Introduction
A critical supply chain attack has compromised the trust chain of the widely used Nx Console extension for Visual Studio Code (VS Code). Threat actors successfully hijacked the account of a legitimate maintainer to publish a malicious build directly to the official Visual Studio Marketplace.
This is not a theoretical vulnerability; it is an active breach scenario. The malicious extension is designed to steal developer authentication tokens, specifically targeting GitHub credentials, allowing attackers to pivot into private repositories and source code pipelines. Defenders must treat this as a critical incident: any environment with the affected extension installed must be considered compromised until the malicious version is removed and all exposed credentials are rotated.
Technical Analysis
Affected Products and Platforms
- Platform: Visual Studio Code (Windows, macOS, Linux)
- Extension: Nx Console (Publisher: nrwl, Extension ID: nrwl.angular-console)
- Attack Vector: Supply Chain Compromise (Account Takeover)
Vulnerability and Attack Chain
The attack bypasses traditional security controls by exploiting the inherent trust placed in official marketplace publishers. The attack chain is as follows:
- Initial Compromise: A threat actor compromises the developer account associated with the nrwl.angular-console extension.
- Malicious Publication: The actor publishes an updated version of the extension containing obfuscated JavaScript code designed to execute upon extension activation.
- Execution: When a developer updates or installs the extension, the VS Code host process (Code.exe) executes the malicious script within the extension's context.
- Credential Theft: The script enumerates local storage files (specifically looking for GitHub and other OAuth tokens) and exfiltrates them to a command-and-control (C2) server.
- Persistence/Access: With stolen tokens, the attacker gains unauthorized access to the victim's GitHub repositories, CI/CD pipelines, and potentially cloud infrastructure.
Exploitation Status
- Status: Confirmed Active Exploitation. The breach was traced back to this extension, indicating successful data exfiltration in the wild.
- CVE: While specific CVEs are often assigned to the software vulnerability allowing the takeover, the malicious artifact itself acts as malware. There is no patch for the extension other than removing the malicious version.
Detection & Response
SIGMA Rules
---
title: Potential Malicious VS Code Extension Activity - Shell Spawn
id: 8c4e9f12-3d1a-4b5c-9e2d-1f3a4b5c6d7e
status: experimental
description: Detects Visual Studio Code spawning shell processes (cmd, powershell, bash), which is unusual behavior for legitimate extensions and may indicate malicious code execution like the Nx Console implant.
references:
  - https://www.infosecurity-magazine.com/news/github-breach-nx-console-vs-code/
author: Security Arsenal
date: 2024/11/27
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\Code.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\bash.exe'
  condition: selection
falsepositives:
  - Legitimate debugging or developer terminal usage (rare for extensions to spawn these silently)
  - The VS Code integrated terminal, which is also spawned by Code.exe; baseline per host and correlate with extension activity
level: high
---
title: Installation of Suspicious Nx Console Extension
id: 9d5f0a23-4e2b-5c6d-0f3e-2g4h5i6j7k8l
status: experimental
description: Detects the installation or update command for the specific Nx Console extension ID (nrwl.angular-console) which was recently compromised in a supply chain attack.
references:
  - https://www.infosecurity-magazine.com/news/github-breach-nx-console-vs-code/
author: Security Arsenal
date: 2024/11/27
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: windows
detection:
  # Split into two selections: a YAML map cannot hold the same key twice, and the
  # install flag and the extension ID must both appear on the command line.
  selection_cli:
    Image|endswith: '\Code.exe'
    CommandLine|contains:
      - '--install-extension'
      - '--force'
  selection_ext:
    CommandLine|contains: 'nrwl.angular-console'
  condition: all of selection_*
falsepositives:
  - Legitimate installation of Nx Console by a developer
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for VS Code spawning suspicious child processes (PowerShell/CMD)
// This detects the execution phase of the malicious extension.
DeviceProcessEvents
| where InitiatingProcessFileName == "Code.exe"
| where FileName in~ ("powershell.exe", "cmd.exe", "bash.exe", "curl.exe", "wget.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, SHA256
| order by Timestamp desc
// Hunt for network connections initiated by VS Code to non-Microsoft domains
// Malicious extensions often beacon out to C2 servers.
DeviceNetworkEvents
| where InitiatingProcessFileName == "Code.exe"
| where RemoteUrl !contains "microsoft"
and RemoteUrl !contains "github"
and RemoteUrl !contains "vscode"
and RemoteUrl !contains "azure"
| project Timestamp, DeviceName, AccountName, RemoteUrl, RemotePort, InitiatingProcessCommandLine
| order by Timestamp desc
Velociraptor VQL
-- Hunt for the presence of the Nx Console extension on disk
-- Check for the specific extension ID and recent modifications.
-- Extensions are installed per user, so the globs cover the user profile roots
-- of Windows, Linux and macOS rather than only directories directly under "/".
SELECT FullPath, Mtime, Atime, Size
FROM glob(globs=[
    "C:/Users/*/.vscode/extensions/nrwl.angular-console*",
    "/home/*/.vscode/extensions/nrwl.angular-console*",
    "/root/.vscode/extensions/nrwl.angular-console*",
    "/Users/*/.vscode/extensions/nrwl.angular-console*"
])
WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 3600) -- Flag extensions modified in the last 7 days
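A cross-platform inventory check that complements the VQL hunt above, added here as an example and not code from the original advisory or from the Nx project: it reads the extensions.json manifest that VS Code keeps in each user's .vscode/extensions folder and falls back to the folder names (publisher.name-version), so a stale or tampered manifest cannot hide a copy. The sample entries, version strings and profile roots are constructed or assumed for the example.

```python
import glob
import json
from pathlib import Path

TARGET_ID = "nrwl.angular-console"

# Constructed sample in the shape of VS Code's extensions.json; versions are made up.
SAMPLE_ENTRIES = [
    {"identifier": {"id": "ms-python.python"}, "version": "2024.20.0",
     "relativeLocation": "ms-python.python-2024.20.0"},
    {"identifier": {"id": "nrwl.angular-console"}, "version": "0.0.0-example",
     "relativeLocation": "nrwl.angular-console-0.0.0-example"},
]
# Constructed folder listing, with a leftover copy the manifest no longer mentions.
SAMPLE_DIRS = ["ms-python.python-2024.20.0", "nrwl.angular-console-0.0.0-example",
               "nrwl.angular-console-0.0.1-example"]

def match_entries(entries, dir_names, target_id=TARGET_ID):
    """Return {version: source} for every copy of target_id; entries is the parsed
    extensions.json (None if missing/corrupt), dir_names the folder listing.
    Folders are named publisher.name-version, so the fallback still catches
    copies a stale or tampered manifest omits."""
    found = {}
    for e in entries or []:
        if e.get("identifier", {}).get("id", "").lower() == target_id:
            found[e.get("version", "?")] = "extensions.json"
    for name in dir_names:
        if name.lower().startswith(target_id + "-"):
            found.setdefault(name[len(target_id) + 1:], "directory")
    return found

def scan_extensions_dir(extensions_dir: Path):
    """Inventory one <profile>/.vscode/extensions folder on disk."""
    try:
        entries = json.loads((extensions_dir / "extensions.json").read_text("utf-8"))
    except (OSError, ValueError):
        entries = None  # manifest missing or corrupt: rely on folder names only
    dirs = [p.name for p in extensions_dir.iterdir() if p.is_dir()] if extensions_dir.is_dir() else []
    return match_entries(entries, dirs)

def user_extension_dirs():
    """Extensions folders of every local user profile (Windows, macOS, Linux); assumed roots."""
    roots = ["C:/Users/*", "/Users/*", "/home/*", "/root"]
    return [Path(d) for r in roots for d in glob.glob(r + "/.vscode/extensions")]

if __name__ == "__main__":
    for d in user_extension_dirs():
        for version, source in scan_extensions_dir(d).items():
            print(f"{d}: {TARGET_ID} {version} (found via {source})")
```

Compare every reported version against the vendor advisory; a copy found only via the folder name is worth a closer look, since VS Code itself no longer tracks it.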
Remediation Script (PowerShell)
# Remediation Script for Malicious Nx Console Extension
# This script uninstalls the specific extension ID to ensure the malicious version is removed.
# VS Code extensions are installed per user, so run this in the context of each affected user profile.
Write-Host "[+] Starting remediation for Nx Console extension..." -ForegroundColor Cyan

# Define the extension ID
$ExtensionID = "nrwl.angular-console"

# Attempt to uninstall the extension
Write-Host "[*] Attempting to uninstall extension: $ExtensionID" -ForegroundColor Yellow
try {
    # Assuming 'code' is in the system PATH. If not, use full path.
    $UninstallResult = & code --uninstall-extension $ExtensionID 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Host "[SUCCESS] Extension $ExtensionID uninstalled successfully." -ForegroundColor Green
        Write-Host $UninstallResult
    } else {
        Write-Host "[WARNING] Exit code $LASTEXITCODE. Extension may not be installed or 'code' command not found." -ForegroundColor Red
    }

    # Verify removal: the ID must no longer appear in the installed-extension list
    $Remaining = & code --list-extensions 2>&1 | Where-Object { $_ -like "$ExtensionID*" }
    if ($Remaining) {
        Write-Host "[WARNING] $ExtensionID is still listed as installed; inspect the .vscode\extensions folder manually." -ForegroundColor Red
    }
}
catch {
    Write-Host "[ERROR] Failed to run uninstall command: $_" -ForegroundColor Red
}

Write-Host "[!] IMPORTANT: You must manually reinstall the extension from the Visual Studio Marketplace to ensure you have a clean, verified version." -ForegroundColor Magenta
Write-Host "[!] CRITICAL: Rotate your GitHub tokens and personal access tokens (PATs) immediately." -ForegroundColor Red
Remediation
1. Immediate Removal and Reinstallation
The malicious version has been pulled from the marketplace, but existing installations remain dangerous.
- Action: Uninstall the nrwl.angular-console extension immediately via the command line (code --uninstall-extension nrwl.angular-console) or the VS Code UI.
- Action: Reinstall the extension directly from the Visual Studio Marketplace to ensure you have the latest, verified clean version.
2. Credential Rotation (Mandatory)
The primary objective of this malware is credential theft.
- Action: Assume all GitHub tokens, SSH keys used in VS Code, and cloud access tokens (AWS/Azure/GCP) stored on the affected machine are compromised.
- Action: Revoke all GitHub Personal Access Tokens (PATs) and OAuth tokens associated with the affected accounts.
- Action: Rotate SSH keys.
3. Audit Source Code and Pipelines
Since the attacker had access to developer tokens:
- Action: Audit GitHub commit logs for unauthorized pushes during the timeframe of the infection.
- Action: Review CI/CD pipeline logs (GitHub Actions, Jenkins, etc.) for unauthorized job executions.
4. Vendor Advisory
Refer to the official advisory from Nx and Microsoft for the latest status and specific version numbers involved in the breach.