
Malicious Nx Console Extension Targets VS Code Users: Credential Theft Alert

Asked 2026-05-19 12:40:14 Category: Software Tools

Overview

Cybersecurity researchers have uncovered a dangerous version of the popular Nx Console extension on the Microsoft Visual Studio Code (VS Code) Marketplace. The compromised release, designated as version 18.95.0 and identified by the package ID rwl.angular-console, was found to contain hidden credential-stealing code. This incident puts over 2.2 million users of the extension at risk, as the malicious extension was available for download to developers using VS Code, Cursor, and JetBrains IDEs.

Source: feeds.feedburner.com

Details of the Compromise

The official Nx Console extension is a widely adopted toolkit that provides a graphical interface for managing Nx workspaces, streamlining tasks such as building, testing, and code generation. However, the rogue version 18.95.0 deviated sharply from its legitimate purpose. According to the researchers who flagged the issue, the extension was tampered with to include a credential stealer designed to harvest sensitive data from affected systems.

The malicious code operated by injecting a background script that intercepted authentication tokens, stored passwords, and other confidential information from the developer's environment. This data was then exfiltrated to a remote server controlled by the attackers. The exact method of compromise remains under investigation, but it is suspected that the attacker either gained access to the publisher's account or manipulated the update pipeline for the extension.

Notably, the extension had been previously published under a different publisher name (rwl.angular-console), which may have confused users seeking the official Nx Console from Nrwl. The official extension is published by Nrwl and is well-known, but the malicious copy capitalized on a similar naming convention to trick developers.

Impact on Developers and Organizations

Developers using the compromised extension in their VS Code, Cursor, or JetBrains environments could have inadvertently exposed their credentials to attackers. This includes access keys for cloud services, API tokens, and even personal access tokens stored in configuration files or environment variables. For organizations, this could lead to a breach of internal tools, source code repositories, or continuous integration pipelines—posing a severe security threat.

The wide installation base (2.2 million) amplifies the potential damage. Even if only a fraction of those installations were on machines containing high-value credentials, the impact could be catastrophic. The attackers could use the stolen credentials to pivot to other systems, deploy ransomware, or steal intellectual property.

Response and Remediation

Upon discovery, the researchers immediately reported the malicious extension to Microsoft. The VS Code Marketplace team removed version 18.95.0 from distribution. However, users who had already installed the compromised version need to take action. If you installed Nx Console around the time version 18.95.0 was available, proceed with the following steps:

  • Remove the extension immediately: Go to the Extensions panel, locate rwl.angular-console or any suspicious entry, and uninstall it.
  • Rotate all credentials: Change passwords, API tokens, and access keys that might have been exposed on the affected machine.
  • Run a security scan: Use antivirus or endpoint detection tools to check for any residual malware.
  • Monitor for unusual activity: Look for unauthorized access attempts or data exfiltration from your accounts and services.
  • Reinstall the official extension: After cleaning, install the legitimate Nx Console from Nrwl (publisher ID: nrwl) from the VS Code Marketplace to continue your work safely.

Microsoft also recommends enabling automatic security scanning for extensions and reporting suspicious ones via the marketplace reporting channel.


How to Avoid Similar Threats

This incident serves as a stark reminder to always verify the publisher of an extension before installation. Check the publisher name, review the number of installations, and read recent user feedback. Additionally, consider these best practices:

  1. Use only official sources: Stick to well-known publishers and extensions with a long history of updates.
  2. Keep extensions updated, but monitor for unexpected updates that introduce new permissions or behavior.
  3. Limit extension permissions: Refuse extensions that request overly broad access to your files or network.
  4. Regularly audit installed extensions: Remove any that are no longer needed or appear suspicious.
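
An added example, not part of the original article or of any Nx or Microsoft tooling: a shell function that checks the output of `code --list-extensions --show-versions` for the package ID and version named above, and for any `angular-console` entry whose publisher is not `nrwl`. It covers the first remediation step and the audit practice in item 4; the extension list in the block is constructed, and the lookalike rule is an assumption about what counts as suspicious.

```shell
#!/usr/bin/env bash
# Audit a list of installed extensions, one "publisher.name@version" per line,
# as printed by: code --list-extensions --show-versions
# Identifiers come from the article; the sample list at the bottom is constructed.

BAD_ID="rwl.angular-console"   # package ID named in the article
BAD_VERSION="18.95.0"          # compromised release named in the article
OFFICIAL_PUBLISHER="nrwl"      # publisher ID the article gives for the official extension
EXT_NAME="angular-console"     # name part of the extension ID

# Reads the list on stdin, prints one finding per line, returns 1 if anything was flagged.
audit_extensions() {
  awk -v bad_id="$BAD_ID" -v bad_ver="$BAD_VERSION" \
      -v pub="$OFFICIAL_PUBLISHER" -v name="$EXT_NAME" '
    {
      line = tolower($0)            # extension IDs are compared case-insensitively
      sub(/\r$/, "", line)          # tolerate CRLF output captured on Windows
      at = index(line, "@")
      if (at == 0) { id = line; ver = "" }
      else { id = substr(line, 1, at - 1); ver = substr(line, at + 1) }
      dot = index(id, ".")
      if (dot == 0) next            # not a publisher.name entry
      p = substr(id, 1, dot - 1)
      n = substr(id, dot + 1)
      if (id == bad_id && ver == bad_ver) { print "COMPROMISED " line; hits++ }
      else if (id == bad_id)              { print "FLAGGED-ID " line; hits++ }
      else if (n == name && p != pub)     { print "LOOKALIKE " line; hits++ }
    }
    END { exit (hits > 0 ? 1 : 0) }
  '
}

# Constructed sample list. On a real machine, replace the printf with:
#   code --list-extensions --show-versions | audit_extensions
SAMPLE='ms-python.python@2024.2.1
rwl.angular-console@18.95.0
nrwl.angular-console@18.94.0
esbenp.prettier-vscode@10.4.0'

printf '%s\n' "$SAMPLE" | audit_extensions || echo "Flagged entries found: uninstall them and rotate credentials."
```

A non-zero return status makes the function usable as a gate in a workstation compliance script or a CI job that builds developer images.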

For more information on securing your development environment, refer to our guide on how to verify extension authenticity and the official VS Code security documentation.

Conclusion

The discovery of the compromised Nx Console extension underscores the evolving threats in the software supply chain. While the immediate danger has been mitigated by removing the malicious version, developers must remain vigilant. By taking proactive steps—such as rotating credentials and adopting stricter extension policies—you can protect your projects and personal data from similar attacks in the future. Stay updated on the latest security advisories from the VS Code Marketplace and the Nx community.