thehackernews.com web signal

Nx Console extension hijacked to steal Claude Code secrets

cybersecurity coding tools supply-chain-attack developer-security

Key insights

  • A stolen contributor GitHub token was the sole root cause, granting both repository push and VS Code Marketplace publishing access.
  • The payload explicitly targeted Claude Code config files (~/.claude/settings.json), marking AI assistant credentials as a new supply chain theft category.
  • Eleven minutes of marketplace availability was sufficient to reach developers via automatic updates across a 2.2-million-install extension.

Why this matters

AI coding assistants store API keys and session tokens in local config files that developers rarely treat as sensitive secrets, and this attack demonstrates that supply chain adversaries have now catalogued those files as primary exfiltration targets alongside cloud credentials. For founders and technical leaders building on Claude Code or similar tools, this raises an immediate question about whether ~/.claude/settings.json and equivalent files are excluded from backup sync tools, logged by endpoint detection, or rotated after any suspected extension compromise. The VS Code Marketplace's auto-update model means the blast radius of any future extension compromise scales directly with install count, and with AI coding assistants now embedded in millions of developer workflows, the credential surface has quietly expanded well beyond what most security teams have modeled.

Summary

A compromised version of the Nx Console VS Code extension reached 2.2 million developers on May 18 before the Nx team yanked it eleven minutes after publication — a window short enough to seem harmless but long enough for automatic updates to deliver a 498KB obfuscated payload to an unknown number of machines. The attack vector was a stolen GitHub contributor token that gave the attacker push access to both the nrwl/nx repository and the VS Code Marketplace publishing pipeline. The payload exfiltrated credentials across a broad surface: GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password secrets moved out over HTTPS, the GitHub API, and DNS tunneling simultaneously. Essentially: (Nrwl/Nx, Microsoft VS Code Marketplace) the trust model for IDE extensions just got stress-tested against a real adversary. - The payload specifically targeted ~/.claude/settings.json, making this one of the first documented supply chain attacks designed to harvest AI coding assistant credentials. - Root cause was a single stolen contributor token, not a breach of Nx core infrastructure. - The 11-minute live window is deceptively short: VS Code's auto-update behavior means exposure was driven by install base size, not window length. Developer tooling has always been a high-value supply chain target, but the explicit inclusion of Claude Code config files signals that AI assistant credentials are now considered primary loot alongside cloud and secrets-manager keys.

Potential risks and opportunities

Risks

  • Developers who had the extension auto-update on May 18 and have not rotated GitHub, npm, and AWS credentials remain exposed if exfiltrated tokens have not yet been used by the attacker.
  • Anthropic faces pressure to harden Claude Code's local credential storage model — if ~/.claude/settings.json becomes a known target, any future extension or package compromise will specifically probe that path.
  • Microsoft and the VS Code Marketplace face scrutiny over publisher token security controls; other high-install-count extensions (ESLint, Prettier, GitLens) with multi-contributor publishing pipelines represent the same attack surface and may draw probing attempts within the next 30-60 days.

Opportunities

  • Secrets scanning and developer security vendors (GitGuardian, Trufflesecurity, Snyk) can position AI assistant config files as a new detection category and expect accelerated budget conversations at enterprises running Claude Code or Copilot at scale.
  • Sigstore and supply chain integrity tooling providers (Chainguard, Socket.dev) gain a concrete, named incident to anchor enterprise sales cycles around IDE extension provenance and signed publishing workflows.
  • Anthropic has a clear product opportunity to move Claude Code credentials out of plaintext local config files and into OS-level keychain or token-scoped short-lived credentials, differentiating on security posture against GitHub Copilot and Cursor.

What we don't know yet

  • How many of the 2.2 million installations received the malicious update during the 11-minute window — Nx and Microsoft had not disclosed an affected-device count as of May 20.
  • Whether Microsoft has implemented additional publisher-token validation or signing requirements for VS Code Marketplace following this incident.
  • Attribution of the stolen contributor token remains unconfirmed — no threat actor group or initial access method (phishing, credential stuffing, prior breach) has been named publicly.

Originally reported by thehackernews.com

Read the original article →

Original headline: Nx Console VS Code Extension Hijacked in Supply Chain Attack — Credential Stealer Targets Developer Secrets and Claude Code Config Files in 11-Minute Window