Alert: Compromised Nx Console 18.95.0 Stealing Dev Credentials
Hey everyone,
Just caught wind of a significant supply chain attack impacting the VS Code ecosystem. Researchers have flagged a malicious build of the Nx Console extension served directly from the official marketplace.
Specifically, version 18.95.0 of rwl.angular-console is compromised. With over 2.2 million installs, the blast radius here is massive. The payload acts as a credential stealer, designed to siphon off secrets from .env files and configuration files for AWS, Azure, and GitHub within the developer's workspace.
If you manage developer workstations, you need to audit this immediately. You can verify the installed version using the VS Code CLI:
code --list-extensions --show-versions | grep "rwl.angular-console"
If the output returns `18.95.0`, you must uninstall it immediately. I also recommend checking the extension directory manually to ensure no remnants persist:
ls ~/.vscode/extensions/ | grep rwl.angular-console
Assume total compromise for any machine running this version and rotate all exposed API keys and tokens.
Does anyone have the unpacked VSIX hash or the specific C2 domains yet? I'm trying to scope out network detection rules for our proxy.
Great post. I've already started hunting for this in our environment. If you are using Microsoft Sentinel, you can use this KQL query to find devices with the specific extension installed via logs or inventory data.
DeviceProcessEvents
| where ProcessVersionInfoInternalFileName =~ "Code.exe"
| where ProcessCommandLine contains "rwl.angular-console"
Also, check for any suspicious child processes spawned by the extension host, like unexpected PowerShell or Python scripts running from the AppData directory.
This is exactly why I enforce 'auto-update: false' via policy for all dev tools. Attackers are clearly targeting high-trust accounts. Just a heads-up: rwl.angular-console is the legacy namespace for Nx Console. The attackers likely compromised the publisher account to push a malicious update under the old name, betting on users not noticing the publisher change. Always verify the publisher is 'Nrwl' before installing.
We found it on three machines so far. I'm pushing a removal script via SCCM to all endpoints to be safe. For those who need to automate the uninstall silently without launching the UI, here is a quick PowerShell snippet:
$ext = "rwl.angular-console"
& "$env:LOCALAPPDATA\Programs\Microsoft VS Code\bin\code.cmd" --uninstall-extension $ext
Remember that rotating keys is the most critical step here; the malware likely phoned home already.
Solid advice on the SCCM rollout. For teams needing to verify Linux or macOS endpoints immediately without a full deployment agent, this Python snippet checks the local extension directory for the malicious package version.
import os, json
ext_path = os.path.expanduser("~/.vscode/extensions")
for root, dirs, files in os.walk(ext_path):
    if 'package.json' in files:
        try:
            with open(os.path.join(root, 'package.json'), encoding='utf-8') as f:
                data = json.load(f)
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest (e.g. inside node_modules); skip it
        # package.json stores publisher and name separately; join them to get the
        # marketplace ID that the IOC refers to
        ext_id = f"{data.get('publisher')}.{data.get('name')}"
        if ext_id == 'rwl.angular-console' and data.get('version') == '18.95.0':
            print(f'[!] Compromised instance at: {root}')
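The CLI check in the opening post and the on-disk check in the last reply look at two different sources, and on developer machines they can disagree (a Remote-SSH or WSL host keeps its own extension directory, and a stale folder can survive an uninstall). The following is an added example, not code from anyone in this thread or from the Nx Console project: it parses the `publisher.name@version` lines that `code --list-extensions --show-versions` prints, reads the top-level package.json of every extension folder in the usual VS Code, Insiders and vscode-server directories (those default paths are an assumption; adjust for custom `--extensions-dir` setups), and reports any instance matching the IOC from the thread. The `demo()` function builds a throwaway extension directory with constructed manifests so the script runs offline.

```python
# Added example: audit VS Code extension inventory for one known-bad
# extension ID and version, from both the CLI listing and the on-disk manifests.
import json
import os
import tempfile
from pathlib import Path

# IOC as stated in the thread (publisher.name and exact version).
BAD_EXTENSION_ID = "rwl.angular-console"
BAD_VERSION = "18.95.0"

# Assumption: default extension directories for VS Code, Insiders and the
# remote server; a custom --extensions-dir would need to be added here.
EXTENSION_DIRS = [
    "~/.vscode/extensions",
    "~/.vscode-insiders/extensions",
    "~/.vscode-server/extensions",
]


def parse_cli_inventory(output):
    """Parse `code --list-extensions --show-versions` output
    (one `publisher.name@version` per line) into {id: version}."""
    inventory = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or "@" not in line:
            continue
        ext_id, _, version = line.rpartition("@")  # rpartition: IDs never contain '@'
        inventory[ext_id.lower()] = version
    return inventory


def scan_extension_dir(base):
    """Read each extension folder's top-level package.json and return
    (id, version, manifest_path) tuples. Only the top-level manifest is read,
    so package.json files bundled under node_modules are ignored."""
    found = []
    base = Path(base).expanduser()
    if not base.is_dir():
        return found
    for child in sorted(base.iterdir()):
        manifest = child / "package.json"
        if not manifest.is_file():
            continue
        try:
            with manifest.open(encoding="utf-8") as f:
                data = json.load(f)
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip rather than abort the scan
        publisher = str(data.get("publisher", "")).lower()
        name = str(data.get("name", "")).lower()
        found.append((f"{publisher}.{name}", str(data.get("version", "")), manifest))
    return found


def find_compromised(entries, bad_id=BAD_EXTENSION_ID, bad_version=BAD_VERSION):
    """Filter scan results down to those matching the IOC (ID and exact version)."""
    return [e for e in entries if e[0] == bad_id and e[1] == bad_version]


def audit(cli_output, dirs=EXTENSION_DIRS):
    """Combine the CLI inventory and the on-disk scan; return human-readable hits."""
    hits = []
    if parse_cli_inventory(cli_output).get(BAD_EXTENSION_ID) == BAD_VERSION:
        hits.append(f"CLI inventory reports {BAD_EXTENSION_ID}@{BAD_VERSION}")
    for d in dirs:
        for ext_id, ver, path in find_compromised(scan_extension_dir(d)):
            hits.append(f"on-disk: {ext_id}@{ver} at {path}")
    return hits


def demo():
    """Constructed demo: one benign and one matching manifest in a temp directory,
    plus constructed CLI output, so the audit can be exercised offline."""
    tmp = Path(tempfile.mkdtemp())
    manifests = {
        "ms-python.python-2024.0.1": {"publisher": "ms-python", "name": "python", "version": "2024.0.1"},
        "rwl.angular-console-18.95.0": {"publisher": "rwl", "name": "angular-console", "version": "18.95.0"},
    }
    for folder, manifest in manifests.items():
        (tmp / folder).mkdir()
        (tmp / folder / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    cli_output = "ms-python.python@2024.0.1\nrwl.angular-console@18.95.0\n"
    return audit(cli_output, dirs=[str(tmp)])


if __name__ == "__main__":
    # Real run: feed the actual CLI output, e.g.
    # audit(os.popen("code --list-extensions --show-versions").read())
    for hit in demo():
        print("[!]", hit)
```

Matching on publisher plus name rather than on the folder name matters because VS Code's folder naming (`publisher.name-version`) is an implementation detail, while package.json is what the extension host actually loads; a renamed or copied folder still shows up. A hit from the on-disk scan with no corresponding CLI entry is the "remnant" case the first post warns about and should be deleted by hand.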