If you build software with VS Code, a trusted extension just became a risk you’ll want to understand and act on today.
What happened
A compromised version of the Nx Console extension (18.95.0) was published to the Visual Studio Code Marketplace. The extension reportedly carried a credential-stealing payload intended to harvest CI/CD credentials from developers using it in their workflows. This is a reminder that supply-chain risk can come from trusted tools and that even popular extensions can be misused to reach sensitive systems.
Why it matters
This affects regular users, small teams, creators, and IT professionals alike:
- Developers: credentials used in CI/CD pipelines can grant access to code repositories, build systems, and cloud resources. A single compromised extension can expose broad access.
- Small businesses: a single compromised tool can ripple across multiple projects and teams, increasing risk quickly.
- Creators: trust in extension ecosystems matters; supply-chain compromises can undermine community confidence.
- IT-minded readers: this highlights the ongoing need for software-supply-chain hygiene and credential management best practices.
Practical steps you can take
- Check your installed Nx Console version. If you’re on 18.95.0, restart VS Code and consider removing and reinstalling the extension from the official Marketplace.
- Reinstall Nx Console from the official VS Code Marketplace and monitor for unusual behavior or new permissions.
- Rotate credentials used in CI/CD pipelines (GitHub Actions, GitLab CI, Azure Pipelines, etc.). Regenerate tokens and update secrets in your environments.
- Review recent CI/CD activity for suspicious runs or new secrets being used unexpectedly.
- Limit extension permissions where possible and keep an eye on vendor advisories and platform security notices.
- Consider adopting SBOM and basic supply-chain security tooling to gain visibility into your dependencies and extensions.
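One way to carry out the version check in the first step above, as an added example rather than code from this article or the Nx project. The extension ID `nrwl.angular-console` is an assumption not stated in the article (confirm it in your own listing), and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: flag one known-bad extension version in VS Code inventories.
# ASSUMPTION: this Marketplace ID is not stated in the article; confirm it in
# your own `code --list-extensions` output. Override via the environment.
EXT_ID="${EXT_ID:-nrwl.angular-console}"
BAD_VERSION="${BAD_VERSION:-18.95.0}"   # version named in the article

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_LISTING='example.some-linter@1.2.3
nrwl.angular-console@18.95.0
example.some-theme@0.4.0'

# stdin: "publisher.name@version" lines. Prints lines matching EXT_ID at
# BAD_VERSION (IDs compared case-insensitively); returns 0 if any matched.
flag_listing() {
  awk -v id="$EXT_ID" -v bad="$BAD_VERSION" '
    { sub(/\r$/, ""); n = index($0, "@"); if (n == 0) next
      name = tolower(substr($0, 1, n - 1)); ver = substr($0, n + 1)
      if (name == tolower(id) && ver == bad) { print; hit = 1 } }
    END { exit(hit ? 0 : 1) }'
}

# stdin: extension folder names (publisher.name-version[-platform]), e.g. from
# `ls ~/.vscode/extensions`. Covers extension directories the local CLI does
# not report on, such as ~/.vscode-server on remote hosts.
flag_folders() {
  awk -v id="$EXT_ID" -v bad="$BAD_VERSION" '
    { low = tolower($0); p = tolower(id) "-" bad
      if (low == p || index(low, p "-") == 1) { print; hit = 1 } }
    END { exit(hit ? 0 : 1) }'
}

# `sh check.sh scan` inspects this machine; with no argument the functions
# are only defined, so the file can be sourced.
if [ "${1:-}" = "scan" ]; then
  for cli in code code-insiders codium; do
    command -v "$cli" >/dev/null 2>&1 || continue
    "$cli" --list-extensions --show-versions | flag_listing \
      && echo "FLAGGED: reported by $cli"
  done
  for d in "$HOME/.vscode/extensions" "$HOME/.vscode-server/extensions"; do
    [ -d "$d" ] || continue
    ls "$d" | flag_folders && echo "FLAGGED: folder under $d"
  done
  exit 0
fi
```

Any FLAGGED line means the credential rotation and CI/CD review steps in the list apply to that machine.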
Final thought
Stay vigilant and follow official advisories. Small, proactive steps—like vetting extensions and rotating credentials—can prevent bigger problems down the line.