The security community has raised the alarm after detecting a malicious version of the popular Nx Console plugin for VS Code. Version 18.95.0 contained code designed to steal developer credentials, taking advantage of the trust placed in productivity tools. This incident underscores the need to verify the authenticity of every add-on and to keep development environment defenses up to date.
How the supply chain attack operates 🔐
The malicious add-on posed as a legitimate update, but in the background it ran scripts that extracted access tokens and API keys stored on the system. By exploiting developer trust, the attackers managed to infiltrate the software supply chain. To mitigate this risk, it is recommended to install extensions only from official sources, review the permissions they request, and employ integrity monitoring tools in the IDE.
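As an added illustration of the IDE integrity monitoring recommended above (example code, not part of the original article or of the Nx project), the following script baselines a VS Code extensions folder and reports extensions that appeared, disappeared, changed version, or changed on disk without any version change. The publisher and extension names and the temporary folder are constructed for the demo.

```python
# Added example, not code from the original article: a baseline-and-diff
# integrity check over a VS Code extensions folder (constructed paths/names).
import hashlib
import json
import tempfile
from pathlib import Path

def extension_inventory(ext_root: Path) -> dict:
    """Key each extension by publisher.name from its package.json and record its
    version plus a SHA-256 over every shipped file (path and content)."""
    inventory = {}
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        manifest = json.loads((ext_dir / "package.json").read_text())
        h = hashlib.sha256()
        for f in sorted(p for p in ext_dir.rglob("*") if p.is_file()):
            h.update(str(f.relative_to(ext_dir)).encode())
            h.update(f.read_bytes())
        key = f"{manifest['publisher']}.{manifest['name']}"
        inventory[key] = {"version": manifest["version"], "digest": h.hexdigest()}
    return inventory

def diff_inventory(baseline: dict, current: dict) -> list:
    """Findings: added, removed, version-bumped (confirm the update really came
    from the marketplace) or changed on disk with no version change (tampering)."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        if key not in baseline:
            findings.append(f"NEW {key} {current[key]['version']}")
        elif key not in current:
            findings.append(f"REMOVED {key}")
        elif baseline[key]["version"] != current[key]["version"]:
            findings.append(f"UPDATED {key} {baseline[key]['version']} -> {current[key]['version']}")
        elif baseline[key]["digest"] != current[key]["digest"]:
            findings.append(f"TAMPERED {key} {current[key]['version']}")
    return findings

def demo() -> list:
    """Constructed scenario: one extension silently gains a file, the other is version-bumped."""
    root = Path(tempfile.mkdtemp())
    for pub, name, ver in (("acme", "linter", "1.0.0"), ("acme", "console", "18.94.0")):
        d = root / f"{pub}.{name}-{ver}"
        d.mkdir()
        (d / "package.json").write_text(json.dumps({"publisher": pub, "name": name, "version": ver}))
        (d / "extension.js").write_text("// placeholder entry point\n")
    baseline = extension_inventory(root)
    (root / "acme.linter-1.0.0" / "helper.js").write_text("// file that appeared after install\n")
    (root / "acme.console-18.94.0" / "package.json").write_text(
        json.dumps({"publisher": "acme", "name": "console", "version": "18.95.0"}))
    return diff_inventory(baseline, extension_inventory(root))
```

Run the baseline once after a clean install, store it outside the developer's home directory, and re-run the diff on a schedule; any UPDATED line should be matched against the marketplace changelog before the new version is trusted.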
The plugin that wanted to be more productive than you ☕
It turns out the plugin not only helped you compile faster, but also offered to manage your passwords for you. How thoughtful. In the end, the only extension you need is an antivirus with a sense of humor, because between fake updates and friendly code, developers are one click away from giving away our digital keys. Good thing coffee is still safe.