Hackers Abuse Entra ID to Exfiltrate Microsoft Accounts Azure
On May 18, 2026, a compromised version of the
The incident marks the second supply chain attack against the Nx ecosystem in under a year, raising serious concerns about the security of open-source developer tooling relied upon by millions worldwide.
Version 18.95.0 of the extension, identified as nrwl.angular-console, was pushed to the marketplace with malicious code hidden inside its bundled main.js file.
With over 2.2 million installations across the globe, the extension is a daily staple in many professional development environments.
Within seconds of a developer opening any workspace, the compromised extension silently fetched and ran a 498 KB obfuscated payload pulled from a hidden orphan commit buried deep inside the official nrwl/nx GitHub repository.
Researchers at StepSecurity identified the full attack and, in a report shared with Cyber Security News, gave a detailed breakdown of its complex, multi-stage infection chain.
The payload is described as a sophisticated credential stealer that reaches far beyond simple file theft, targeting GitHub tokens, npm credentials, AWS secrets, HashiCorp Vault tokens, Kubernetes configurations, and even 1Password vault items that were accessible through the command line.
The malicious version remained live for just eleven minutes before the Nx team detected the rogue publish and removed it from the marketplace at 12:47 UTC.
Despite that short window, the threat actor had built the payload for speed: it daemonized itself in the background and ran multiple credential collectors simultaneously to maximize the volume of secrets harvested before anyone could intervene.
What makes this attack especially alarming is its use of Sigstore attestation logic, which could give the attacker the ability to publish downstream npm packages carrying valid, cryptographically signed provenance.
This means packages touched by the attacker could pass standard signature verification checks, potentially spreading the damage well beyond the developer machines that were directly exposed during the eleven-minute compromise window.
Hackers Abuse Microsoft Entra ID Accounts
The attack started when a contributor’s GitHub personal access token was stolen during a separate, earlier supply chain incident.
Using that stolen token, the attacker pushed an orphan commit, referenced as 558b09d7, to the nrwl/nx repository at 03:18 UTC.

This commit had no parent commits and was completely unreachable from any branch, making it invisible to anyone who did not already know the exact SHA.
The orphan commit replaced the entire Nx monorepo with just two files: a package.json and a heavily obfuscated index.js payload.
At 12:36 UTC, the attacker then used stolen VS Code Marketplace publishing credentials to release the poisoned extension, which was configured to silently fetch and execute that hidden payload the moment a developer opened any workspace, all without showing any visible sign of unusual activity.
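How a commit like this stays hidden, as an added example that is not code from StepSecurity or the Nx project: the script parses raw commit objects in the format `git cat-file -p <sha>` prints and classifies every commit that no ref reaches, separating a true orphan (a root commit with no `parent` header) from a merely dangling commit left behind by a history rewrite. The sample object store is constructed; the orphan commit and tree SHAs are the ones from the IoC table, while the short ids, ref name and author line are placeholders. The audit only sees objects in the local object store: a mirror clone fetches ref-reachable objects only, so an orphan pushed to a hosted remote surfaces in that host's push or audit logs, not in a fresh clone.

```python
from collections import deque


def parse_commit_object(text: str) -> list:
    """Return the parent SHAs of a raw commit object (the `git cat-file -p <sha>` format).

    Headers are 'key value' lines up to the first blank line; a commit with no
    'parent' header is a root commit, which is exactly what an orphan commit is.
    """
    parents = []
    for line in text.splitlines():
        if line == "":
            break  # first blank line ends the headers; the message follows
        key, _, value = line.partition(" ")
        if key == "parent":
            parents.append(value)
    return parents


def classify_unreachable(parents: dict, ref_heads: dict) -> dict:
    """Map each commit no ref reaches to 'orphan' (no parents) or 'dangling'.

    parents: sha -> list of parent shas for every commit object in the store.
    ref_heads: ref name -> sha it points at.
    """
    reachable = set()
    queue = deque(ref_heads.values())
    while queue:
        sha = queue.popleft()
        if sha in reachable or sha not in parents:
            continue
        reachable.add(sha)
        queue.extend(parents[sha])
    return {
        sha: ("orphan" if not ps else "dangling")
        for sha, ps in parents.items()
        if sha not in reachable
    }


# Constructed sample object store. The orphan commit and its tree carry the SHAs
# from the IoC table; the short ids and the author line are placeholders.
SAMPLE_OBJECTS = {
    "aaaa0001": (
        "tree 1111aaaa\n"
        "author Dev <dev@example.com> 1779200000 +0000\n"
        "committer Dev <dev@example.com> 1779200000 +0000\n"
        "\n"
        "feat: initial commit\n"
    ),
    "aaaa0002": (
        "tree 2222aaaa\n"
        "parent aaaa0001\n"
        "author Dev <dev@example.com> 1779200100 +0000\n"
        "committer Dev <dev@example.com> 1779200100 +0000\n"
        "\n"
        "feat: add feature\n"
    ),
    # left behind by a force-push: has a parent, but no ref points at it
    "bbbb0003": (
        "tree 3333bbbb\n"
        "parent aaaa0002\n"
        "author Dev <dev@example.com> 1779200200 +0000\n"
        "committer Dev <dev@example.com> 1779200200 +0000\n"
        "\n"
        "wip: abandoned\n"
    ),
    # the orphan: a root commit whose tree holds only package.json and index.js
    "558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2": (
        "tree ba642fe2c7c65e42dd7f6444b83023dc6827e08c\n"
        "author Dev <dev@example.com> 1779200300 +0000\n"
        "committer Dev <dev@example.com> 1779200300 +0000\n"
        "\n"
        "chore: update\n"
    ),
}
SAMPLE_REFS = {"refs/heads/main": "aaaa0002"}


def audit(objects: dict = SAMPLE_OBJECTS, refs: dict = SAMPLE_REFS) -> dict:
    """Parse every commit object, then report the ones no ref reaches."""
    parents = {sha: parse_commit_object(raw) for sha, raw in objects.items()}
    return classify_unreachable(parents, refs)


if __name__ == "__main__":
    for sha, kind in audit().items():
        print(f"{kind:8} {sha}")
```

To run this against a real repository you control, list candidate objects with `git fsck --unreachable --no-reflogs` and dump each commit with `git cat-file -p <sha>`; the reachable root commit in the sample (`aaaa0001`) is deliberately not flagged, since a root commit is only suspicious when nothing points at it.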
Credential Theft and Persistent Backdoor
The payload ran six specialized collector classes simultaneously, each built to harvest a different category of secrets.
On Linux systems, it also probed for passwordless sudo access, and if successful, injected a sudoers rule to establish persistent root-level access on the affected host.
On macOS, the payload installed a Python-based backdoor at ~/.local/share/kitty/cat.py, registered as a LaunchAgent to run automatically every hour.
This backdoor used the GitHub Search API as a covert command-and-control channel, polling for attacker-signed instructions every sixty minutes, an approach that blends in naturally with normal developer traffic and is unlikely to trigger alerts from corporate firewalls or endpoint detection tools.
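One way to surface this traffic in egress logs, as an added example rather than anything from the report: given proxy records of outbound requests, the script flags (client, URL) pairs that recur at an hourly cadence, and separately matches the exact dead-drop query listed in the IoC table. The log lines are constructed for the example and their format (`timestamp client method url`) is an assumption; seeing the query string at all requires a proxy that logs full URLs.

```python
from collections import defaultdict
from datetime import datetime

# Dead-drop endpoint from the IoC table (matched as a substring of the logged URL).
C2_QUERY = "api.github.com/search/commits?q=firedalazer"

# Constructed proxy log: "<iso-timestamp> <client> <method> <url>".
# 10.0.0.15 polls the dead-drop once an hour; 10.0.0.22 hits it a single time.
SAMPLE_LOG = """\
2026-05-18T13:47:02Z 10.0.0.15 GET https://api.github.com/search/commits?q=firedalazer
2026-05-18T13:52:10Z 10.0.0.15 GET https://api.github.com/repos/nrwl/nx/pulls
2026-05-18T14:47:03Z 10.0.0.15 GET https://api.github.com/search/commits?q=firedalazer
2026-05-18T15:47:01Z 10.0.0.15 GET https://api.github.com/search/commits?q=firedalazer
2026-05-18T16:47:04Z 10.0.0.15 GET https://api.github.com/search/commits?q=firedalazer
2026-05-18T14:03:00Z 10.0.0.22 GET https://api.github.com/search/commits?q=firedalazer
2026-05-18T14:10:00Z 10.0.0.22 GET https://api.github.com/search/issues?q=bug
"""


def parse_log(text: str) -> list:
    """Turn log lines into (timestamp, client, url) tuples; the method is dropped."""
    rows = []
    for line in text.splitlines():
        ts, client, _method, url = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, url))
    return rows


def detect_beacons(rows: list, period: float = 3600, tolerance: float = 60, min_hits: int = 3) -> dict:
    """Return {(client, url): request count} for series that recur every ~period seconds.

    A series qualifies when it has at least min_hits requests and at least
    min_hits - 1 consecutive gaps within +/- tolerance of the period.
    """
    series = defaultdict(list)
    for ts, client, url in rows:
        series[(client, url)].append(ts)
    hits = {}
    for key, times in series.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = [g for g in gaps if abs(g - period) <= tolerance]
        if len(times) >= min_hits and len(periodic) >= min_hits - 1:
            hits[key] = len(times)
    return hits


def match_known_c2(rows: list) -> list:
    """Exact-indicator match: clients that requested the dead-drop query at all."""
    return sorted({client for _, client, url in rows if C2_QUERY in url})


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("known C2 query seen from:", match_known_c2(rows))
    for (client, url), n in detect_beacons(rows).items():
        print(f"hourly beacon: {client} -> {url} ({n} requests)")
```

The periodicity check is the more durable of the two: the query string is trivially changed by an attacker, whereas a process that polls the same URL at a fixed cadence stands out against the bursty request pattern of a human using a developer tool.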
Anyone who had Nx Console installed with auto-update enabled and opened a workspace between 12:36 and 12:47 UTC on May 18 should treat their machine as fully compromised.
StepSecurity recommends updating immediately to version 18.100.0 or later, removing all persistence artifacts, killing orphaned background processes, and rotating every credential reachable from the affected machine, including GitHub tokens, npm tokens, SSH keys, AWS credentials, and any secrets that were held in process memory at the time of compromise.
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| SHA-256 Hash | 1a4afce34918bdc74ae3f31edaffffaa0ee074d83618f53edfd88137927340b8 | Malicious VSIX file (v18.95.0) |
| SHA-256 Hash | b0cefb66b953e5184b6adb3035e9e267335ac5eabfe1848e07834777b9397b74 | Malicious main.js inside the VSIX |
| SHA-256 Hash | e7347d90653efc565f03733a95e9209d78f9cfa81e31ff2b2dd9d48d75a4b8b1 | Obfuscated payload index.js from orphan commit |
| SHA-256 Hash | 43f2b001846c4966073ebffa5be8f15e491a1e7d32bbd805d57406ff540e0dd9 | Dropper package.json from orphan commit |
| SHA-256 Hash | 228a2cf081d4cbea9b91cde14a8f9c4a4d003e7f32431496953fd6bac266f5a3 | Clean VSIX (v18.94.0) for reference comparison |
| SHA-256 Hash | cb86f4f223daa54467c7782a0d8607e9c84e2bb633e6f0e51d9a19579e200990 | Remediated VSIX (v18.100.0) |
| Git SHA | 558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2 | Malicious orphan commit in nrwl/nx |
| Git SHA | ba642fe2c7c65e42dd7f6444b83023dc6827e08c | Commit tree of orphan commit |
| Git SHA | acfc3f957a63b4cde93ff645f2b6bf26a8ed1bbf | index.js blob SHA |
| Git SHA | 9d88f040c44b5f4d5f9db15ff89310776c168e99 | package.json blob SHA |
| URL | api.github.com/search/commits?q=firedalazer | Python C2 backdoor dead-drop polling endpoint |
| IP Address | 169.254.169.254 | AWS IMDS endpoint queried for credential theft |
| IP Address | 169.254.170.2 | ECS container metadata endpoint targeted |
| IP Address | 127.0.0.1:8200 | HashiCorp Vault local endpoint targeted |
| Domain | fulcio.sigstore.dev | Used for Sigstore attestation forgery |
| Domain | rekor.sigstore.dev | Used for Sigstore transparency log entries |
| Domain | bun.sh/install | Bun runtime installation for payload execution |
| File Path | ~/.local/share/kitty/cat.py | Python C2 backdoor dropped on macOS/Linux |
| File Path | ~/Library/LaunchAgents/com.user.kitty-monitor.plist | macOS LaunchAgent for hourly persistence |
| File Path | /var/tmp/.gh_update_state | C2 anti-replay state file |
| File Path | /tmp/kitty-* | Temporary staging directories used by payload |
| Extension Version | nrwl.angular-console@18.95.0 | Compromised VS Code extension version |
| Environment Variable | __DAEMONIZED=1 | Set on daemonized malicious background process |
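A host check built from the table above, as an added example (not code from StepSecurity or the Nx project): it looks for the persistence and staging artifacts at the listed paths, hashes the `main.js`, `index.js` and `package.json` files under the VS Code extensions directory against the listed SHA-256 values, flags an installed copy of the compromised version, and, on Linux, lists processes whose environment carries `__DAEMONIZED=1`. The `home`, `root` and `proc` parameters exist so the check can be pointed at a mounted image or a test tree; the `~/.vscode/extensions/<publisher>.<name>-<version>` layout is assumed from VS Code's default install location.

```python
import hashlib
from pathlib import Path

# SHA-256 indicators from the IoC table above.
BAD_HASHES = {
    "1a4afce34918bdc74ae3f31edaffffaa0ee074d83618f53edfd88137927340b8": "Malicious VSIX (v18.95.0)",
    "b0cefb66b953e5184b6adb3035e9e267335ac5eabfe1848e07834777b9397b74": "Malicious main.js",
    "e7347d90653efc565f03733a95e9209d78f9cfa81e31ff2b2dd9d48d75a4b8b1": "Obfuscated index.js",
    "43f2b001846c4966073ebffa5be8f15e491a1e7d32bbd805d57406ff540e0dd9": "Dropper package.json",
}
# Path indicators, relative to the home directory or the filesystem root.
HOME_ARTIFACTS = (
    ".local/share/kitty/cat.py",                          # Python C2 backdoor
    "Library/LaunchAgents/com.user.kitty-monitor.plist",  # hourly LaunchAgent
)
ROOT_ARTIFACTS = ("var/tmp/.gh_update_state",)           # C2 anti-replay state file
TMP_GLOB = "tmp/kitty-*"                                  # payload staging directories
EXT_DIR = ".vscode/extensions"                            # assumed unpacked-extension location
BAD_EXT_GLOB = "nrwl.angular-console-18.95.0*"            # assumed <publisher>.<name>-<version> layout
HASHED_NAMES = {"main.js", "index.js", "package.json"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_host(home: Path, root: Path = Path("/"), bad_hashes: dict = BAD_HASHES) -> list:
    """Return a list of finding strings; an empty list means no indicator matched."""
    findings = []
    for rel in HOME_ARTIFACTS:
        p = home / rel
        if p.exists():
            findings.append(f"persistence artifact present: {p}")
    for rel in ROOT_ARTIFACTS:
        p = root / rel
        if p.exists():
            findings.append(f"C2 state file present: {p}")
    for p in sorted(root.glob(TMP_GLOB)):
        findings.append(f"staging directory present: {p}")
    ext_dir = home / EXT_DIR
    if ext_dir.is_dir():
        for p in sorted(ext_dir.rglob("*")):
            if p.is_file() and p.name in HASHED_NAMES:
                digest = sha256_file(p)
                if digest in bad_hashes:
                    findings.append(f"{bad_hashes[digest]}: {p} ({digest})")
        for d in sorted(ext_dir.glob(BAD_EXT_GLOB)):
            findings.append(f"compromised extension version installed: {d}")
    return findings


def find_daemonized(proc: Path = Path("/proc")) -> list:
    """Linux only: PIDs whose environment contains __DAEMONIZED=1."""
    hits = []
    for envf in proc.glob("[0-9]*/environ"):
        try:
            env = envf.read_bytes().split(b"\0")
        except OSError:  # process exited, or not our process and no privileges
            continue
        if b"__DAEMONIZED=1" in env:
            hits.append(int(envf.parent.name))
    return sorted(hits)


if __name__ == "__main__":
    for line in scan_host(Path.home()):
        print(line)
    for pid in find_daemonized():
        print(f"daemonized payload process: pid {pid}")
```

A clean result from this script is not proof of a clean host: the credential theft itself leaves no file behind, so the rotation steps above apply to any machine that ran the compromised version regardless of what the scan reports.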
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.