SecurityHorrors

Stories you never want to feel on your own skin

Nx Console: One Stolen Token, One Poisoned Marketplace

Andras Bacsai


tldr: A contributor’s GitHub Personal Access Token was compromised, allowing attackers to publish a malicious version of the Nx Console VS Code extension (nrwl.angular-console) to the VS Code Marketplace. Version 18.95.0 is the affected release — all prior versions are safe, and OpenVSX was not affected.

Affected versions

  • Affected: nrwl.angular-console version 18.95.0 on the VS Code Marketplace.
  • Safe: All versions before 18.95.0. OpenVSX is not affected.

What to do

  • Check if you have nrwl.angular-console version 18.95.0 installed and remove or downgrade it immediately.
  • If you installed the affected version, treat your machine as potentially compromised — audit running processes and rotate credentials.
  • Review the StepSecurity writeup for full details on the attack chain.
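
The first check above as a script. This is an added example, not code from the original post or from the Nx project. It assumes the default per-user extension directories and VS Code's `<publisher>.<name>-<version>` folder naming; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: find the Nx Console build this page names as affected.
EXT_ID="nrwl.angular-console"   # extension id from the page
BAD_VERSION="18.95.0"           # affected version from the page

# Reads `code --list-extensions --show-versions` output (one id@version per
# line) on stdin; succeeds only if the affected build is listed.
listing_has_affected() {
    grep -i -q -x -F "${EXT_ID}@${BAD_VERSION}"
}

# Scans one extensions directory. VS Code unpacks each extension into a folder
# named <publisher>.<name>-<version>, optionally followed by -<platform>.
# Prints every affected folder; returns 0 if any was found, 1 otherwise.
scan_ext_dir() {
    dir=$1
    found=1
    [ -d "$dir" ] || return 1
    for entry in "$dir"/*; do
        [ -d "$entry" ] || continue
        name=$(basename "$entry" | tr '[:upper:]' '[:lower:]')
        case $name in
            "${EXT_ID}-${BAD_VERSION}" | "${EXT_ID}-${BAD_VERSION}-"*)
                echo "AFFECTED: $entry"
                found=0
                ;;
        esac
    done
    return "$found"
}

# Checks the usual per-user locations (assumed defaults: desktop, Insiders,
# and remote/SSH server installs), then asks the `code` CLI if it is on PATH.
scan_default_dirs() {
    rc=1
    for d in "$HOME/.vscode/extensions" "$HOME/.vscode-insiders/extensions" \
             "$HOME/.vscode-server/extensions"; do
        if scan_ext_dir "$d"; then rc=0; fi
    done
    if command -v code >/dev/null 2>&1 &&
       code --list-extensions --show-versions 2>/dev/null | listing_has_affected; then
        echo "AFFECTED: ${EXT_ID}@${BAD_VERSION} reported by the code CLI"
        rc=0
    fi
    return "$rc"
}

# Run the scan only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--scan" ]; then scan_default_dirs; fi
```

Run it with `--scan`; exit status 0 means the affected build was found. A clean result only covers the locations scanned, so extensions installed to a custom directory or inside containers need the same check there.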