MAL-2026-5161

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/vscode/nrwl.angular-console/MAL-2026-5161.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5161
Published
2026-06-01T07:40:19Z
Modified
2026-06-02T12:15:51.000880813Z
Summary
Malicious code in nrwl.angular-console (VSCode)
Details

-= Per source details. Do not edit below this line.=-

Source: google-open-source-security (12636eadc931d19fc68ca6d30f5397404c6b782a67537c770c944ed9337a4125)

The compromised version of the Nx Console VS Code extension contains malicious code injected into its main execution file. When a developer opens a workspace, the extension triggers a background task to download and execute an obfuscated payload from a remote repository.

This payload performs anti-analysis checks and runs as a daemon to collect sensitive credentials, cloud tokens, and secrets from the developer's environment. The harvested data is exfiltrated via HTTPS, GitHub APIs, and DNS tunneling. The malware also establishes persistence through a macOS LaunchAgent and a Python backdoor, using the GitHub Search API as a command and control channel.

The impact of this compromise includes the potential theft of AWS, GCP, Azure, npm, SSH, and Vault secrets, leading to unauthorized access to internal repositories and infrastructure.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "12636eadc931d19fc68ca6d30f5397404c6b782a67537c770c944ed9337a4125",
            "source": "google-open-source-security",
            "modified_time": "2026-06-01T07:41:16.764994635Z",
            "versions": [
                "18.95.0"
            ],
            "import_time": "2026-06-02T07:51:59.767145Z"
        }
    ]
}

Affected packages

VSCode / nrwl.angular-console

Package

Name
nrwl.angular-console

Affected ranges

Affected versions

18.*
18.95.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/vscode/nrwl.angular-console/MAL-2026-5161.json"