CVE-2026-48027

Nx · Nx Console

A critical supply chain attack involving embedded malicious code in the Nx Console VS Code extension has been identified and is being actively exploited.

Executive summary

A critical supply chain vulnerability in the Nx Console VS Code extension is being exploited in the wild, and developer environments require an immediate update.

Vulnerability

This is a critical supply chain attack (CWE-506) where a malicious version of the Nx Console extension was published to official marketplaces. The extension contains embedded malicious code designed to steal sensitive developer credentials, including GitHub tokens and cloud secrets.

Business impact

With a CVSS score of 9.5, this vulnerability represents an extreme risk to organizational security. Compromised developer credentials can lead to unauthorized access to source code repositories, cloud infrastructure, and internal systems, facilitating large-scale data breaches.

Remediation

Immediate Action: Update the Nx Console VS Code extension to version 18.100.0 or later immediately.

Proactive Monitoring: Rotate all potentially exposed developer credentials, including GitHub tokens, cloud API keys, and other secrets stored on machines that had version 18.95.0 installed.

Compensating Controls: Implement strict endpoint monitoring to detect anomalous outbound connections from developer workstations.
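
One way to triage a workstation against the two versions named above, as an added example that is not vendor code. It assumes the extension's marketplace identifier is `nrwl.angular-console` (verify against your own inventory) and that the input is in the `publisher.name@version` form printed by `code --list-extensions --show-versions`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. EXT_ID is an assumption: verify the Nx Console
# marketplace identifier against your own extension inventory.
EXT_ID="${EXT_ID:-nrwl.angular-console}"
BAD_VERSION="18.95.0"     # version the advisory treats as compromised
FIXED_VERSION="18.100.0"  # minimum version the advisory says to update to

# version_lt A B: true when dotted version A is numerically lower than B.
# A plain string compare would rank 18.95.0 above 18.100.0.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if ((x[i] + 0) < (y[i] + 0)) exit 0
      if ((x[i] + 0) > (y[i] + 0)) exit 1
    }
    exit 1
  }' </dev/null
}

# classify_version VERSION: print the action the advisory attaches to it.
classify_version() {
  if [ "$1" = "$BAD_VERSION" ]; then
    echo "COMPROMISED"   # assume compromise, rotate all secrets on the host
  elif version_lt "$1" "$FIXED_VERSION"; then
    echo "UPDATE"        # older than the fixed release
  else
    echo "OK"
  fi
}

# check_extension_list: read "publisher.name@version" lines on stdin and print
# one verdict per Nx Console entry, or NOT_INSTALLED when there is none.
check_extension_list() {
  found=0
  while IFS= read -r line; do
    [ "${line%@*}" = "$EXT_ID" ] || continue
    found=1
    echo "${line##*@} $(classify_version "${line##*@}")"
  done
  [ "$found" -eq 1 ] || echo "NOT_INSTALLED"
}

# Run against the local VS Code install when the CLI is on PATH.
if command -v code >/dev/null 2>&1; then
  code --list-extensions --show-versions | check_extension_list
fi
```

An `OK` verdict reflects only the version installed now. A host that auto-updated from 18.95.0 still falls under the credential rotation step, so pair this check with historical install or endpoint records.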

Exploitation status

Public Exploit Available: false

Analyst recommendation

This is an urgent supply chain security issue. Beyond simply updating the software, organizations must assume that any machine running version 18.95.0 is compromised and perform a full credential rotation for all secrets managed on those devices.