Supply Chain Attack Targets Microsoft Entra ID via Compromised Nx Console Extension
Severity: High (Score: 64.5)
Sources: Cybersecuritynews, Aikido.Dev, Thehackernews
Keywords: code, compromised, console, microsoft, learn, targeted, developers
Severity indicators: stealer, credential stealer
Summary
On May 18, 2026, a compromised version of the Nx Console VS Code extension was uploaded to the Visual Studio Code Marketplace, targeting developer credentials and cloud infrastructure tokens. This attack exploited vulnerabilities in the Nx ecosystem, marking the second supply chain incident in less than a year. Developers using Nx Console 18.95.0 are particularly at risk, with potential data exfiltration from Microsoft 365 and Azure environments. The attack is believed to have affected thousands of machines, emphasizing the need for heightened security measures in software supply chains. As of now, the incident is under investigation, and users are advised to monitor their systems for unusual activity.
Key Points:
- A compromised Nx Console extension was published on May 18, 2026.
- The attack targets developer credentials and cloud infrastructure tokens.
- This incident marks the second supply chain attack against the Nx ecosystem in under a year.
Detailed Analysis
**Impact** Thousands of machines running the compromised Nx Console VS Code extension version 18.95.0 were affected globally, primarily targeting developers using Microsoft Entra ID accounts. The attack exposed developer credentials, cloud infrastructure tokens, and CI/CD pipeline secrets, risking unauthorized access to Microsoft 365 and Azure data. This supply chain compromise impacts software development and cloud operations sectors, potentially disrupting business workflows and data confidentiality.

**Technical Details** The attack vector was a malicious update to the Nx Console extension published on May 18, 2026, in the Visual Studio Code Marketplace. The threat actor deployed a credential stealer targeting Microsoft Entra ID accounts to exfiltrate sensitive tokens and secrets. No CVEs or specific malware names were disclosed. The compromise represents a supply chain attack at the initial access and credential theft stages of the kill chain. No IOCs were provided in the available sources.

**Recommended Response** Immediately audit and revoke potentially compromised Microsoft Entra ID credentials and cloud tokens associated with Nx Console users. Remove or update the Nx Console extension to a verified clean version and monitor for unusual authentication or data exfiltration activity. Deploy detections focused on credential theft behaviors and anomalous access to Microsoft 365 and Azure resources. No patch or specific configuration changes were detailed; continuous monitoring of developer environments is advised.
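To support the "remove or update" step above, a workstation can be checked for the version this page names by reading the manifests of installed extensions. This is an added example, not code from the cited sources or the Nx project; the Marketplace ID `nrwl.angular-console` and the per-user extension directories are assumptions not stated on the page.

```python
import json
from pathlib import Path

# Assumptions (not from the page): the Marketplace ID of Nx Console and the
# default per-user extension directories of VS Code and its variants.
EXTENSION_ID = "nrwl.angular-console"
FLAGGED_VERSIONS = {"18.95.0"}  # the version named on this page
DEFAULT_DIRS = [Path.home() / d / "extensions"
                for d in (".vscode", ".vscode-insiders", ".vscode-server")]


def find_flagged(ext_dirs=DEFAULT_DIRS, ext_id=EXTENSION_ID,
                 flagged=FLAGGED_VERSIONS):
    """Return (path, version, is_flagged) for every installed copy of ext_id.

    Reads each extension's package.json rather than trusting the folder
    name, and reports an unreadable manifest as version None and flagged,
    so it gets a manual look instead of being silently skipped.
    """
    results = []
    for base in ext_dirs:
        if not Path(base).is_dir():
            continue
        for folder in sorted(Path(base).iterdir()):
            manifest = folder / "package.json"
            if not manifest.is_file():
                continue
            try:
                meta = json.loads(manifest.read_text(encoding="utf-8"))
                found = f"{meta.get('publisher', '')}.{meta.get('name', '')}".lower()
                version = str(meta.get("version", ""))
            except (OSError, ValueError, AttributeError):
                # Manifest damaged: fall back to the folder name for the ID.
                if folder.name.lower().startswith(ext_id + "-"):
                    results.append((str(folder), None, True))
                continue
            if found == ext_id:
                results.append((str(folder), version, version in flagged))
    return results


if __name__ == "__main__":
    for path, version, bad in find_flagged():
        print(f"{'FLAGGED' if bad else 'ok':8} {version or 'unreadable'}  {path}")
```

A clean result only describes what is on disk now; an automatic update may already have replaced the folder, so it does not show the flagged version was never installed.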
Source articles (4)
- Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer — Thehackernews · 2026-05-19
- Nx Console VS Code Extension Compromised to Steal Developer and Cloud Secrets — Cybersecuritynews · 2026-05-19
  A widely used Visual Studio Code extension was quietly turned into a credential-stealing tool in May 2026, putting millions of developers at serious risk without warning. The Nx Console extension, whi…
- The Wild West of VS Code extensions and how a poisoned extension breached GitHub — Aikido.Dev · 2026-05-20
  It's been a hard week for GitHub. Yesterday GitHub confirmed it had been breached. The attackers reportedly pulled data from roughly 4,000 internal repositories, and the entry point was a poisoned V…
- Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data — Cybersecuritynews · 2026-05-19
  A compromised version of the widely used Nx Console VS Code extension was published to the Visual Studio Code Marketplace on May 18, 2026, silently targeting developer credentials, cloud infrastructur…
Timeline
- 2026-05-18 — Compromised Nx Console extension published: A malicious version of Nx Console 18.95.0 was uploaded to the VS Code Marketplace, targeting developers.
- 2026-05-19 — Incident reported and investigated: Cybersecurity experts began investigating the supply chain attack affecting Microsoft Entra ID accounts.
Related entities
- Malware (Attack Type)
- Supply Chain Attack (Attack Type)
- Microsoft (Company)
- Nx (Company)
- Azure (Company)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1195 - Supply Chain Compromise (Mitre Attack)
- Microsoft 365 (Platform)
- Microsoft Entra ID (Platform)
- Visual Studio Code (Platform)
- Visual Studio Code Marketplace (Platform)
- Nx Console (Tool)