Last updated: July 5, 2026 at 9:01 AM UTC

Nx Console 18.95.0 VS Code extension compromised in 11-minute window - kitty.py persistence and credential theft

The Nx team has confirmed that version 18.95.0 of its VS Code extension was malicious and that a few users were compromised. The bad version was available on the marketplace for only 11 minutes on May 18 (12:36 to 12:47 UTC), but that was enough to plant Python-based persistence under ~/.local/share/kitty/cat.py and a macOS LaunchAgent at com.user.kitty-monitor.plist, then steal tokens, secrets, and SSH keys reachable from the machine. The Nx team has shipped a clean 18.100.0 release and published indicators of compromise. This is the second time Nx has been targeted within a year, after the August 2025 s1ngularity supply-chain attack on its npm packages.

Check
Identify VS Code endpoints with the Nx Console extension. Check for ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /var/tmp/.gh_update_state, /tmp/kitty-*, or any process with __DAEMONIZED=1.
Affected
Anyone who installed Nx Console 18.95.0 from the VS Code marketplace during the 11-minute window on May 18 (12:36-12:47 UTC). A few users are confirmed affected.
Fix
Update Nx Console to 18.100.0. Kill malicious processes, delete IoC files, remove the LaunchAgent, and rotate every credential reachable from the developer machine - tokens, secrets, SSH keys.
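The Check step above as a read-only sweep, added here as an example and not code from the Nx team or this page. The function names, the `--scan` argument and the optional ROOT / PROC_DIR parameters are this example's own, and it assumes `__DAEMONIZED=1` is set as an environment variable of the process.

```shell
#!/usr/bin/env bash
# Added example: read-only sweep for the IoC paths and process marker above.
# Function names and the optional ROOT / PROC_DIR arguments are this example's own.

# nx_ioc_files HOME_DIR [ROOT]: print each IoC path that exists.
# ROOT is prefixed to the absolute paths (mounted image or test fixture).
nx_ioc_files() {
  local home="$1" root="${2:-}" p
  for p in \
    "$home/.local/share/kitty/cat.py" \
    "$home/Library/LaunchAgents/com.user.kitty-monitor.plist" \
    "$root/var/tmp/.gh_update_state" \
    "$root"/tmp/kitty-*; do
    # An unmatched glob stays literal and fails -e; -L catches dangling symlinks.
    if [ -e "$p" ] || [ -L "$p" ]; then printf '%s\n' "$p"; fi
  done
}

# nx_ioc_procs [PROC_DIR]: print PIDs whose environment contains __DAEMONIZED=1.
# Assumption: the marker is an environment variable. Other users' processes
# are only visible when run as root.
nx_ioc_procs() {
  local proc="${1:-/proc}" f pid
  if [ -d "$proc" ]; then
    for f in "$proc"/[0-9]*/environ; do
      [ -r "$f" ] || continue
      if tr '\0' '\n' 2>/dev/null < "$f" | grep -qx '__DAEMONIZED=1'; then
        pid="${f%/environ}"; printf '%s\n' "${pid##*/}"
      fi
    done
  else
    # No procfs (macOS): BSD-style ps prints the environment on each process line.
    ps axeww | grep -E '(^| )__DAEMONIZED=1( |$)' | awk '{print $1}'
  fi
}

# nx_ioc_scan [HOME_DIR] [ROOT] [PROC_DIR]: report findings, return 1 if any.
nx_ioc_scan() {
  local files procs
  files="$(nx_ioc_files "${1:-$HOME}" "${2:-}")"
  procs="$(nx_ioc_procs "${3:-/proc}")"
  if [ -n "$files" ]; then printf '%s\n' "$files" | sed 's/^/IoC file: /'; fi
  if [ -n "$procs" ]; then printf '%s\n' "$procs" | sed 's/^/IoC pid:  /'; fi
  [ -z "$files$procs" ]
}

if [ "${1:-}" = "--scan" ]; then nx_ioc_scan; exit $?; fi
```

Run it once per user account on the endpoint, since the first two paths are relative to each user's home directory.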