Postmortem: Nx Console v18.95.0 supply-chain compromise
Blog post from Nx
In a security incident involving the Nx Console VS Code extension, a malicious version (v18.95.0) was briefly published to the Visual Studio Marketplace and the Open VSX registry on May 18, 2026. The publish was a downstream effect of a supply-chain compromise originating from TanStack: a credential-stealing payload had silently exfiltrated publishing credentials from a contributor's machine, and the attacker used those credentials to publish the malicious extension under the identity of a legitimate contributor. The published version itself carried a credential-harvesting payload that put users' secrets at risk. It was live for a short window, approximately 11 minutes on the Visual Studio Marketplace and 36 minutes on Open VSX, before maintainers detected it and unpublished it. Despite the quick response, internal analytics suggest that more users may have been affected than initially reported, which prompted a comprehensive credential rotation and a hardening of the publishing pipeline to prevent a recurrence. The incident highlighted several weaknesses: insufficiently enforced release policies, a lack of monitoring for suspicious publishing activity, and the absence of a dual-approval step in the publishing workflow. The Nx CLI, Nx plugins, and Nx Cloud were determined not to be impacted.
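As an added example, not code from the Nx postmortem or the Nx project: a small Python check that parses the output of `code --list-extensions --show-versions` and reports whether the compromised release is currently installed. The extension's marketplace identifier `nrwl.angular-console` is an assumption and should be verified against the marketplace listing; the version number comes from the summary above; the sample listing is constructed.

```python
"""
Check a VS Code-compatible editor's installed extensions for the compromised
Nx Console release. Added example; not code from the Nx postmortem or the Nx
project.
"""
import subprocess
from typing import Iterable, Optional

# Assumption: marketplace identifier (publisher.name) of the Nx Console
# extension. Verify against the marketplace listing before relying on it.
NX_CONSOLE_ID = "nrwl.angular-console"

# The compromised release named in the postmortem.
AFFECTED_VERSIONS = {"18.95.0"}

# Constructed sample output in the format produced by
# `code --list-extensions --show-versions` (one `publisher.name@version` per line).
SAMPLE_LISTING = """\
dbaeumer.vscode-eslint@3.0.10
nrwl.angular-console@18.95.0
esbenp.prettier-vscode@11.0.0
"""


def parse_extension_list(lines: Iterable[str]) -> dict[str, str]:
    """Map each installed extension id (lowercased) to its version string."""
    installed: dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if not line or "@" not in line:
            continue  # blank lines or unexpected output
        # rpartition: the version follows the last '@', so an '@' in the
        # publisher or name (unusual, but possible) does not confuse the split.
        ext_id, _, version = line.rpartition("@")
        installed[ext_id.lower()] = version
    return installed


def check_nx_console(lines: Iterable[str],
                     ext_id: str = NX_CONSOLE_ID,
                     affected: Iterable[str] = AFFECTED_VERSIONS
                     ) -> tuple[str, Optional[str]]:
    """
    Return (status, version), where status is one of
    'not-installed', 'affected' or 'other-version'.
    """
    version = parse_extension_list(lines).get(ext_id.lower())
    if version is None:
        return ("not-installed", None)
    if version in set(affected):
        return ("affected", version)
    return ("other-version", version)


def check_editor(cli: str = "code") -> tuple[str, Optional[str]]:
    """Run the real CLI (`code`, or `codium` for VSCodium) and check its listing."""
    result = subprocess.run([cli, "--list-extensions", "--show-versions"],
                            capture_output=True, text=True, check=True)
    return check_nx_console(result.stdout.splitlines())


if __name__ == "__main__":
    status, version = check_nx_console(SAMPLE_LISTING.splitlines())
    print(f"sample listing: {status} ({version})")  # sample listing: affected (18.95.0)
```

The check only reports what is installed right now. Because VS Code auto-updates extensions, a machine that pulled v18.95.0 during the publication window may already show a later version, so an 'other-version' or 'not-installed' result does not prove the machine was never exposed; the editor's extension update history or logs are needed for that. Editors that install from Open VSX (VSCodium, via `codium`) accept the same listing flags.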