Nx Console v18.95.0 Postmortem


Postmortem: Nx Console v18.95.0 supply-chain compromise | Nx Blog


Jack Hsu

May 21, 2026

Postmortem: Nx Console v18.95.0 supply-chain compromise

Status: All clear ✅.

- The malicious version of Nx Console (v18.95.0) is no longer available from any marketplace.
- The current published version, v18.100.5, and all versions since v18.100.0, are safe.
- Anyone who installed v18.95.0 during the exposure window (2026-05-18, 12:30-13:09 UTC) should treat their machine as compromised and rotate credentials.
- The compromise originated from a single contributor's developer machine, which resolved one malicious package (@tanstack/zod-adapter@1.166.15) during a routine pnpm install seven days earlier, as part of the broader TanStack @tanstack/* supply-chain compromise of 2026-05-11.
- The Nx CLI (the nx npm package), all official @nx/* plugins, and Nx Cloud were not affected. The compromise was scoped entirely to the Nx Console VS Code extension.
- GitHub Security Advisory: GHSA-c9j4-9m59-847w
- Tracking issue: nrwl/nx-console#3139

TL;DR

On 2026-05-18 between 12:30 and 13:09 UTC, an attacker published a malicious Nx Console v18.95.0 to the Visual Studio Marketplace and the Open VSX registry. The Visual Studio Marketplace package was live for roughly 11 minutes before we took it down, the Open VSX one for approximately 36 minutes. The attacker published the malicious version as a legitimate Nx core contributor: a credential-stealing payload that arrived through the TanStack supply-chain compromise had silently exfiltrated that contributor's GitHub CLI OAuth token seven days earlier. Between the credential theft on May 11 and the marketplace publish on May 18, the attacker was active in our GitHub repos for seven days without detection.

Visual Studio Marketplace reports 28 installs of v18.95.0. Open VSX reports 41 downloads from 21 unique client IPs. Our own internal analytics indicate that the number of affected users may be significantly higher, and we are working with Microsoft to reconcile the figures. Out of caution, anyone who had Nx Console with auto-update enabled during the exposure window should assume compromise.

The publish-pipeline gap that allowed this to happen is fixed, and we have extended the same hardening to our other publish-capable repos.

Impact

Versions affected

| Package | Affected version | Patched version |
|---|---|---|
| Nx Console (VS Code extension) | 18.95.0 exactly | 18.100.0 |

No earlier or later versions are affected.

Install numbers

| Source | Number |
|---|---|
| Visual Studio Marketplace install count (Microsoft telemetry) | 28 |
| Open VSX downloads in the 36-minute window | 41 (across 21 unique IPs) |
| Nx internal extension-activation count from v18.95.0 | ~6,000 (activations, not installs) |

The discrepancy between the marketplace install numbers and our internal activation counts is the subject of ongoing reconciliation with Microsoft. Our telemetry counts extension activations (a single install can activate many times), while Microsoft counts installs, so our figure is expected to be larger.
It is also possible that the marketplace install count does not include updates, but we are not sure of that at this point.

If you had Nx Console installed in VS Code with auto-update enabled at any point during the exposure window (2026-05-18 12:30-13:09 UTC), treat your machine as potentially compromised regardless of which number is accurate.

What the malware does

The payload in v18.95.0 ran on extension activation in VS Code (or any compatible fork). It:

- Wrote persistence artifacts to disk:
  - macOS: ~/Library/LaunchAgents/com.user.kitty-monitor.plist (LaunchAgent for reboot persistence), ~/.local/share/kitty/cat.py (Python harvester), /var/tmp/.gh_update_state and /tmp/kitty-* (state and staging)
  - Linux: attempted modification of /etc/sudoers for privilege persistence
  - Windows: we have no evidence of persisted artifacts targeting Windows.

- Harvested credentials from common locations:
  - Vault: ~/.vault-token, /etc/vault/token, Kubernetes service-account tokens, AWS IAM auth tokens
  - npm: .npmrc tokens, OIDC token exchange
  - AWS: IMDS / ECS metadata service, Secrets Manager, SSM Parameter Store, Web Identity tokens
  - GitHub: ghp_/gho_/ghs_ tokens from ~/.config/gh/hosts.yml, ~/.git-credentials, environment variables, and process memory
  - 1Password: contents of the op CLI session if one was active at execution time
  - Filesystem: SSH private keys, .env files, GCP application-default credentials, Docker config

- Exfiltrated the harvested data via HTTPS to attacker infrastructure, via the GitHub API, and over DNS-based covert channels.

If you installed v18.95.0, treat anything reachable from your machine as exposed. Rotate every credential that was either on disk or could have been minted by op, gcloud, aws sts, or gh during the exposure window.

Timeline

All times UTC.

Pre-incident: How we lost the credential

| Time | Event |
|---|---|
| 2026-05-11 19:20-19:26 | An attacker publishes 84 malicious versions across 42 @tanstack/* npm packages by combining a pull_request_target "Pwn Request", GitHub Actions cache poisoning, and OIDC token extraction. Full details in the TanStack postmortem. |
| 2026-05-11 20:43:01 | An Nx contributor runs pnpm... |
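As an added example (this is not code from the Nx post or the Nx Console project), the following POSIX shell script turns the "What the malware does" section above into a host check: it looks for the exact persistence and staging paths the post names for v18.95.0, surfaces the /etc/sudoers modification time for comparison with the exposure window, and inventories the on-disk credential files the post says to rotate. The file locations for items the post names only generically (.npmrc, the gh hosts.yml, gcloud application-default credentials, Docker config, SSH keys under ~/.ssh/id_*) are the tools' standard defaults and are this example's assumption, as are the function names and the --run flag. It does not look for .env files, in-memory tokens or the DNS channel, and a clean result does not override the post's advice to treat an exposed machine as compromised.

```sh
#!/bin/sh
# Added example, not code from the Nx postmortem. Checks a macOS/Linux host
# for the on-disk indicators the post lists for Nx Console v18.95.0 and
# inventories the credential files it says to rotate. Absence of every
# indicator is not proof of a clean machine; the post's advice stands.

# check_iocs HOME ROOT
#   HOME: home directory to inspect (defaults to $HOME)
#   ROOT: prefix for system paths; "" for the real root, a scratch
#         directory when exercising the script against a constructed tree
#   Prints each indicator found; exit status 0 if any, 1 if none.
check_iocs() {
  home="${1:-$HOME}"
  root="${2:-}"
  found=0
  # Exact paths named in the postmortem (macOS persistence and state)
  for p in "$home/Library/LaunchAgents/com.user.kitty-monitor.plist" \
           "$home/.local/share/kitty/cat.py" \
           "$root/var/tmp/.gh_update_state"; do
    if [ -e "$p" ]; then
      echo "IOC present: $p"
      found=1
    fi
  done
  # Staging files: the post gives only the /tmp/kitty-* pattern
  for p in "$root"/tmp/kitty-*; do
    if [ -e "$p" ]; then
      echo "IOC present: $p"
      found=1
    fi
  done
  # Linux: the post reports an attempted sudoers modification. The file is
  # not an indicator by itself, so only surface its mtime for comparison
  # with the exposure window (2026-05-18 12:30-13:09 UTC).
  if [ -f "$root/etc/sudoers" ]; then
    echo "review /etc/sudoers mtime: $(ls -ld "$root/etc/sudoers")"
  fi
  [ "$found" -eq 1 ]
}

# list_credential_files HOME ROOT
#   Prints "rotate: <path>" for each credential file that exists, then the
#   count on the last line. Locations beyond the ones the post spells out
#   (.npmrc, gh hosts.yml, gcloud ADC, Docker config, SSH keys) are the
#   tools' standard defaults and are this example's assumption.
list_credential_files() {
  home="${1:-$HOME}"
  root="${2:-}"
  n=0
  for p in "$home/.vault-token" "$root/etc/vault/token" \
           "$home/.npmrc" \
           "$home/.config/gh/hosts.yml" "$home/.git-credentials" \
           "$home/.config/gcloud/application_default_credentials.json" \
           "$home/.docker/config.json" \
           "$home"/.ssh/id_*; do
    case "$p" in *.pub) continue ;; esac   # public halves need no rotation
    if [ -f "$p" ]; then
      echo "rotate: $p"
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Usage: sh nx-console-ioc-check.sh --run
if [ "${1:-}" = "--run" ]; then
  if check_iocs "$HOME" ""; then
    echo "indicators found: treat this host as compromised"
  fi
  list_credential_files "$HOME" ""
fi
```

Run it as the user who had VS Code open, not as root, since the LaunchAgent and the harvester live under that user's home; the ROOT argument exists so the same functions can be pointed at a mounted image or a constructed directory tree without touching the live system.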

