Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer
Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer — Ravie LakshmananMay 19, 2026Supply Chain Attack / Developer Security [h
What’s new: A compromised version of the Nx Console extension (version 18.95.0) for Visual Studio Code has been identified, which targets developers by executing a credential-stealing payload upon opening any workspace. The malicious extension was available on the VS Code Marketplace for a brief period on May 18, 2026, and has over 2.2 million installations. The attack exploits a developer’s compromised GitHub credentials to introduce the malware, which can harvest secrets from various services and install a backdoor on macOS systems.
Who’s affected
Developers using the Nx Console extension version 18.95.0 installed between May 18, 2026, at 2:36 p.m. CEST and 2:47 p.m. CEST are at risk. Affected users may have had their credentials compromised, and the extension has been downloaded over 2.2 million times.
What to do
- Update to Nx Console version 18.100.0 or later immediately.
- Check for the presence of files such as ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /var/tmp/.gh_update_state, or /tmp/kitty-*.
- Look for running processes related to the malware, including a Python process running cat.py and any process with __DAEMONIZED=1 in its environment.
- Terminate any identified malicious processes, delete associated files, and rotate all credentials, including tokens, secrets, and SSH keys.
