually, trusting the source (Microsoft Marketplace).
  3. Execution: Upon loading the extension, the malicious code executes within the context of the VS Code host process (typically Code.exe or electron).
  4. Payload (Credential Theft): The artifact contains code designed to scan for and exfiltrate credentials, including AWS keys, GitHub tokens, and other sensitive configuration files often present in developer environments.
  5. Exfiltration: Stolen data is transmitted to an attacker-controlled command-and-control (C2) server.

Exploitation Status:

This is confirmed active exploitation. The malicious package is currently available in the marketplace and has been downloaded by unsuspecting developers.

Detection & Response

Detection Content

The following detection mechanisms focus on identifying the presence of the specific malicious extension version and its artifacts on endpoints.

Sigma (YAML)
---
title: Installation of Compromised Nx Console Extension v18.95.0
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects the installation or presence of the compromised rwl.angular-console extension version 18.95.0 which contains a credential stealer.
references:
  - https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html
author: Security Arsenal
date: 2026/05/20
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains: '\.vscode\extensions\rwl.angular-console-18.95.0'
  condition: selection
falsepositives:
  - Legitimate installation of this specific version (highly unlikely given current context)
level: critical
---
title: Installation of Compromised Nx Console Extension v18.95.0 (Linux/Mac)
id: b2c3d4e5-6789-01ab-cdef-2345678901bc
status: experimental
description: Detects the installation or presence of the compromised rwl.angular-console extension version 18.95.0 on Linux or macOS systems.
references:
  - https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html
author: Security Arsenal
date: 2026/05/20
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: file_event
  product: linux
detection:
  selection:
    TargetFilename|contains: '/.vscode/extensions/rwl.angular-console-18.95.0'
  condition: selection
falsepositives:
  - Legitimate installation of this specific version
level: critical
---
title: Potential VS Code Extension Host Spawn Suspicious Process
id: c3d4e5f6-7890-12ab-def0-3456789012cd
status: experimental
description: Detects suspicious child processes spawned by the VS Code extension host, which could indicate malicious activity from a compromised extension.
references:
  - https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html
author: Security Arsenal
date: 2026/05/20
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\Code.exe'
      - '\helper.exe'
      - '\node.exe'
    ParentCommandLine|contains: '--extensionHost'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\bash.exe'
      - '\curl.exe'
  filter_legit_devtools:
    # A list under a single modifier is OR-ed in Sigma; inline "or" is not valid syntax
    CommandLine|contains:
      - 'git'
      - 'npm'
      - 'yarn'
  condition: selection_parent and selection_child and not filter_legit_devtools
falsepositives:
  - Developers running legitimate build scripts or terminal commands from within VS Code
level: medium
KQL — Microsoft Sentinel / Defender
// Hunt for the specific malicious extension version in file creation logs.
// FolderPath uses backslashes on Windows and forward slashes on macOS/Linux, so match on the
// versioned extension folder name rather than on one separator style, which would miss half the fleet.
DeviceFileEvents
| where FolderPath contains "rwl.angular-console-18.95.0"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, FileName, ActionType
| extend Tip = "Verify if this is the compromised Nx Console version and remove immediately."
VQL — Velociraptor
-- Hunt for the malicious Nx Console extension directory on endpoints.
-- A single "/*/.vscode/..." glob only matches directories one level below the root and misses
-- /home/<user>, /Users/<user> and C:\Users\<user>; list the real profile roots instead.
-- (Cursor, named as affected above, is assumed to use <profile>/.cursor/extensions.)
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs=[
    "/home/*/.vscode/extensions/rwl.angular-console-18.95.0/*",
    "/Users/*/.vscode/extensions/rwl.angular-console-18.95.0/*",
    "C:/Users/*/.vscode/extensions/rwl.angular-console-18.95.0/*",
    "/home/*/.cursor/extensions/rwl.angular-console-18.95.0/*",
    "/Users/*/.cursor/extensions/rwl.angular-console-18.95.0/*",
    "C:/Users/*/.cursor/extensions/rwl.angular-console-18.95.0/*"
])
LIMIT 100
PowerShell
# Remediation Script: Detect and Remove Malicious Nx Console Extension
# Run from an elevated PowerShell session so that every user profile on the host is covered.
# The preferred removal is from the affected user's own session with
#   code --uninstall-extension rwl.angular-console
# so that VS Code also updates its extensions.json; this script is the fallback that removes
# the directory directly and preserves the manifest for forensic review first.

$ErrorActionPreference = "Stop"

Write-Host "Starting scan for compromised Nx Console extension (rwl.angular-console-18.95.0)..." -ForegroundColor Cyan

# Per-user extension roots for VS Code, VS Code Insiders and Cursor.
# The wildcard is expanded below so that all profiles under C:\Users are checked, not only the current one.
# (Cursor is assumed to store extensions under <profile>\.cursor\extensions.)
$extensionPatterns = @(
    "$env:SystemDrive\Users\*\.vscode\extensions",
    "$env:SystemDrive\Users\*\.vscode-insiders\extensions",
    "$env:SystemDrive\Users\*\.cursor\extensions"
)

$maliciousFolderName = "rwl.angular-console-18.95.0"
$quarantineRoot = Join-Path -Path $env:ProgramData -ChildPath "NxConsoleIR"
$foundThreat = $false

foreach ($pattern in $extensionPatterns) {
    # Get-Item with a wildcard yields one DirectoryInfo per matching profile, or nothing
    foreach ($basePath in (Get-Item -Path $pattern -ErrorAction SilentlyContinue)) {
        $targetPath = Join-Path -Path $basePath.FullName -ChildPath $maliciousFolderName

        if (Test-Path -LiteralPath $targetPath) {
            Write-Host "[THREAT FOUND] Malicious extension detected at: $targetPath" -ForegroundColor Red
            $foundThreat = $true
            try {
                # Preserve the manifest and package.json before deletion so the IR team can confirm
                # the build and review its declared activation events and dependencies.
                $profileName = $basePath.Parent.Parent.Name
                $quarantineDir = Join-Path -Path $quarantineRoot -ChildPath ("{0}-{1}" -f $profileName, (Get-Date -Format "yyyyMMdd-HHmmss"))
                New-Item -ItemType Directory -Path $quarantineDir -Force | Out-Null
                foreach ($artifact in @("extension.vsixmanifest", "package.json")) {
                    $artifactPath = Join-Path -Path $targetPath -ChildPath $artifact
                    if (Test-Path -LiteralPath $artifactPath) {
                        Copy-Item -LiteralPath $artifactPath -Destination $quarantineDir -Force
                        Write-Host "Preserved $artifact in $quarantineDir" -ForegroundColor Yellow
                    }
                }

                Write-Host "Removing directory: $targetPath" -ForegroundColor Yellow
                Remove-Item -LiteralPath $targetPath -Recurse -Force -ErrorAction Stop
                Write-Host "[SUCCESS] Malicious extension removed." -ForegroundColor Green
            }
            catch {
                Write-Host "[ERROR] Failed to remove $targetPath. Manual deletion required. Error: $_" -ForegroundColor Red
            }
        }
    }
}

if (-not $foundThreat) {
    Write-Host "No instances of the malicious extension found on this system." -ForegroundColor Green
} else {
    Write-Host ""
    Write-Host "REMEDIATION ACTION REQUIRED:" -ForegroundColor Cyan
    Write-Host "1. Restart Visual Studio Code immediately."
    Write-Host "2. Reinstall the Nx Console extension from a verified clean version (e.g., 18.95.1+ or latest)."
    Write-Host "3. Assume credential compromise: Rotate all GitHub tokens, AWS keys, and other secrets stored on this host."
    Write-Host "4. Hand the quarantined files under $quarantineRoot to the incident response team."
}
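The PowerShell script above only covers Windows hosts. The following Python inventory check is an added example (written for this page, not code from the advisory or from the Nx Console project) that does the same job on Linux and macOS as well: it reads each editor's extensions.json where present, falls back to parsing the <publisher>.<name>-<version> folder names so a stale or tampered manifest cannot hide an install, and flags only the exact build named in the advisory. The per-user roots (.vscode, .vscode-insiders, .cursor), the folder naming scheme and the extensions.json keys (identifier.id, version, relativeLocation) are assumptions about the editors' layout; the demo home directory it builds is constructed sample data.

```python
"""Cross-platform check for the compromised Nx Console build (added example)."""
import json
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple

COMPROMISED_ID = "rwl.angular-console"
COMPROMISED_VERSION = "18.95.0"

# Per-user extension roots relative to the home directory (assumed layout; Cursor is
# assumed to mirror VS Code's ~/.cursor/extensions convention).
EXTENSION_ROOTS = (".vscode/extensions", ".vscode-insiders/extensions", ".cursor/extensions")

# Assumed folder scheme: <publisher>.<name>-<major>.<minor>.<patch>[-<target-platform>]
FOLDER_RE = re.compile(
    r"^(?P<id>[A-Za-z0-9][A-Za-z0-9-]*\.[A-Za-z0-9][A-Za-z0-9-]*?)"
    r"-(?P<version>\d+\.\d+\.\d+)"
    r"(?:-(?P<target>[A-Za-z0-9-]+))?$"
)


@dataclass(frozen=True)
class Installed:
    ext_id: str
    version: str
    path: Path
    source: str  # "manifest" (extensions.json) or "folder" (directory name)


def parse_folder_name(name: str) -> Optional[Tuple[str, str]]:
    """Split an extension folder name into (id, version); None if it does not fit the scheme."""
    m = FOLDER_RE.match(name)
    return (m.group("id").lower(), m.group("version")) if m else None


def is_compromised(ext_id: str, version: str) -> bool:
    """Exact match on the one build the advisory identifies as malicious."""
    return ext_id.lower() == COMPROMISED_ID and version == COMPROMISED_VERSION


def read_manifest(root: Path) -> List[Installed]:
    """Entries from extensions.json (assumed: a JSON list with identifier.id, version,
    relativeLocation). Missing or malformed files are skipped, not fatal."""
    manifest = root / "extensions.json"
    if not manifest.is_file():
        return []
    try:
        entries = json.loads(manifest.read_text(encoding="utf-8"))
    except (ValueError, OSError):
        return []
    found = []
    for entry in entries if isinstance(entries, list) else []:
        try:
            ext_id, version = entry["identifier"]["id"], str(entry["version"])
            rel = entry.get("relativeLocation", f"{ext_id}-{version}")
        except (KeyError, TypeError):
            continue
        found.append(Installed(ext_id.lower(), version, root / rel, "manifest"))
    return found


def list_folders(root: Path) -> List[Installed]:
    """Fallback: derive id/version from directory names, so an install that a stale or
    tampered extensions.json no longer lists is still reported."""
    found = []
    for child in sorted(root.iterdir()):
        parsed = parse_folder_name(child.name) if child.is_dir() else None
        if parsed:
            found.append(Installed(parsed[0], parsed[1], child, "folder"))
    return found


def inventory(home: Path) -> List[Installed]:
    """All extensions under one home directory, both sources, de-duplicated on path."""
    seen = {}
    for rel_root in EXTENSION_ROOTS:
        root = home / rel_root
        if root.is_dir():
            for item in read_manifest(root) + list_folders(root):
                seen.setdefault(item.path.resolve(), item)
    return list(seen.values())


def find_compromised(home: Path) -> List[Installed]:
    return [i for i in inventory(home) if is_compromised(i.ext_id, i.version)]


def build_demo_home(base: Path) -> Path:
    """Constructed sample layout: a clean Nx Console in VS Code (listed in extensions.json),
    the compromised build in Cursor (no manifest, so the folder fallback must catch it),
    and an unrelated platform-specific extension."""
    vs, cur = base / ".vscode" / "extensions", base / ".cursor" / "extensions"
    for d in (vs / "rwl.angular-console-18.94.0", vs / "ms-python.python-2024.4.1-win32-x64",
              cur / "rwl.angular-console-18.95.0"):
        d.mkdir(parents=True, exist_ok=True)
    (vs / "extensions.json").write_text(json.dumps([{
        "identifier": {"id": "rwl.angular-console"}, "version": "18.94.0",
        "relativeLocation": "rwl.angular-console-18.94.0"}]), encoding="utf-8")
    return base


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # replace with Path.home() for a real host
        for hit in find_compromised(build_demo_home(Path(tmp))):
            print(f"COMPROMISED {hit.ext_id} {hit.version} at {hit.path} (via {hit.source})")
```

Run it with Path.home() (or iterate over /home/*, /Users/* and C:\Users\* as root) instead of the demo directory; a non-empty result from find_compromised is the trigger for the remediation steps below.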

Remediation

  1. Immediate Uninstallation: Developers must immediately uninstall the rwl.angular-console extension if version 18.95.0 is present. This can be done via the VS Code Extensions pane (Ctrl+Shift+X) or by manually deleting the folder identified in the detection scripts.
  2. Update to Clean Version: Verify the publisher has released a patched version and update to the latest stable release. Ensure the hash matches the official release.
  3. Credential Rotation: Treat this incident as a confirmed breach of credentials. Developers must rotate:
    • GitHub Personal Access Tokens (PATs)
    • AWS Access Keys and Secret Keys
    • Docker Hub credentials
    • Any other secrets or API keys stored in environment variables or .env files accessible to VS Code.
  4. Environment Audit: Conduct a forensic review of logs on the affected workstation to identify any unauthorized access or exfiltration activity during the time the extension was installed.

Official Advisory: Check the Visual Studio Code Marketplace for the latest official statement and clean version releases.
