Security researchers flagged a compromised version of the popular Nx Console extension published to the Microsoft Visual Studio Code Marketplace on 19 May 2026. Once installed, the extension silently fetched and executed a 498 KB obfuscated payload described by researchers as a “multi-stage credential stealer and supply chain poisoning tool.” The payload was designed to harvest developer secrets, environment variables, and authentication tokens before using those credentials to poison downstream build and deployment pipelines.
The incident is part of a broader pattern identified in the DevOps Threat Unwrapped Report 2026 by GitProtect, which found that trusted Git hosting platforms and developer tooling marketplaces became significant targets for criminal groups throughout 2025 and into 2026. AI integrated into DevOps platforms further expands the attack surface, with emerging threat classes including malicious prompt injections, remote code execution through AI-assisted code suggestions, and credential leaks via seemingly harmless developer extensions.
A separate finding from the same report noted that third-party involvement in breaches has doubled to 30% of all incidents, up from roughly 15% the previous year. This underlines how attackers are increasingly using the software supply chain rather than targeting organisations directly.
Steps to take now: audit installed VS Code extensions against their known publisher fingerprints, review extension update policies, enforce developer workstation endpoint controls, and ensure CI/CD pipelines run in isolated environments with scoped credentials. If you need help hardening your development environment or reviewing your DevOps security posture, contact Excello Digital and our team can run a focused assessment.
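One way to carry out the extension audit from the steps above, as an added example that is not code from the report or from the Nx project. It assumes an allowlist that pins each `publisher.name` identifier to approved versions as a stand-in for a "publisher fingerprint"; all extension IDs and versions below are constructed placeholders.

```python
import subprocess

# Constructed allowlist (assumption): extension ID -> approved versions.
APPROVED = {
    "examplepub.build-console": {"1.4.2"},
    "examplepub.linter": {"3.0.0", "3.0.1"},
}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_OUTPUT = """\
examplepub.build-console@1.4.3
ExamplePub.Linter@3.0.1
unknownpub.theme-pack@0.9.0
"""


def parse_installed(text):
    """Parse 'publisher.name@version' lines into {lowercased_id: version}."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if "@" not in line:
            continue  # skip blank lines and anything that is not id@version
        ext_id, _, version = line.rpartition("@")
        installed[ext_id.lower()] = version  # extension IDs are case-insensitive
    return installed


def audit(installed, approved):
    """Return (id, version, reason) for every extension outside the allowlist."""
    findings = []
    for ext_id, version in sorted(installed.items()):
        if ext_id not in approved:
            findings.append((ext_id, version, "not-on-allowlist"))
        elif version not in approved[ext_id]:
            findings.append((ext_id, version, "unapproved-version"))
    return findings


def installed_from_cli():
    """Read the real workstation state through the VS Code CLI."""
    out = subprocess.run(["code", "--list-extensions", "--show-versions"],
                         capture_output=True, text=True, check=True)
    return parse_installed(out.stdout)


if __name__ == "__main__":
    # Swap parse_installed(SAMPLE_OUTPUT) for installed_from_cli() on a workstation.
    for ext_id, version, reason in audit(parse_installed(SAMPLE_OUTPUT), APPROVED):
        print(f"{reason}: {ext_id}@{version}")
```

An "unapproved-version" finding on a previously trusted extension is the case that matters for an incident like this one, where a known publisher ships a new release that has not been reviewed.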
