Nx Console VS Code compromise
How Automic Vault would have prevented the Nx Console extension compromise.
The malicious Nx Console update ran from inside the editor, where developers keep the richest context: repositories, terminals, GitHub auth, cloud CLIs, and password-manager sessions. Automic Vault would have prevented the extension from inheriting that local authority.
Published May 21, 2026
Automic Vault would have prevented the damaging local phase of this incident: the moment malicious package or extension code tried to read workstation secrets, use credential-bearing tools, or install persistence as the developer.
Incident Facts
local execution- Date
- May 18, 2026
- Trigger
- nrwl.angular-console 18.95.0 was published to the Visual Studio Marketplace and Open VSX.
- Local targets
- GitHub auth stores, Vault tokens, npm tokens, cloud metadata and CLI state, SSH keys, .env files, Docker config, GCP ADC, and active 1Password CLI session contents.
- Follow-on behavior
- Payload download from a hidden commit, HTTPS/GitHub/DNS exfiltration, and persistence through local Python and LaunchAgent files.
What Happened?
incident recordNx disclosed that a malicious Nx Console 18.95.0 extension was live on May 18, 2026 in the Visual Studio Marketplace and Open VSX. Nx tied the incident back to an earlier compromised contributor machine that had resolved malicious package content.
StepSecurity reported that the extension downloaded payload code from a hidden commit and ran a credential stealer when the editor opened a workspace. That activation path is especially dangerous because developers trust editor extensions with source trees, terminals, and project automation.
The local target set included GitHub credentials, npm tokens, cloud and Kubernetes material, .env files, Docker config, HashiCorp Vault tokens, and active 1Password CLI sessions. The extension also wrote persistence artifacts on the workstation.
What Actually Failed?
root causeThe editor became the trust boundary, and the editor was too broad. A signed or marketplace-delivered extension update could run with access to the user session and the repository workspace, including auth stores that were never meant for arbitrary extension code.
This is the same ambient-authority failure as a poisoned package, but worse in practice. Editor extensions sit close to source control, agent tooling, terminals, and secrets. A bad update can cross from local workstation compromise into organization-wide source and credential exposure.
Where Automic Vault Would Have Stopped It
preventionEditor-launched code would not read every secret
Automic Vault keeps sensitive values out of plaintext files and model-visible context. A malicious extension would not get raw GitHub, cloud, Vault, and .env material by reading local config paths.
Password-manager and CLI access would be mediated
Active sessions and credential helpers should not become ambient input to extension code. Automic Vault routes approved credential use to trusted tools and shows the target command before access is granted.
Persistence writes would be treated as risky
Writing LaunchAgents, backdoor scripts, or global editor and tool settings is not a normal package read. Those changes belong behind visible local approval and hazard detection.
Why This Is Prevention, Not Just Detection
local boundaryAutomic Vault would have prevented the Nx Console incident from becoming a workstation credential breach by denying the malicious extension the broad local secrets it expected.
The extension could still be bad. The marketplace could still ship version 18.95.0. But without readable GitHub auth stores, cloud secrets, password-manager session material, and silent persistence, the attacker loses the bridge from extension install to durable local compromise.
This is the product lesson: developer tools need a local runtime boundary because trust in an extension marketplace is not the same thing as trust in every extension process that starts on your machine.
Automic Vault does not claim to make npm, PyPI, GitHub Actions, or extension marketplaces impossible to compromise. The prevention claim is narrower and more useful: compromised tools should not inherit every credential and sensitive path on a developer machine.