Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer

ID: 493d10b3-f461-58b1-a9c8-817de7198851

STIX ID: report--493d10b3-f461-58b1-a9c8-817de7198851

Feed Name: The Hacker News

Threat Score: 90/100

Date Published: 2026-05-19

Date Updated: 2026-05-19

Author: [email protected] (The Hacker News)

Cybersecurity researchers identified a compromised Nx Console VS Code extension (rwl.angular-console v18.95.0) that silently fetched and executed an obfuscated payload from an orphan commit in the upstream repository, spawning a multi-stage credential stealer and supply-chain poisoning toolkit. The malware harvested a wide range of developer secrets (1Password, Claude/Anthropic configurations, npm/GitHub/AWS tokens), installed a macOS Python backdoor that uses the GitHub Search API as a dead-drop, and included Sigstore integration enabling issuance of provenance-signed malicious npm packages. The maintainers recommended updating to v18.100.0+, terminating suspicious processes, removing on-disk artifacts, and rotating all reachable credentials; the report also lists explicit IoCs (files, processes, and timestamps) and details numerous related malicious npm packages and campaigns.