Critical (9.8) Actively Exploited

Nx Console supply chain attack actively exploited (CVE-2026-48027)

CVE-2026-48027: Nx Console 18.95.0 supply-chain compromise grants remote code execution (CVSS 9.8). CISA confirms active exploitation. Upgrade to 18.100.0.

Affected: Nx Console

Actively exploited in the wild - CVE-2026-48027 is a critical supply-chain compromise in Nx Console version 18.95.0 that can grant attackers remote code execution on developer machines. The malicious version was live in VS Marketplace for 18 minutes and on OpenVSX for 36 minutes; upgrade to 18.100.0 immediately.

Overview

On 19 May 2026, attackers published a malicious version of Nx Console v18.95.0 (the UI extension for Nx and Lerna monorepo tools) to both the Visual Studio Marketplace and OpenVSX. The tampered extension executed arbitrary code on any machine where a developer installed or updated to this version. The VS Marketplace listing was live from 12:30 PM to 12:48 PM UTC (18 minutes); the OpenVSX listing remained available from 12:33 PM to 1:09 PM UTC (36 minutes) before removal.

Because the vulnerability requires no user interaction or privileges and is exploitable over the network, it was scored CVSS 9.8 (critical). Any developer who installed Nx Console during the window may have compromised their local environment, including access to source code, credentials, SSH keys, and CI/CD pipelines.

What Attackers Can Do

Once installed, the malicious extension could:

  • Execute arbitrary commands on the developer’s workstation
  • Exfiltrate environment variables, tokens, and private keys
  • Modify project source code or install backdoors into builds
  • Propagate from developer endpoints into production deployment pipelines

Affected Versions

  • Compromised version: Nx Console 18.95.0
  • Safe version: Nx Console 18.100.0 (and later)
  • Not affected: All versions prior to 18.95.0 and versions 18.100.0+

All developers who use the Nx Console extension should check their installed version immediately. Version 18.95.0 must never be run.

Remediation

  1. Immediate: Upgrade to Nx Console 18.100.0 or later from the official VS Marketplace or OpenVSX.
  2. Verify: Confirm the installed version is not 18.95.0 by checking Extensions > Nx Console in VS Code or your editor.
  3. Investigate: Any machine that ran 18.95.0 should be treated as compromised - rotate all stored credentials, review recent git commits for unexpected changes, and audit build logs.
  4. Monitor: Check for signs of lateral movement from affected developer workstations into connected systems.
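Step 2 as a script, added here and not taken from the advisory: it parses the `publisher.name@version` lines that `code --list-extensions --show-versions` prints and classifies every Nx Console entry against the versions named above. The extension id `nrwl.angular-console`, the output format and the sample listing are assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example (not from the advisory): triage an editor's extension listing
# for the compromised Nx Console build. Assumed, not stated on the page: the
# marketplace id `nrwl.angular-console` and the `publisher.name@version` line
# format printed by `code --list-extensions --show-versions`.
EXT_ID="nrwl.angular-console"   # assumed Nx Console extension id
BAD_VERSION="18.95.0"           # compromised build named in the advisory

# nx_status VERSION -> COMPROMISED | SAFE (18.100.0+) | PRE_INCIDENT (< 18.95.0)
#                     | UNLISTED (builds the advisory names as neither)
nx_status() {
    ver=$1
    if [ "$ver" = "$BAD_VERSION" ]; then echo COMPROMISED; return; fi
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs   # split major.minor.patch
    maj=${1:-0}; min=${2:-0}
    if [ "$maj" -gt 18 ] || { [ "$maj" -eq 18 ] && [ "$min" -ge 100 ]; }; then
        echo SAFE
    elif [ "$maj" -lt 18 ] || [ "$min" -lt 95 ]; then
        echo PRE_INCIDENT
    else
        echo UNLISTED
    fi
}

# scan_listing: reads a listing on stdin, prints "<entry><TAB><status>" for
# each Nx Console entry; returns 1 if the compromised build is present.
scan_listing() {
    rc=0
    while IFS= read -r line; do
        case $line in
            "$EXT_ID"@*)
                status=$(nx_status "${line#*@}")
                printf '%s\t%s\n' "$line" "$status"
                if [ "$status" = COMPROMISED ]; then rc=1; fi
                ;;
        esac
    done
    return $rc
}
# Constructed sample listing (not real output) so the script runs offline.
SAMPLE_LISTING='dbaeumer.vscode-eslint@3.0.10
nrwl.angular-console@18.95.0
esbenp.prettier-vscode@11.0.0'
# Use the real CLI when it is on PATH, otherwise the constructed sample.
if command -v code >/dev/null 2>&1; then
    listing=$(code --list-extensions --show-versions)
else
    listing=$SAMPLE_LISTING
fi
printf '%s\n' "$listing" | scan_listing ||
    echo "ACTION: 18.95.0 is installed; follow the Remediation steps above"
```

Builds between 18.95.0 and 18.100.0 are reported as UNLISTED because the advisory names only 18.100.0 and later as safe; the non-zero exit status lets the check gate a fleet-wide inventory job.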

Security Insight

This incident demonstrates a new frontier in software supply-chain attacks: compromising developer tool extensions rather than libraries or packages. Unlike a compromised npm package that might execute during npm install, a malicious VS Code extension runs persistently with the full trust of the IDE, granting attackers long-term access to the development environment. The 18-minute exposure window on VS Marketplace underscores how quickly supply-chain threats can propagate in a trusted ecosystem - and why version pinning and integrity verification for developer tooling are becoming non-negotiable security controls.
