1 comment

[ 3.7 ms ] story [ 10.1 ms ] thread
Ouch: critical supply chain attack in one of the most popular VS Code Extensions (2.2M installs)

I was bitten by this today - the payload dropped a Python C2 backdoor and LaunchAgent. (fortunately, it failed to run due to failed dependencies...)

Incidentally, my local install was almost 2 hours after the maintainers claim they pulled it from the marketplace so the real-world exposure window appears to have been substantially longer than 11 minutes.

`2026-05-18 16:34:11.092 [info] Extracted extension to .../nrwl.angular-console-18.95.0`