CVE-2026-48027: Nx Console Embedded Malicious Code Vulnerability (CISA KEV)

CISA Known Exploited Vulnerability (KEV): This vulnerability was added to the CISA Known Exploited Vulnerabilities Catalog on 2026-05-27 with a required action date of 2026-06-10. It is actively exploited in the wild. CISA notes known ransomware campaign use.

CVE ID: CVE-2026-48027
Vendor: Nx (Nrwl)
Product: Nx Console (VS Code Extension)
CVSS v3.1: 9.8 (CRITICAL) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: 9.3 (CRITICAL)
CWE: CWE-506 (Embedded Malicious Code)

What Is the Vulnerability

A malicious version of the Nx Console VS Code extension (version 18.95.0) was published to the Visual Studio Marketplace and OpenVSX registry on 19 May 2026. The compromised extension contained obfuscated malicious code that harvested credentials from multiple sources on disk and in memory. The malicious version was available for approximately:

  • Visual Studio Marketplace: ~18 minutes (12:30 PM – 12:48 PM UTC)
  • OpenVSX: ~36 minutes (12:33 PM – 1:09 PM UTC)

The malicious code fetched an obfuscated payload from an external server and exfiltrated sensitive data including IDE credentials, git credentials, and other secrets stored on the developer’s machine.

Versions Affected

  • Nx Console v18.95.0 (VS Code extension) — ONLY this specific version

Versions prior to 18.95.0 and version 18.100.0 and later are not affected.

Exploited?

YES — Actively Exploited in the Wild. This vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog (added 2026-05-27). CISA reports active exploitation and known ransomware campaign use. The required action deadline for federal agencies is 2026-06-10 per BOD 22-01. The malicious extension was live in public marketplaces and downloaded by developers during the ~18–36 minute window. Any developer who installed v18.95.0 during that window should assume compromise.

Fix

Upgrade to Nx Console v18.100.0 or later immediately.

The fixed version (18.100.0) was published after the malicious version was removed. Users should:

  • Update the Nx Console extension in VS Code to v18.100.0+
  • If using OpenVSX, ensure you have the clean version

Recommendations

  • Immediate: Update Nx Console to v18.100.0 or later.
  • Credential Rotation (Critical): If you installed v18.95.0 during the exposure window (2026-05-19 ~12:30–13:09 UTC), rotate ALL credentials that may have been accessible to the IDE: Git credentials, cloud provider tokens, SSH keys, API keys, database passwords, and any secrets stored in VS Code or system credential managers.
  • System Scan: Run malware/endpoint scans on affected machines. Check for unusual outbound connections.
  • Indicators of Compromise: Review the Nx Console v18.95.0 Postmortem — Indicators of Compromise for specific IOCs (domains, IPs, file hashes).
  • Supply Chain Review: Audit CI/CD pipelines and build systems that may have used the compromised extension.
  • Federal agencies (BOD 22-01): Action deadline is 2026-06-10. Remediate or discontinue use.
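To support the version check in "Versions Affected" and "Fix", the following added example (not code from Nx or from the original post) scans VS Code extension directories and classifies each installed copy of Nx Console against the versions named above. The extension identifier `nrwl.angular-console` and the default directory list are assumptions; confirm both on your own machines.

```python
import json
import sys
from pathlib import Path

# Assumption: Nx Console's identifier (publisher.name); confirm it locally.
NX_CONSOLE_ID = "nrwl.angular-console"
MALICIOUS = (18, 95, 0)   # the only affected version, per the advisory
FIXED = (18, 100, 0)      # first fixed version, per the advisory

# Common per-user extension directories (assumed defaults; add your own).
DEFAULT_ROOTS = (".vscode/extensions", ".vscode-server/extensions")


def parse_version(text):
    """'18.100.0' -> (18, 100, 0). Compare as integers, never as strings:
    as strings '18.100.0' sorts before '18.95.0'."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def classify(version):
    if version == MALICIOUS:
        return "COMPROMISED"
    return "fixed" if version >= FIXED else "not-affected"


def scan(root, ext_id=NX_CONSOLE_ID):
    """Return [(path, version string, status)] for each installed copy."""
    findings = []
    for manifest in sorted(Path(root).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            found_id = f"{meta['publisher']}.{meta['name']}".lower()
            if found_id != ext_id.lower():
                continue
            status = classify(parse_version(meta["version"]))
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            continue  # unreadable or malformed manifest: not a match
        findings.append((str(manifest.parent), meta["version"], status))
    return findings


if __name__ == "__main__":
    roots = sys.argv[1:] or [Path.home() / r for r in DEFAULT_ROOTS]
    hits = [f for root in roots for f in scan(root)]
    for path, version, status in hits:
        print(f"{status:13} {version:10} {path}")
    sys.exit(1 if any(s == "COMPROMISED" for _, _, s in hits) else 0)
```

A clean result only describes what is on disk now. It does not show whether v18.95.0 was installed during the exposure window and later replaced, so the credential rotation guidance above still applies to anyone who may have installed it.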

References

This post is part of the Vulnerability Intelligence series on threat-modeling.com. KEV status is indicated in the title, opening paragraph, and this callout per editorial policy.
