#github-actions

A compromised version of the Nx Console extension for VS Code has been discovered stealing credentials from over 2.2 million developers. Version 18.95.0 of the popular extension (rwl.angular-console) contained a multi-stage credential stealer that silently harvested secrets from developer workstations within seconds of opening any workspace.

The Attack Vector

The breach originated from a compromised developer machine that leaked GitHub credentials. Attackers used these credentials to push an unsigned orphan commit to the official nrwl/nx repository, introducing stealer malware that triggered immediately upon workspace initialization.

The malicious payload, a 498 KB obfuscated script, was fetched from a dangling orphan commit hidden inside the official repository. It launched as a detached background process and began harvesting credentials from:

- 1Password vaults - Anthropic Claude Code configurations - npm tokens - GitHub credentials - AWS secrets

Sigstore Integration: A Dangerous Capability

What makes this attack particularly dangerous is the payload's full Sigstore integration, including Fulcio certificate issuance and SLSA provenance generation. Combined with stolen npm OIDC tokens, attackers could publish downstream npm packages with valid, cryptographically signed provenance attestations—making malicious packages appear as legitimate, verified builds.

Indicators of Compromise

The Nx team confirmed that a "few users were compromised" during the exposure window: May 18, 2026, 2:36 PM CEST to 2:47 PM CEST (approximately 11 minutes).

Affected users should check for:

- Files: ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /var/tmp/.gh_update_state, /tmp/kitty-* - Processes: Python running cat.py or any process with __DAEMONIZED=1 in environment variables

Remediation

Developers must update to Nx Console version 18.100.0 or later immediately. If version 18.95.0 was installed during the exposure window, all credentials reachable from the affected machine must be rotated—including tokens, secrets, and SSH keys.

Reflection

This marks the second time the Nx ecosystem has been targeted within a year. In August 2025, the s1ngularity campaign infected several npm packages with credential stealers. The shift from npm packages to VS Code extensions represents an evolution in supply chain attacks: instead of waiting for a build pipeline to execute malicious code, attackers now compromise the developer's workstation directly.

A sophisticated supply chain attack has compromised the popular actions-cool/issues-helper GitHub Action, redirecting all existing tags to imposter commits designed to steal CI/CD credentials. The attack represents a new evolution in software supply chain exploitation, bypassing traditional code review processes entirely.

The Imposter Commit Technique

Unlike traditional supply chain attacks that inject malicious code through pull requests or direct commits, this attack used "imposter commits"—deceptive references that point to malicious code existing only in an adversary-controlled fork, rather than the original trusted repository.

StepSecurity researcher Varun Sharma explained: "Every existing tag in the repository has been moved to point to an imposter commit that does not appear in the action's normal commit history. That commit contains malicious code that exfiltrates credentials from CI/CD pipelines that run the action."

How the Attack Worked

When a GitHub Actions workflow referenced the compromised action by version tag, the following sequence occurred:

- The workflow pulled the malicious commit (thinking it was legitimate) - The action downloaded the Bun JavaScript runtime to the runner - It read memory from the Runner.Worker process to extract credentials - Stolen data was exfiltrated via HTTPS to t.m-koschecom

Connection to Mini Shai-Hulud Campaign

The exfiltration domain overlaps with the Mini Shai-Hulud campaign that recently compromised @antv npm packages, suggesting both attacks are part of a coordinated operation. Philipp Burckhardt, head of threat intelligence at Socket, confirmed: "That points to the same Mini Shai-Hulud activity cluster, not a separate npm-only incident."

Scope of Compromise

In addition to issues-helper, 15 tags associated with actions-cool/maintain-one-comment were also compromised with identical functionality. GitHub has since disabled access to both repositories due to violations of its terms of service.

StepSecurity warned: "Because every tag now resolves to malicious commits, any workflow that references the action by version pulls the malicious code on its next run. Only workflows pinned to a known-good full commit SHA are unaffected."

Remediation

Organizations using these actions must:

- Immediately remove references to actions-cool/issues-helper and actions-cool/maintain-one-comment - Rotate all CI/CD credentials that may have been exposed - Pin future actions to full commit SHAs instead of version tags - Monitor outbound connections from CI/CD runners for suspicious domains

Reflection

The imposter commit technique demonstrates a fundamental weakness in how GitHub Actions resolves dependencies. Tags are mutable references that can be rewritten by anyone with write access to a repository—whether that access was obtained legitimately or through compromise.