Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data
Cybersecurity NewsArchived May 19, 2026✓ Full text saved
A compromised version of the widely used Nx Console VS Code extension was published to the Visual Studio Code Marketplace on May 18, 2026, silently targeting developer credentials, cloud infrastructure tokens, and CI/CD pipeline secrets across thousands of machines. The incident marks the second supply chain attack against the Nx ecosystem in under a year, […] The post Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data
By Tushar Subhra Dutta
May 19, 2026
A compromised version of the widely used Nx Console VS Code extension was published to the Visual Studio Code Marketplace on May 18, 2026, silently targeting developer credentials, cloud infrastructure tokens, and CI/CD pipeline secrets across thousands of machines.
The incident marks the second supply chain attack against the Nx ecosystem in under a year, raising serious concerns about the security of open-source developer tooling relied upon by millions worldwide.
Version 18.95.0 of the extension, identified as nrwl.angular-console, was pushed to the marketplace with malicious code hidden inside its bundled main.js file.
With over 2.2 million installations across the globe, the extension is a daily staple in many professional development environments.
Within seconds of a developer opening any workspace, the compromised extension silently fetched and ran a 498 KB obfuscated payload pulled from a hidden orphan commit buried deep inside the official nrwl/nx GitHub repository.
Researchers at StepSecurity identified the full attack and illustrated in a report shared with Cyber Security News, a detailed breakdown of its complex, multi-stage infection chain.
The payload is described as a sophisticated credential stealer that reaches far beyond simple file theft, targeting GitHub tokens, npm credentials, AWS secrets, HashiCorp Vault tokens, Kubernetes configurations, and even 1Password vault items that were accessible through the command line.
The malicious version remained live for just eleven minutes before the Nx team detected the rogue publish and removed it from the marketplace at 12:47 UTC.
Despite that short window, the threat actor had designed the payload to operate with speed, daemonizing itself in the background and running multiple credential collectors simultaneously to maximize the volume of secrets harvested before anyone could intervene.
What makes this attack especially alarming is its use of Sigstore attestation logic, which could give the attacker the ability to publish downstream npm packages carrying valid, cryptographically signed provenance.
This means packages touched by the attacker could pass standard signature verification checks, potentially spreading the damage well beyond the developer machines that were directly exposed during the eleven-minute compromise window.
Hackers Abuse Microsoft Entra ID Accounts
The attack started when a contributor’s GitHub personal access token was stolen during a separate, earlier supply chain incident.
Using that stolen token, the attacker pushed an orphan commit, referenced as 558b09d7, to the nrwl/nx repository at 03:18 UTC.
Storm-2949 attack (Source – Microsoft)
This commit had no parent commits and was completely unreachable from any branch, making it invisible to anyone who did not already know the exact SHA.
The orphan commit replaced the entire Nx monorepo with just two files: a package.json and a heavily obfuscated index.js payload.
At 12:36 UTC, the attacker then used stolen VS Code Marketplace publishing credentials to release the poisoned extension, which was configured to silently fetch and execute that hidden payload the moment a developer opened any workspace, all without showing any visible sign of unusual activity.
Credential Theft and Persistent Backdoor
The payload ran six specialized collector classes simultaneously, each built to harvest a different category of secrets.
On Linux systems, it also probed for passwordless sudo access, and if successful, injected a sudoers rule to establish persistent root-level access on the affected host.
On macOS, the payload installed a Python-based backdoor at ~/.local/share/kitty/cat.py, registered as a LaunchAgent to run automatically every hour.
This backdoor used the GitHub Search API as a covert command-and-control channel, polling for attacker-signed instructions every sixty minutes, an approach that blends in naturally with normal developer traffic and is unlikely to trigger alerts from corporate firewalls or endpoint detection tools.
Anyone who had Nx Console installed with auto-update enabled and opened a workspace between 12:36 and 12:47 UTC on May 18 should treat their machine as fully compromised.
StepSecurity recommends updating immediately to version 18.100.0 or later, removing all persistence artifacts, killing orphaned background processes, and rotating every credential reachable from the affected machine, including GitHub tokens, npm tokens, SSH keys, AWS credentials, and any secrets that were held in process memory at the time of compromise.
Indicators of Compromise (IoCs)
Type Indicator Description
SHA-256 Hash 1a4afce34918bdc74ae3f31edaffffaa0ee074d83618f53edfd88137927340b8 Malicious VSIX file (v18.95.0)
SHA-256 Hash b0cefb66b953e5184b6adb3035e9e267335ac5eabfe1848e07834777b9397b74 Malicious main.js inside the VSIX
SHA-256 Hash e7347d90653efc565f03733a95e9209d78f9cfa81e31ff2b2dd9d48d75a4b8b1 Obfuscated payload index.js from orphan commit
SHA-256 Hash 43f2b001846c4966073ebffa5be8f15e491a1e7d32bbd805d57406ff540e0dd9 Dropper package.json from orphan commit
SHA-256 Hash 228a2cf081d4cbea9b91cde14a8f9c4a4d003e7f32431496953fd6bac266f5a3 Clean VSIX (v18.94.0) for reference comparison
SHA-256 Hash cb86f4f223daa54467c7782a0d8607e9c84e2bb633e6f0e51d9a19579e200990 Remediated VSIX (v18.100.0)
Git SHA 558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2 Malicious orphan commit in nrwl/nx
Git SHA ba642fe2c7c65e42dd7f6444b83023dc6827e08c Commit tree of orphan commit
Git SHA acfc3f957a63b4cde93ff645f2b6bf26a8ed1bbf index.js blob SHA
Git SHA 9d88f040c44b5f4d5f9db15ff89310776c168e99 package.json blob SHA
URL api.github.com/search/commits?q=firedalazer Python C2 backdoor dead-drop polling endpoint
IP Address 169.254.169.254 AWS IMDS endpoint queried for credential theft
IP Address 169.254.170.2 ECS container metadata endpoint targeted
IP Address 127.0.0.1:8200 HashiCorp Vault local endpoint targeted
Domain fulcio.sigstore.dev Used for Sigstore attestation forgery
Domain rekor.sigstore.dev Used for Sigstore transparency log entries
Domain bun.sh/install Bun runtime installation for payload execution
File Path ~/.local/share/kitty/cat.py Python C2 backdoor dropped on macOS/Linux
File Path ~/Library/LaunchAgents/com.user.kitty-monitor.plist macOS LaunchAgent for hourly persistence
File Path /var/tmp/.gh_update_state C2 anti-replay state file
File Path /tmp/kitty-* Temporary staging directories used by payload
Extension Version nrwl.angular-console@18.95.0 Compromised VS Code extension version
Environment Variable __DAEMONIZED=1 Set on daemonized malicious background process
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
Trending News
JDownloader Website Compromised to Distribute Malicious Windows and Linux Installers
Hackers Hijack Microsoft Teams Users Account to Deliver ModeloRAT
TrickMo Android Banking Malware Targets Banking, Wallet, and Authenticator Apps
Amazon Quick Bug Exposed AI Chat Agents to Users Blocked by Custom Permissions
Hackers Abuse Scheduled Tasks to Maintain Persistence in FrostyNeighbor Attacks
Latest News
Cyber Security News
Hackers Actively Exploiting Critical NGINX RCE Vulnerability in the Wild
Cyber Security News
Critical n8n Vulnerabilities Expose Automation Nodes to Full RCE
Cyber Security News
Linus Torvalds Says AI Bug Reports Have Made Linux Security Mailing List Unmanageable
Cyber Attack News
Four Malicious npm Packages Steal SSH Keys, Cloud Credentials, and Crypto Wallets
Cyber Security News
CISA Warns of Microsoft Exchange Server Vulnerability Exploited in Attacks