# Credential-Stealing Supply-Chain Attack Hits Popular VS Code Extension *Tuesday, May 19, 2026 at 8:04 AM UTC — Hamer Intelligence Services Desk* **Published**: 2026-05-19T08:04:34.565Z (4h ago) **Category**: cyber | **Region**: Global **Importance**: 8/10 **Sources**: OSINT **Permalink**: https://hamerintel.com/data/articles/4527.md **Source**: https://hamerintel.com/summaries --- **Deck**: On 19 May, security researchers reported that version 18.95.0 of the Nx Console VS Code extension, with over 2.2 million installs, had been compromised to run a credential-stealing payload. By around 07:51 UTC, users were urged to update to version 18.100.0 and rotate exposed secrets. ## Key Takeaways - Version 18.95.0 of the widely used Nx Console VS Code extension was compromised to execute a credential-stealing payload. - The extension has more than 2.2 million installs, making this a high-impact supply-chain incident. - Security guidance as of 07:51 UTC on 19 May 2026 advises users to update to version 18.100.0 and rotate any reachable credentials. - Stolen data could include API keys, tokens, and other secrets accessible from affected developer environments. - The incident underscores the growing security risks in software development toolchains and ecosystems. On 19 May 2026, around 07:51 UTC, cybersecurity reports emerged detailing a serious compromise of the Nx Console extension for Visual Studio Code, a popular tool in the JavaScript and TypeScript development ecosystem. Version 18.95.0 of the extension was found to contain a malicious payload designed to steal credentials when users opened workspaces, effectively turning a trusted development tool into a vector for supply-chain intrusion. Nx Console is widely used by developers working with monorepos and modern web frameworks, and the extension has accumulated more than 2.2 million installations. The compromised version thus represents a potentially large attack surface spanning individual developers, startups, and large enterprises. According to the initial analysis, the malicious code executed automatically in the context of the developer’s environment, with the potential to harvest environment variables, authentication tokens, and other sensitive data present in open projects. The incident fits a broader pattern of attacks targeting the software development lifecycle, where adversaries inject malicious code into widely used packages, plugins, or tools. Such supply-chain attacks are attractive because they provide scalable access to multiple organizations and systems while leveraging existing trust relationships. In this case, compromising a VS Code extension allowed the attackers to bypass perimeter defenses and operate directly within integrated development environments. Key actors include the Nx Console maintainers, the Visual Studio Code marketplace operators, affected organizations’ security teams, and the unidentified attackers behind the credential-stealing payload. Incident responders and threat intelligence analysts are now working to reverse-engineer the malicious version, determine the full scope of collected data, and understand how the compromise was introduced—whether through stolen maintainer credentials, insider threat, or tampering in a supporting dependency. The compromise has significant implications. Stolen credentials from development environments can be used to access code repositories, cloud infrastructures, CI/CD pipelines, and production systems. This creates opportunities for further supply-chain attacks, data theft, ransomware deployment, or disruptive operations. Because developer environments often contain privileged tokens and keys, the potential downstream impact can be disproportionate to the initial compromise. As of the morning of 19 May, guidance recommends that all users immediately update Nx Console to version 18.100.0, which is believed to be clean, and rotate any secrets that may have been accessible to the affected environment—particularly cloud provider keys, Git access tokens, and credentials stored in environment variables or configuration files. Organizations are also advised to audit logs for suspicious authentication attempts and repository access patterns originating after the installation of version 18.95.0. ## Outlook & Way Forward In the short term, the priority for organizations is triage and containment: identifying machines that installed the compromised version, updating or removing the extension, and rotating all potentially exposed credentials. Security teams should deploy detection rules for known indicators of compromise linked to the malicious payload and monitor for unusual behavior in cloud and code-hosting platforms. Communication with developers is essential to ensure rapid action and to prevent further spread. Over the medium term, this incident will likely accelerate efforts to harden software supply chains and development environments. Measures may include stricter verification of marketplace extensions, adoption of signed and reproducible builds, and implementation of zero-trust principles inside developer tooling. Organizations may also move toward centrally managed extension policies, limiting which tools can be installed on corporate systems and enforcing integrity checks. From an intelligence and strategic perspective, analysts will be watching to see whether this compromise can be linked to known threat groups, particularly those with histories of targeting software supply chains. Confirmation of state-linked involvement would elevate the incident from a criminal operation to a geopolitical concern, prompting regulatory scrutiny and possibly new standards for securing developer ecosystems. Regardless of attribution, the event reinforces the need for continuous monitoring and risk assessment of even seemingly benign components in the modern software stack.