Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Nx Console Malicious Code Injection Vulnerability Allowing Credential Theft

Vulnerability

A supply chain attack compromised the Nx Console VSCode extension, specifically version 18.95.0, which was available on the Visual Studio Marketplace and OpenVSX. The malicious version, published by an attacker who gained access through a previous compromise, included code that harvested credentials and tokens from various sources, such as GitHub, AWS, and HashiCorp Vault. The attack was executed via a Python backdoor that communicated with the attacker's infrastructure, allowing for remote access and further exploitation.

Impact

The vulnerability led to a significant breach, with the attacker exfiltrating credentials from multiple sources, including GitHub, AWS, and HashiCorp Vault. This breach allowed the attacker to access sensitive tokens and secrets, potentially leading to unauthorized actions on behalf of the victim.

Reproduction

The vulnerability was reproduced by publishing a malicious version of the Nx Console extension to the Visual Studio Marketplace and OpenVSX. This was done by injecting malware into the extension package, which was then executed when the extension was activated in the user's IDE. The malware included a backdoor that polled the GitHub API for commands, allowing the attacker to execute further actions on the compromised machine.

Remediation

Users should update Nx Console to version 18.100.0 or later. After updating, it is important to remove any persistence artifacts left by the malware, such as the Python backdoor and the LaunchAgent on macOS. Additionally, all credentials that were on disk or could have been minted by the 'op', 'gcloud', 'aws sts', or 'gh' commands during the exposure window should be rotated.
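The version check implied by the remediation above, as an added example that is not part of the original advisory: it reads the output of `code --list-extensions --show-versions` and flags the malicious 18.95.0 build and anything older than 18.100.0. The extension ID `nrwl.angular-console` is an assumption (the advisory does not state it), and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: triage Nx Console versions from `code --list-extensions --show-versions`.
EXT_ID="nrwl.angular-console"  # assumption: extension ID; the advisory does not state it
BAD="18.95.0"                  # malicious version named in the advisory
FIXED="18.100.0"               # version the advisory says to update to (or later)

# version_lt A B: true if A < B, comparing each dotted field as a number.
# A plain string comparison would wrongly rank 18.95.0 above 18.100.0.
version_lt() {
  a=$1; b=$2
  for i in 1 2 3; do
    x=${a%%.*}; y=${b%%.*}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    a=${a#*.}; b=${b#*.}
  done
  return 1
}

# classify VERSION: prints compromised | outdated | ok | unknown
classify() {
  v=$1
  case $v in
    *[!0-9.]*|*.*.*.*|.*|*.|*..*) echo unknown; return ;;  # not plain X.Y.Z
    *.*.*) ;;
    *) echo unknown; return ;;
  esac
  if [ "$v" = "$BAD" ]; then echo compromised
  elif version_lt "$v" "$FIXED"; then echo outdated
  else echo ok
  fi
}

# triage: reads "publisher.name@version" lines on stdin, reports Nx Console entries.
triage() {
  while IFS= read -r line || [ -n "$line" ]; do
    id=$(printf '%s' "${line%@*}" | tr 'A-Z' 'a-z'); ver=${line##*@}
    [ "$id" = "$EXT_ID" ] || continue
    printf '%s %s\n' "$ver" "$(classify "$ver")"
  done
}

# Constructed sample listing, not real output from any machine.
triage <<'EOF'
ms-python.python@2024.2.1
nrwl.angular-console@18.95.0
EOF
```

On a real workstation, pipe `code --list-extensions --show-versions` into `triage`, and repeat with the CLI of any other editor that installs from OpenVSX. A `compromised` result means the cleanup and credential rotation steps above apply, not only the update.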

Added: May 28, 2026, 4:10 AM
Updated: Jun 3, 2026, 5:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.1
remediation: 0.0
relevance: 9.1
threat: 8.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.