Compromised Nx Console Extension Targets 2.2M VS Code Developers with Credential Stealer
A compromised version of the popular Nx Console extension for Visual Studio Code has been discovered stealing developer credentials, affecting more than 2.2 million installations in what security researchers are calling a significant supply chain attack on the developer community.
According to The Hacker News, cybersecurity researchers have identified version 18.95.0 of the rwl.angular.console package as containing malicious code designed to harvest sensitive credentials from affected developers' systems. The extension, which serves as a user interface and plugin for code editors including VS Code, Cursor, and JetBrains IDEs, had accumulated substantial trust within the development community before the compromise was detected.
The attack is a concerning example of supply chain infiltration targeting software development tooling. By compromising a widely used extension, attackers gained potential access to developer environments where sensitive credentials, API keys, and authentication tokens are routinely stored and used.
Technical Impact and Risks
The credential-stealing payload embedded in the malicious version poses particular risks to development teams and organizations. Developer workstations often contain elevated access privileges, including CI/CD pipeline credentials, cloud provider API keys, and repository access tokens. Compromise of these credentials could enable attackers to infiltrate build systems, deploy malicious code, or access production environments.
Security implications extend beyond individual developers to entire organizations. A single compromised developer workstation could provide attackers with a foothold into corporate networks and development infrastructure, potentially enabling lateral movement and broader system compromise.
Supply Chain Attack Mechanics
This incident highlights the persistent vulnerability of software supply chains, particularly in open-source and extension ecosystems. Attackers increasingly target popular development tools because they offer direct access to valuable credentials and provide a trusted vector for malware distribution.
The compromise of rwl.angular.console version 18.95.0 suggests attackers may have gained access to the legitimate publishing pipeline or successfully impersonated the package maintainers. The extension's substantial installation base—exceeding 2.2 million downloads—made it an attractive target for credential harvesting operations.
Community Response and Mitigation
The malicious version has reportedly been removed from the VS Code Marketplace, though the exact timeline of publication and removal remains unclear. Developers who installed version 18.95.0 of the Nx Console extension are advised to immediately rotate any credentials that may have been exposed and scan their systems for indicators of compromise.
Organizations should consider implementing extension allowlisting policies and monitoring development environments for unauthorized or suspicious extensions. Regular auditing of installed extensions and their versions can help detect similar compromises before significant damage occurs.
Limitations and Ongoing Investigation
Specific technical indicators of compromise, including package hashes, exact publisher identification details, and precise publication and removal timestamps, have not been made publicly available in the initial reporting. This limitation complicates detection and response efforts for security teams seeking to identify affected systems.
The exact publisher ID of the compromised package versus the legitimate Nx Console publisher remains unconfirmed, as does the method by which attackers gained the ability to publish the malicious version. These details are critical for understanding the full scope of the compromise and preventing similar incidents.
Broader Implications for Developer Security
This incident underscores the importance of supply chain security in development tooling. As developers increasingly rely on third-party extensions and packages to enhance productivity, the attack surface for credential theft and system compromise expands accordingly.
Security teams should prioritize extension inventory management, implement version pinning where possible, and maintain awareness of security advisories affecting development tooling. The developer community must balance convenience and functionality with security considerations when selecting and updating extensions.
The compromise of a tool with over 2.2 million installations highlights the risks facing the development ecosystem from supply chain attacks. Vigilance, rapid response, and comprehensive credential management remain essential defenses against these threats.
