Nx Console VS Code Extension Compromise

Executive Summary

On May 18, 2026, a highly critical supply chain attack targeted the Nx Console VS Code extension, leading to a major security breach that resulted in the exfiltration of approximately 3,800 internal GitHub repositories GitHub Security Advisory. The threat actor group TeamPCP (also tracked as UNC6780) leveraged a GitHub CLI OAuth token stolen seven days earlier (via the TanStack supply-chain compromise) from an Nx contributor StepSecurity. By exploiting this developer’s push credentials, the attackers bypassed registry guardrails to publish a malicious version of the extension (v18.95.0) to the Visual Studio Marketplace and the Open VSX registry Nx Advisory. The extension remained active for 18 minutes on the VS Code Marketplace and 36 minutes on Open VSX. When installed and loaded inside a workspace, the extension executed an obfuscated Python backdoor (cat.py) that harvested developer credentials and established persistent access, compromising developer machines globally—including a critical endpoint owned by a GitHub employee Infosecurity Magazine.

Key Facts

threat_type: compromised developer tool, credential theft, token exfiltration, poisoned release
ecosystem: vs-code-extension-marketplace, open-vsx
registry: Visual Studio Marketplace, Open VSX
affected_packages:
  - "Nx Console"
malicious_versions:
  - "18.95.0"
fixed_versions:
  - "18.100.0"
  - "18.100.5"
safe_versions:
  - "v18.100.0 and later"
exposure_window: 2026-05-18T12:30:00Z to 2026-05-18T13:09:00Z (39 minutes total; 18 minutes on VS Code Marketplace)
execution_trigger: Workspace load-time execution (extension activation)
primary_impact: Exfiltration of high-value developer credentials (GitHub tokens, SSH keys, AWS secrets) and mass repository code theft
known_iocs:
  - "cat.py"
  - "com.user.kitty-monitor.plist"
  - "sfrclak[.]com"
confidence: high
canonical_source: https://nx.dev

Source Confidence & Evidence Mapping

• confirmed: Compromise of Nx Console extension v18.95.0 via a hijacked contributor credentials vector, active for a limited time on public registries. Nx Advisory
• confirmed: Exfiltration of approximately 3,800 internal repositories from GitHub’s internal environment following the compromise of an employee’s development endpoint. GitHub Security Advisory
• likely: Direct link to the TanStack @tanstack/zod-adapter compromise on May 11, 2026, which provided the attacker with the initial gh CLI OAuth token of the Nx developer. StepSecurity Analysis
• unclear: The absolute count of non-GitHub development organizations whose workstations auto-updated to the poisoned extension during the active exposure window.

Timeline

• 2026-05-11T19:26:00Z Nx contributor’s development workstation is infected with the Mini Shai-Hulud worm via a poisoned @tanstack/* dependency update. Source: StepSecurity
• 2026-05-11T19:40:00Z Mini Shai-Hulud malware harvests the contributor’s GitHub CLI OAuth token and exfiltrates it to C2. Source: StepSecurity
• 2026-05-18T12:30:00Z Attackers use the stolen OAuth token to log in and publish backdoored Nx Console v18.95.0 to the VS Code Marketplace and Open VSX. Source: Nx Advisory
• 2026-05-18T12:45:00Z Nx team receives immediate reports of anomalies and verifies the unauthorized release. Source: Nx Advisory
• 2026-05-18T12:48:00Z VS Code Marketplace removes the malicious v18.95.0 release (18-minute exposure). Source: Nx Advisory
• 2026-05-18T13:09:00Z Open VSX registry removes the malicious v18.95.0 release (39-minute exposure). Source: Nx Advisory
• 2026-05-18T13:15:00Z Nx team publishes clean, hardened updates (v18.100.0) and triggers forced downstream updates. Source: Nx Advisory
• 2026-05-18T15:00:00Z Official security advisory is published under tracking ID GHSA-c9j4-9m59-847w. Source: GHSA Database
• 2026-05-19T09:00:00Z GitHub confirms internal source code repository exfiltration stemming from an employee’s compromised endpoint. Source: GitHub Security Advisory

What Happened

On May 18, 2026, the TeamPCP threat group executed a direct attack against developer workstations by poisoning the popular Nx Console VS Code extension Ox Security. Utilizing a GitHub CLI OAuth token harvested during the earlier TanStack incident, the attackers gained administrative push permissions to the extension’s publishing account StepSecurity. They published version v18.95.0, which contained an obfuscated payload loader embedded inside a dangling release commit Nx Advisory. Despite being revoked from marketplaces within 18 to 36 minutes, the poisoned extension was pulled by auto-updating VS Code instances, including one belonging to a GitHub engineer Infosecurity Magazine. The backdoor instantly activated, harvested active session tokens, and allowed the threat group to steal approximately 3,800 internal GitHub repository codebases GitHub Security Advisory.

Technical Analysis

Initial Access

Initial access was gained using the stolen GitHub CLI (gh) OAuth token of a legitimate Nx contributor. This token had been exfiltrated seven days prior on May 11, 2026, when the contributor installed a poisoned @tanstack/* package. The threat actor used this persistent session to authenticated to the Visual Studio Marketplace and Open VSX, uploading the malicious extension package.

Package or Artifact Manipulation

The attackers packaged and published a rogue extension tarball (.vsix) containing a malicious Python script (cat.py) hidden in the assets. They altered the extension’s entry file to ensure that as soon as the VS Code IDE activated the extension (which occurs automatically upon opening a workspace folder containing an Nx project), the payload was triggered.

Execution Trigger

The malware executed at IDE activation time. VS Code extensions have a lifecycle hook (activate()) defined in their main script. The poisoned version 18.95.0 spawned a background shell process to execute the hidden Python script (cat.py) without displaying any indicators or terminal windows to the user.

Payload Behavior

Once executed, the Python backdoor (cat.py) initiated a multi-stage compromise:

• Credential Theft: It scraped developer configurations, harvesting SSH keys, AWS access profiles, HashiCorp Vault tokens, 1Password CLI session logs, and .git-credentials entries.
• Persistence: It planted an persistent LaunchAgent on macOS (~/Library/LaunchAgents/com.user.kitty-monitor.plist) that regularly monitored and executed the ~/.local/share/kitty/cat.py script.
• Process Evasion: It ran as a daemonized Python process, utilizing the environment variable __DAEMONIZED=1 to masquerade as system maintenance scripting.
• Worm Detection / Dead Man’s Switch: The backdoor monitored the validity of the compromised host’s primary tokens. If a token revocation was detected (suggesting discovery by security teams), the script was capable of executing a target-wipe command.

Exfiltration / C2

domains:
  - "sfrclak[.]com"
ips: []
urls:
  - "hxxps://sfrclak[.]com/api/v1/beacon"
protocols:
  - "https"
endpoints:
  - "/api/v1/beacon"
  - "/payloads/"
confidence: high

The backdoor established a beaconing connection to sfrclak[.]com over HTTPS, exfiltrating the harvested credentials. During the GitHub employee compromise, the attackers leveraged these exfiltrated credentials to access internal servers and clone thousands of proprietary repositories.

Propagation

The malware did not contain lateral network propagation scripts, instead relying on the collected authentication tokens to manually pivot to downstream SaaS systems (such as GitHub, npm, and AWS registries) to continue publishing malicious packages or harvesting code.

Obfuscation or Evasion

The payload file cat.py was lightly obfuscated using variable renaming and base64-encoded command execution. Evasion was primarily achieved by masquerading as terminal/shell configurations associated with the “Kitty” terminal emulator, exploiting common path exceptions like ~/.local/share/kitty/.

Affected Assets and Blast Radius

affected_assets:
  ecosystems:
    - "vs-code-extension-marketplace"
    - "open-vsx"
  packages:
    - "Nx Console"
  versions:
    - "18.95.0"
  repositories:
    - "github.com/nrwl/nx-console"
  container_images: []
  CI_CD_systems: []
  developer_tools:
    - "VS Code IDE"
  environments:
    - developer workstations
    - corporate endpoints

credentials_at_risk:
  - GitHub tokens
  - SSH keys
  - AWS/GCP secrets
  - Vault configurations
  - 1Password master keys

not_currently_known_to_affect:
  - CI runners and build pipelines (unless they run interactive VS Code sessions).

Indicators of Compromise

domains:
  - value: sfrclak[.]com
    source: https://nx.dev
    confidence: high
ips: []
urls:
  - value: hxxps://sfrclak[.]com/api/v1/beacon
    source: https://nx.dev
    confidence: high
hashes: []
files:
  - value: ~/.local/share/kitty/cat.py
    source: https://nx.dev
    confidence: high
  - value: ~/Library/LaunchAgents/com.user.kitty-monitor.plist
    source: https://nx.dev
    confidence: high
  - value: /var/tmp/.gh_update_state
    source: https://nx.dev
    confidence: high
package_versions:
  - value: Nx Console v18.95.0
    source: https://nx.dev
    confidence: high

Detection and Hunting

hunt_queries:
  dependency_lockfiles: []
  files:
    - "~/.local/share/kitty/cat.py"
    - "~/Library/LaunchAgents/com.user.kitty-monitor.plist"
    - "/var/tmp/.gh_update_state"
  network:
    - "sfrclak[.]com"
  ci_cd_checks: []
  endpoint_checks:
    - "Identify Python processes running with the environment variable __DAEMONIZED=1."
    - "Scan ~/.vscode/extensions for the presence of the nrwl.angular-console-18.95.0 directory."

Remediation Workflow

• Immediate: Isolate the development endpoint. Do not immediately revoke GitHub tokens or cloud credentials from the command line while the machine is connected, as this may trigger the payload’s dead man’s switch.
• Short-term: Terminate the rogue daemonized Python processes running cat.py. Manually delete the persistent files: ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, and /var/tmp/.gh_update_state. Uninstall the 18.95.0 version of the extension from VS Code.
• Long-term: Once the system is verified clean, perform a comprehensive rotation of all credentials that were present on the host, including all GitHub PATs, SSH keys, cloud provider secrets, and password manager master keys.

Defensive Lessons

• prevent: Require multi-administrator approval and multi-factor authentication (MFA) for VS Code extension registry updates. Disable automatic updates for critical developer IDE extensions in corporate or high-security environments.
• detect: Monitor developer workstations for anomalous outbound network connections from IDE processes (such as code or code-helper) to unclassified domains.
• respond: Prepare automated endpoints isolation playbooks that allow security responders to immediately quarantine developer workstations without triggering local scripting.

Open Questions

• Were any other major enterprise environments compromised via the auto-update mechanism of the Nx Console extension besides GitHub?
• What specific internal codebase assets were exfiltrated from GitHub’s internal systems during the breach?

Sources

1. Nx Official Incident Postmortem. Role: DIRECT_SOURCE Impact: Detailed timing, exposure window, compromised contributor information, and cleanup instructions.
2. GHSA-c9j4-9m59-847w Advisory Record. Role: DIRECT_SOURCE Impact: Vulnerability details and affected extension version mapping.
3. StepSecurity Nx Console Compromise Analysis. Role: PRIMARY_RESEARCH Impact: Analysis of the connection between the TanStack and Nx incidents and token theft.
4. Ox Security Threat Report on VS Code Supply Chains. Role: PRIMARY_RESEARCH Impact: Technical details on IDE extension vector manipulation and credential theft scripting.
5. Infosecurity Magazine Incident Report. Role: SECONDARY_ANALYSIS Impact: Documentation of the downstream GitHub repository exfiltration breach.