CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 19, 2026

Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data

Cybersecurity News Archived May 19, 2026 ✓ Full text saved

A compromised version of the widely used Nx Console VS Code extension was published to the Visual Studio Code Marketplace on May 18, 2026, silently targeting developer credentials, cloud infrastructure tokens, and CI/CD pipeline secrets across thousands of machines. The incident marks the second supply chain attack against the Nx ecosystem in under a year, […] The post Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data By Tushar Subhra Dutta May 19, 2026 A compromised version of the widely used Nx Console VS Code extension was published to the Visual Studio Code Marketplace on May 18, 2026, silently targeting developer credentials, cloud infrastructure tokens, and CI/CD pipeline secrets across thousands of machines. The incident marks the second supply chain attack against the Nx ecosystem in under a year, raising serious concerns about the security of open-source developer tooling relied upon by millions worldwide. Version 18.95.0 of the extension, identified as nrwl.angular-console, was pushed to the marketplace with malicious code hidden inside its bundled main.js file. With over 2.2 million installations across the globe, the extension is a daily staple in many professional development environments. Within seconds of a developer opening any workspace, the compromised extension silently fetched and ran a 498 KB obfuscated payload pulled from a hidden orphan commit buried deep inside the official nrwl/nx GitHub repository. Researchers at StepSecurity identified the full attack and illustrated in a report shared with Cyber Security News, a detailed breakdown of its complex, multi-stage infection chain. The payload is described as a sophisticated credential stealer that reaches far beyond simple file theft, targeting GitHub tokens, npm credentials, AWS secrets, HashiCorp Vault tokens, Kubernetes configurations, and even 1Password vault items that were accessible through the command line. The malicious version remained live for just eleven minutes before the Nx team detected the rogue publish and removed it from the marketplace at 12:47 UTC. Despite that short window, the threat actor had designed the payload to operate with speed, daemonizing itself in the background and running multiple credential collectors simultaneously to maximize the volume of secrets harvested before anyone could intervene. What makes this attack especially alarming is its use of Sigstore attestation logic, which could give the attacker the ability to publish downstream npm packages carrying valid, cryptographically signed provenance. This means packages touched by the attacker could pass standard signature verification checks, potentially spreading the damage well beyond the developer machines that were directly exposed during the eleven-minute compromise window. Hackers Abuse Microsoft Entra ID Accounts The attack started when a contributor’s GitHub personal access token was stolen during a separate, earlier supply chain incident. Using that stolen token, the attacker pushed an orphan commit, referenced as 558b09d7, to the nrwl/nx repository at 03:18 UTC. Storm-2949 attack (Source – Microsoft) This commit had no parent commits and was completely unreachable from any branch, making it invisible to anyone who did not already know the exact SHA. The orphan commit replaced the entire Nx monorepo with just two files: a package.json and a heavily obfuscated index.js payload. At 12:36 UTC, the attacker then used stolen VS Code Marketplace publishing credentials to release the poisoned extension, which was configured to silently fetch and execute that hidden payload the moment a developer opened any workspace, all without showing any visible sign of unusual activity. Credential Theft and Persistent Backdoor The payload ran six specialized collector classes simultaneously, each built to harvest a different category of secrets. On Linux systems, it also probed for passwordless sudo access, and if successful, injected a sudoers rule to establish persistent root-level access on the affected host. On macOS, the payload installed a Python-based backdoor at ~/.local/share/kitty/cat.py, registered as a LaunchAgent to run automatically every hour. This backdoor used the GitHub Search API as a covert command-and-control channel, polling for attacker-signed instructions every sixty minutes, an approach that blends in naturally with normal developer traffic and is unlikely to trigger alerts from corporate firewalls or endpoint detection tools. Anyone who had Nx Console installed with auto-update enabled and opened a workspace between 12:36 and 12:47 UTC on May 18 should treat their machine as fully compromised. StepSecurity recommends updating immediately to version 18.100.0 or later, removing all persistence artifacts, killing orphaned background processes, and rotating every credential reachable from the affected machine, including GitHub tokens, npm tokens, SSH keys, AWS credentials, and any secrets that were held in process memory at the time of compromise. Indicators of Compromise (IoCs) Type Indicator Description SHA-256 Hash 1a4afce34918bdc74ae3f31edaffffaa0ee074d83618f53edfd88137927340b8 Malicious VSIX file (v18.95.0)  SHA-256 Hash b0cefb66b953e5184b6adb3035e9e267335ac5eabfe1848e07834777b9397b74 Malicious main.js inside the VSIX  SHA-256 Hash e7347d90653efc565f03733a95e9209d78f9cfa81e31ff2b2dd9d48d75a4b8b1 Obfuscated payload index.js from orphan commit  SHA-256 Hash 43f2b001846c4966073ebffa5be8f15e491a1e7d32bbd805d57406ff540e0dd9 Dropper package.json from orphan commit  SHA-256 Hash 228a2cf081d4cbea9b91cde14a8f9c4a4d003e7f32431496953fd6bac266f5a3 Clean VSIX (v18.94.0) for reference comparison  SHA-256 Hash cb86f4f223daa54467c7782a0d8607e9c84e2bb633e6f0e51d9a19579e200990 Remediated VSIX (v18.100.0)  Git SHA 558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2 Malicious orphan commit in nrwl/nx  Git SHA ba642fe2c7c65e42dd7f6444b83023dc6827e08c Commit tree of orphan commit  Git SHA acfc3f957a63b4cde93ff645f2b6bf26a8ed1bbf index.js blob SHA  Git SHA 9d88f040c44b5f4d5f9db15ff89310776c168e99 package.json blob SHA  URL api.github.com/search/commits?q=firedalazer Python C2 backdoor dead-drop polling endpoint  IP Address 169.254.169.254 AWS IMDS endpoint queried for credential theft  IP Address 169.254.170.2 ECS container metadata endpoint targeted  IP Address 127.0.0.1:8200 HashiCorp Vault local endpoint targeted  Domain fulcio.sigstore.dev Used for Sigstore attestation forgery  Domain rekor.sigstore.dev Used for Sigstore transparency log entries  Domain bun.sh/install Bun runtime installation for payload execution  File Path ~/.local/share/kitty/cat.py Python C2 backdoor dropped on macOS/Linux  File Path ~/Library/LaunchAgents/com.user.kitty-monitor.plist macOS LaunchAgent for hourly persistence  File Path /var/tmp/.gh_update_state C2 anti-replay state file  File Path /tmp/kitty-* Temporary staging directories used by payload  Extension Version nrwl.angular-console@18.95.0 Compromised VS Code extension version  Environment Variable __DAEMONIZED=1 Set on daemonized malicious background process  Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News JDownloader Website Compromised to Distribute Malicious Windows and Linux Installers Hackers Hijack Microsoft Teams Users Account to Deliver ModeloRAT TrickMo Android Banking Malware Targets Banking, Wallet, and Authenticator Apps Amazon Quick Bug Exposed AI Chat Agents to Users Blocked by Custom Permissions Hackers Abuse Scheduled Tasks to Maintain Persistence in FrostyNeighbor Attacks Latest News Cyber Security News Hackers Actively Exploiting Critical NGINX RCE Vulnerability in the Wild Cyber Security News Critical n8n Vulnerabilities Expose Automation Nodes to Full RCE Cyber Security News Linus Torvalds Says AI Bug Reports Have Made Linux Security Mailing List Unmanageable Cyber Attack News Four Malicious npm Packages Steal SSH Keys, Cloud Credentials, and Crypto Wallets Cyber Security News CISA Warns of Microsoft Exchange Server Vulnerability Exploited in Attacks
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 19, 2026
    Archived
    May 19, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗