At 12:36 UTC on Monday, an attacker pushed a malicious build of Nx Console, a Visual Studio Code extension with more than 2.2 million installs, to the Microsoft marketplace. At 12:47 UTC, the Nx team pulled it. In the 11 minutes in between, every editor running auto-updates fetched the new version, and every workspace a developer opened triggered a 498-kilobyte payload that quietly went looking for the keys to that developer’s working life: GitHub tokens, npm credentials, AWS keys, HashiCorp Vault secrets, Kubernetes config, 1Password vault material, and, for the first time in a publicly documented supply-chain incident, the settings file used by Anthropic’s Claude Code.
The compromised version is Nx Console 18.95.0, published under the marketplace identifier nrwl.angular-console. The clean version that users are now asked to install is 18.100.0. The official advisory, published on GitHub as GHSA-c9j4-9m59-847w, confirms the timeline and the root cause: a contributor’s personal GitHub credentials were stolen in a separate supply-chain incident, and the attacker used them to push a single orphan commit into the nrwl/nx repository and then publish to the marketplace using the project’s stored VSCE_PAT credential.
The 11-minute window matters less than it sounds like it should. VS Code installs extension updates in the background; a developer who opened the editor anywhere in that 11-minute slice, with auto-update on, received the trojaned build without prompting. From the moment the editor opened a workspace, the malicious main.js fetched its second-stage payload, 498 kilobytes of obfuscated JavaScript, from a dangling orphan commit hidden inside the legitimate nrwl/nx repository, and began enumerating the developer’s machine.
What the dropper looked for
StepSecurity’s reverse-engineering of the payload, corroborated by independent analysis at The Hacker News and Cybersecurity News, lists a long and unusually specific target set. It walked the standard locations first: shell histories, .npmrc, .aws/credentials, .ssh, the macOS Keychain, and the IMDS and ECS metadata endpoints that cloud workloads use to bootstrap their own credentials. It scraped process memory through /proc/*/mem on Linux. It looked for HashiCorp Vault tokens and 1Password local vault files. None of that is novel; credential-stealer kits have done all of that for years.
What is novel is the line, called out by both StepSecurity and Anthropic-adjacent researchers, that targets ~/.claude/settings.json, the configuration file used by Anthropic’s Claude Code coding assistant. That file is where many developers store the API keys they use to authorize Claude Code sessions, alongside MCP server tokens and project-scoped configuration. Treating it as a worthwhile target is a signal that the attacker, or the kit author the attacker bought from, has updated their mental model of what lives on a developer’s laptop. Claude Code keys join GitHub tokens and AWS credentials on the list of things worth stealing.
Exfiltration ran over three independent channels: HTTPS POST, the GitHub API, and DNS tunneling. The redundancy is not subtle. If one outbound path is blocked by a corporate proxy, another may still make it out. On macOS, the payload installed a small Python backdoor that polls the public GitHub Search API as a dead drop, retrieving instructions encoded in search-result metadata and verifying them with a 4,096-bit RSA signature before executing. That is a longer game than smash-and-grab; somebody wanted persistence.
This compromise occurred due to a recent supply chain attack that scraped one of our contributor’s GitHub token. — Nx maintainers, official advisory GHSA-c9j4-9m59-847w, May 18, 2026
How a single token unlocked a marketplace publish
The chain of trust that broke here is worth naming, because it is the chain of trust most open-source projects sit inside. The attacker did not breach Microsoft’s marketplace, and they did not breach the Nx organization’s GitHub account. They compromised one contributor’s laptop in a separate, earlier incident (Nx has not named the upstream attack, but the maintainers have confirmed the credentials were stolen there) and used the resulting personal access token to push to the nrwl/nx repository. From there, the project’s own publishing pipeline, which any one trusted contributor could trigger without a second sign-off, took the new build and shipped it under the project’s VSCE_PAT to the VS Code Marketplace.
Nx’s post-incident hardening, announced alongside the advisory, requires two administrators to approve any future Nx Console release. That is the obvious fix and the right one, but the broader pattern is worth flagging: nearly every popular editor extension, npm package, and language-package-manager artifact in the world is one trusted contributor’s laptop away from publishing whatever the attacker wants. The 2024 xz-utils backdoor, the 2025 nx ransomware incident, the April 2026 Checkmarx KICS Docker compromise, the May 11 cross-registry worm that GitGuardian and Expel called Mini Shai Hulud all share the same shape. Steal a maintainer credential, push a build, wait for the install count to climb. The targets get more lucrative, and the dwell time between push and detection gets shorter, but the model does not change.
Who was actually hit
This is the part the public reporting cannot yet answer with precision. The Visual Studio Code Marketplace does not publish per-version download counts at hourly resolution, and the Nx team has not released an estimate of how many of its 2.2 million installed editors fetched 18.95.0 in the 11-minute window. A reasonable order-of-magnitude bound is the share of users with auto-update enabled, which is the default, multiplied by the share who opened a VS Code workspace between 12:36 and the moment the editor next polled the marketplace. That number is meaningful, but it is not in the public record yet, and any reporter who gives you a precise figure for "developers infected" is reading tea leaves.
What is in the record is the remediation list, and it is long. Anybody who ran VS Code with Nx Console installed and auto-update enabled during the window should treat their developer credentials as compromised: rotate GitHub personal access tokens, npm tokens, AWS access keys, HashiCorp Vault tokens, 1Password recovery keys, SSH keys touched on that machine, and, the new entry, Anthropic API keys and any MCP server tokens stored in ~/.claude/settings.json. Several of those rotations are unpleasant. A few of them, particularly Vault tokens used as the trust anchor for further automation, may take weeks to fully unwind.
The Claude Code line is the one to watch
It would be easy to read the ~/.claude/settings.json line as a footnote, and most coverage has. It is not a footnote. The economics of credential theft are driven by what the stolen credentials let the attacker buy. A GitHub token lets the attacker push code. An AWS access key lets them spin up compute. An Anthropic API key lets them spend somebody else’s budget on model inference, and, just as importantly, gives them an AI coding assistant tethered to the victim’s identity, with whatever workspace context the victim had built up.
The second-order risk there is not just bill-stuffing. An attacker who has stolen a developer’s Claude Code session can ask that assistant to read the developer’s private repositories, summarize the developer’s recent prompts and likely projects, and, if MCP servers are wired to internal systems, query whatever those servers expose. As more developers attach AI coding assistants to their working environments, those configuration files become a single point of pivot from "machine compromise" to "context compromise." That category, as far as Moxley can find, has not appeared as an explicit target in a public supply-chain payload before this week. It will not be the last.
What this story is not
It is not yet a mass-compromise event. There is no public victim list, no named threat actor taking credit, no CISA advisory or Known Exploited Vulnerabilities entry attached to this specific incident at the time of writing. The 11-minute window genuinely is short by supply-chain-attack standards, and the Nx team’s detection-to-takedown speed deserves the credit it is being given. What it is, instead, is a clean illustration of two things at once: a publishing pipeline that one stolen laptop could ride from contributor commit to marketplace push, and a credential-stealer kit that has been updated to know what an AI coding assistant looks like on disk. Both of those facts are going to outlast this incident.