
Introduction:
The software supply chain, the backbone of modern development, has been shattered yet again. On May 18, 2026, threat actors executed a highly sophisticated and silent supply-chain attack, compromising version 18.95.0 of the Nx Console Visual Studio Code extension. With over 2.2 million installations worldwide, this malicious update exploited developer trust on a massive scale, silently exfiltrating credentials, cloud tokens, and installing persistent backdoors across thousands of machines. This incident, which lasted a mere 11 minutes before detection, serves as a critical wake-up call for the security of open-source tooling and the entire DevSecOps pipeline.
Learning Objectives:
- Analyze the infection chain and advanced techniques of the Nx Console supply-chain attack.
- Identify Indicators of Compromise (IOCs) across Windows, Linux, and macOS development environments.
- Implement detection and incident response procedures to contain and remediate compromised developer workstations.
- Apply hardened best practices for VS Code extension management and CI/CD pipeline security to prevent future supply-chain breaches.
You Should Know:
1. The Anatomy of the 11-Minute Hijack
The attack was a multi-stage masterpiece of stealth and speed, leveraging stolen credentials and GitHub’s own infrastructure. It began when a contributor’s GitHub Personal Access Token (PAT) was stolen during a separate, undisclosed security incident. Using this token, the attacker pushed a “dangling orphan commit” (hash 558b09d7) to the official `nrwl/nx` GitHub repository. This commit had no parent links, making it invisible to standard code reviews and branch listings.
At 12:36 UTC on May 18, the attacker used stolen VS Code Marketplace publishing credentials (VSCE_PAT) to push version 18.95.0 of the `nrwl.angular-console` extension. This version was published directly outside the project’s normal CI/CD pipeline and lacked a corresponding GitHub release. Within seconds of a developer opening any workspace, the compromised extension fetched and executed a 498 KB obfuscated JavaScript payload from that hidden commit. The payload used the Bun JavaScript runtime to execute in the background, bypassing standard process detection.
🔐 Step-by-Step: How to Detect & Respond to the Compromise
Step 1: Verify the Compromised Version (All Platforms)
Check your currently installed version of the Nx Console extension in VS Code or Cursor.
In VS Code: Go to Extensions (Ctrl+Shift+X), search for Nx Console, and check the version.
Using Command Line (Linux/macOS/Windows PowerShell): Scan the extension directories for the malicious version.
```bash
# Linux/macOS: check for the specific malicious commit reference
grep -r "558b09d7" ~/.vscode/extensions/
```

```powershell
# Windows (PowerShell): search inside extension folders
Get-ChildItem -Path "$env:USERPROFILE\.vscode\extensions\" -Recurse -File | Select-String "558b09d7"
```
If found, you are compromised.
Step 2: Terminate Malicious Processes (All Platforms)
The payload launches detached background processes. Immediately locate and kill them.
Linux/macOS: Use `ps aux` and `pkill`.
```bash
# Identify malicious processes
ps aux | grep -E "cat.py|__DAEMONIZED=1"
# Terminate them
pkill -f cat.py
pkill -f "__DAEMONIZED=1"
```
Windows: Use Task Manager (`Ctrl+Shift+Esc`) or PowerShell.
```powershell
Get-Process | Where-Object { $_.ProcessName -like "*python*" -or $_.Path -like "*kitty*" }
Stop-Process -Name "python" -Force   # Be cautious, refine as needed
```
Step 3: Delete Malicious Artifacts
Remove all files dropped by the payload to destroy persistence.
Linux: Delete the Python backdoor script and related temporary data.
```bash
rm -rf ~/.local/share/kitty/cat.py
rm -rf /var/tmp/.gh_update_state
rm -rf /tmp/kitty-
```
macOS: Remove the launch agent and its associated files.
```bash
rm -rf ~/.local/share/kitty/cat.py
rm -rf ~/Library/LaunchAgents/com.user.kitty-monitor.plist
launchctl remove com.user.kitty-monitor.plist
rm -rf /var/tmp/.gh_update_state
rm -rf /tmp/kitty-
```
Windows: Check `%TEMP%` and `%APPDATA%` for any unknown `.py` or `.plist` files, especially those named `kitty` or `cat.py`.
Step 4: Mass Credential Rotation (THE MOST CRITICAL STEP)
Assume all secrets on the compromised machine are leaked. This is a non-negotiable, zero-trust requirement. Immediately rotate the following from a clean, uncompromised machine:
- GitHub: Personal Access Tokens (PATs), SSH keys.
- Cloud Providers: AWS, GCP, Azure keys and secrets.
- Package Managers: npm tokens, PyPI API keys.
- Secret Stores: HashiCorp Vault tokens, 1Password session tokens.
- CI/CD: GitHub Actions secrets, Jenkins API tokens.
- AI Tools: Anthropic Claude Code configurations and API keys.
Step 5: Update to a Clean Version & Harden Extension Management
Immediately update Nx Console to version `18.100.0` or later from the official VS Code Marketplace.
Implement a centralized allowlist for extensions using enterprise policies in VS Code to prevent unauthorized installations.
Use tools like `VSX-Bastion` to install and validate extensions with YAML configurations, adding a layer of security scanning before installation.
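Steps 1 and 3 can be combined into one read-only triage check that reports findings without deleting anything. The script below is an added example, not code from the original post or the Nx project; the editor directory names and the `<id>-<version>` folder layout are assumptions, and it covers only the extension folders and the home-relative artifacts listed above.

```python
import re
from pathlib import Path

EXT_ID = "nrwl.angular-console"   # extension ID named in the article
BAD_VERSION = (18, 95, 0)         # compromised release
FIXED_VERSION = (18, 100, 0)      # version the article says to update to
COMMIT_MARKER = b"558b09d7"       # orphan-commit reference from the article
# Artifact paths from Step 3, relative to the user's home directory.
HOME_ARTIFACTS = [
    ".local/share/kitty/cat.py",
    "Library/LaunchAgents/com.user.kitty-monitor.plist",
]
# Assumption: extensions live in <home>/<editor>/extensions/<id>-<version>[-platform].
EDITOR_DIRS = [".vscode", ".vscode-server", ".cursor"]
DIR_RE = re.compile(re.escape(EXT_ID) + r"-(\d+)\.(\d+)\.(\d+)(?:-.*)?$", re.I)


def classify(version):
    """Compare integer tuples: as strings, '18.100.0' sorts before '18.95.0'."""
    if version == BAD_VERSION:
        return "compromised-version"
    if version < FIXED_VERSION:
        return "below-fixed-version"
    return None


def scan_home(home):
    """Return a sorted list of (finding, path) tuples for one home directory."""
    home = Path(home)
    findings = []
    for editor in EDITOR_DIRS:
        ext_root = home / editor / "extensions"
        if not ext_root.is_dir():
            continue
        for ext_dir in ext_root.iterdir():
            m = DIR_RE.match(ext_dir.name)
            if not m or not ext_dir.is_dir():
                continue
            verdict = classify(tuple(int(g) for g in m.groups()))
            if verdict:
                findings.append((verdict, str(ext_dir)))
            # Same check as the grep in Step 1, limited to this extension.
            for f in ext_dir.rglob("*"):
                if f.is_file() and COMMIT_MARKER in f.read_bytes():
                    findings.append(("commit-marker", str(f)))
    for rel in HOME_ARTIFACTS:
        if (home / rel).exists():
            findings.append(("dropped-artifact", str(home / rel)))
    return sorted(findings)
```

Run it as `scan_home(Path.home())`; any `compromised-version`, `commit-marker` or `dropped-artifact` finding means the credential rotation in Step 4 applies.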
2. The Advanced Tooling and Persistent Threats
This attack was not merely a credential harvester; it was a forward-deployed persistent threat arsenal. The payload demonstrated unparalleled sophistication for a VS Code extension breach. It actively targeted GitHub Actions runner memory, scraping live session data to escalate privileges. On Linux, it probed for passwordless sudo access and injected malicious `sudoers` rules to establish lasting root-level control. The payload also included fully functional Sigstore attestation logic, which could steal npm OIDC tokens to forge valid SLSA provenance attestations, allowing the attacker to publish downstream malicious npm packages that would pass standard signature verification checks.
🛡️ Step-by-Step: Advanced Hardening & Infrastructure Defense
Step 1: Audit for Sigstore-Forged Packages
The attacker’s ultimate goal is supply-chain poisoning. You must audit your internal and external dependencies.
```bash
# For npm, check a package's provenance signatures
npm audit signatures
# Verify a specific package's attestation against your own trusted keys
npm attestation verify <package-name> --registry=https://registry.npmjs.org
```
If an internal package has a valid Sigstore attestation from a time period after the attack but you do not have a record of a legitimate build, treat it as compromised.
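The rule above amounts to reconciling registry publish times against your own build records, because a forged attestation still verifies. The following is an added example, not code from the original post: the package name, versions, timestamps and ledger are constructed, the packument field layout is assumed, and the window start is assumed to be the extension's publication time given earlier.

```python
from datetime import datetime, timezone

# Assumption: the audit window opens when the malicious extension was
# published (12:36 UTC on May 18, 2026, per the article).
WINDOW_START = datetime(2026, 5, 18, 12, 36, tzinfo=timezone.utc)

# Constructed registry metadata for a hypothetical internal package.
SAMPLE_PACKUMENT = {
    "name": "@example/internal-lib",
    "time": {
        "created": "2025-01-10T09:00:00.000Z",
        "modified": "2026-05-19T03:12:44.000Z",
        "2.3.0": "2026-05-02T10:15:00.000Z",
        "2.3.1": "2026-05-18T14:02:10.000Z",
        "2.3.2": "2026-05-19T03:12:44.000Z",
    },
    "versions": {
        "2.3.0": {"dist": {"attestations": {"url": "constructed"}}},
        "2.3.1": {"dist": {"attestations": {"url": "constructed"}}},
        "2.3.2": {"dist": {"attestations": {"url": "constructed"}}},
    },
}
# Constructed CI ledger: versions your own pipeline recorded building.
SAMPLE_LEDGER = {"2.3.0", "2.3.1"}


def unexplained_publishes(packument, ledger, since=WINDOW_START):
    """Return [(version, published_at, attested)] for publishes at or after
    `since` that the build ledger cannot account for."""
    hits = []
    for version, stamp in packument["time"].items():
        if version in ("created", "modified"):
            continue  # bookkeeping keys, not versions
        published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if published < since or version in ledger:
            continue
        dist = packument["versions"].get(version, {}).get("dist", {})
        # attested=True marks a publish that would still pass verification.
        hits.append((version, published, "attestations" in dist))
    return sorted(hits, key=lambda h: h[1])
```

With the sample data, only `2.3.2` is returned: it is attested, falls inside the window, and has no build record.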
Step 2: Implement Mandatory Pre-Publish Security Checks for Internal Extensions
Treat your internal VS Code extensions with the same rigor as external dependencies.
- Enforce Pre-Publish Scans: Integrate automated scanning tools into your CI/CD to de-obfuscate and statically analyze extension code for patterns of data exfiltration, `child_process` execution, or hidden network calls.
- Require Code Signing: Mandate GPG or similar code signing for all internal extension releases and verify signatures before installation.
- Adopt Two-Person Approval: The Nx team has already hardened their pipeline to require admin approval for any release. Implement a similar “two-man rule” or multi-factor approval for all publishing workflows using tools like `vsce` with GitHub Environments.
Step 3: Deploy Real-Time Extension Anomaly Detection
Proactive detection of malicious extensions is critical.
Windows (PowerShell): Use the `Get-WinEvent` cmdlet to monitor for suspicious processes launched from VS Code extension directories.
```powershell
# Monitor for new process creation events (Event ID 4688)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object { $_.Message -like "*.vscode\extensions*" }
```
Linux/macOS: Use `auditd` (Linux) or `log stream` (macOS) to watch for `child_process` executions originating from the `~/.vscode/extensions/` path.
```bash
# Linux (requires auditd)
auditctl -w ~/.vscode/extensions/ -p x -k vscode_ext_exec
ausearch -k vscode_ext_exec
```
Use Community Tools: Leverage community-driven detection tools like `glassworm-detect` (bash) to automatically scan for known malicious extension versions and their IOCs.
3. The AI-Enabled Threat Vector
The Nx Console breach also exposed the rising threat of AI-assisted development. The payload specifically targeted secrets from Anthropic Claude Code configurations, a tool used by developers to delegate coding tasks to an AI agent. This demonstrates a new frontier: by compromising a developer’s AI assistant settings, an attacker can inject malicious logic directly into the code generated by the AI, creating a self-propagating cycle of compromised “smart” code. Furthermore, attackers could use AI-driven recommendations to social engineer developers into installing a malicious extension with a convincing name, making the initial infection vector even more frictionless.
Step-by-Step: Securing Your AI-Powered Development Pipeline
- Isolate AI Tools: Run AI coding assistants and their associated credentials in dedicated, less-privileged environments or containers.
- Treat AI Recommendations as Unverified Input: Never automatically execute code or install extensions suggested by an AI. Always verify through trusted channels and code reviews.
- Rotate AI API Keys Regularly: Apply the same credential hygiene to AI platform keys as you would to any other cloud secret.
What Undercode Say:
- Key Takeaway 1: The software supply chain is now the primary vector for mass compromise. Attacks are shifting from targeting application dependencies to directly compromising the developer’s most trusted tools: their code editors and IDEs.
- Key Takeaway 2: Static defense is obsolete. The speed of this attack (a mere 11-minute window) and its use of invisible infrastructure (orphan commits) means that detection must be automated, real-time, and behavioral, not just signature-based. The “blast radius” of a single compromised developer machine now includes your entire cloud infrastructure and every project they’ve ever touched.
Prediction:
The Nx Console supply-chain attack signals the beginning of a new era of “IDE-native” malware. Future attacks will not merely steal credentials but will leverage the extensive permissions of VS Code and similar editors to actively rewrite source code in real-time, implanting logic bombs that propagate undetected through CI/CD pipelines. We will see a rise in “compiler worms” and “AI-supply-chain parasites” that use AI agent configurations as a covert command-and-control channel. The only robust defense will be a paradigm shift toward zero-trust for the entire developer toolchain, where every extension, every AI suggestion, and every line of code is continuously validated for integrity.
Reported By: Varshu25 Popular – Hackers Feeds


