CRITICAL ⚡ MUST-KNOW

Compromised Nx Console 18.95.0 Delivers Credential Stealer to 2.2M VS Code Users

· supply-chain · npm · credential-theft · appsec · devsecops

A malicious version of the Nx Console extension (nrwl.angular-console v18.95.0) was published to the VS Code Marketplace, targeting developers using VS Code, Cursor, and JetBrains. The extension has more than 2.2 million installations, making the blast radius substantial. Version 18.95.0 contained a credential stealer designed to harvest secrets accessible from the developer’s environment. Developers who installed or auto-updated to version 18.95.0 should remove it immediately, audit for exfiltrated credentials, and rotate any API keys, tokens, or secrets stored in the affected environment. The incident follows a pattern of supply chain attacks targeting developer tooling distributed via extension marketplaces.
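To check a workstation for the affected version, the following added example (not code from the Nx project or from this post) looks for install folders of the extension at version 18.95.0 and can also check the output of `code --list-extensions --show-versions`. Assumptions: the extension ID defaults to `nrwl.angular-console` and can be overridden with `EXT_ID`, the listed per-user extension directories are common defaults that may differ on your system, and JetBrains plugin directories are not covered.

```shell
#!/bin/sh
# Added example: locate installs of one extension at one known-bad version.
EXT_ID="${EXT_ID:-nrwl.angular-console}"   # assumed Marketplace ID of Nx Console
BAD_VERSION="${BAD_VERSION:-18.95.0}"      # version named in the post

# find_bad_installs DIR...: print each install folder of EXT_ID at BAD_VERSION.
# Extension folders are named <publisher>.<name>-<version>[-<platform>].
find_bad_installs() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        for dir in "$root"/*; do
            [ -d "$dir" ] || continue
            name=$(basename "$dir" | tr '[:upper:]' '[:lower:]')
            case "$name" in
                "$EXT_ID-$BAD_VERSION"|"$EXT_ID-$BAD_VERSION"-*)
                    printf '%s\n' "$dir" ;;
            esac
        done
    done
}

# check_listing: read `code --list-extensions --show-versions` output on stdin
# (one id@version per line); succeed only if the bad version is listed.
check_listing() {
    tr '[:upper:]' '[:lower:]' | grep -qxF "$EXT_ID@$BAD_VERSION"
}

# audit: scan the assumed default extension directories of VS Code,
# VS Code Server, Cursor and VSCodium for the current user.
audit() {
    hits=$(find_bad_installs "$HOME/.vscode/extensions" \
        "$HOME/.vscode-server/extensions" "$HOME/.cursor/extensions" \
        "$HOME/.vscode-oss/extensions")
    if [ -z "$hits" ]; then
        echo "no $EXT_ID $BAD_VERSION install found in the scanned directories"
        return 0
    fi
    printf 'AFFECTED install(s), remove and rotate secrets:\n%s\n' "$hits"
    return 1
}

# Run the scan only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then audit; fi
```

A clean result only means the folder is absent now; a machine that auto-updated to 18.95.0 and later moved to another version still needs its credentials rotated.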