CVE-2026-48027 Overview
Nx Console is the user interface for Nx and Lerna monorepo build tools, distributed as a Visual Studio Code extension. A malicious version, 18.95.0, was published to Visual Studio Marketplace and OpenVSX on 19 May 2026. The compromised release was available for approximately 18 minutes on Visual Studio Marketplace and 36 minutes on OpenVSX before removal. The package contained embedded malicious code [CWE-506] that executed when developers installed or updated the extension. This incident has been added to the CISA Known Exploited Vulnerabilities Catalog, confirming active exploitation against developer workstations.
Critical Impact
Installation of Nx Console 18.95.0 exposes developer credentials, source code, and CI/CD secrets to attackers through a trojanized VS Code extension distributed via official marketplaces.
Affected Products
- Nx Console 18.95.0 for Visual Studio Code (Visual Studio Marketplace)
- Nx Console 18.95.0 distributed via OpenVSX Registry
- Developer workstations and CI environments that auto-updated the extension between 12:30 UTC and 13:09 UTC on 19 May 2026
Discovery Timeline
- 2026-05-19 - Malicious Nx Console 18.95.0 published at 12:30 UTC and removed at 12:48 UTC from Visual Studio Marketplace
- 2026-05-19 - Compromised version available on OpenVSX from 12:33 UTC to 13:09 UTC
- 2026-05-27 - CVE-2026-48027 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-48027
Vulnerability Analysis
The vulnerability is a supply chain compromise classified under embedded malicious code [CWE-506]. An attacker pushed a trojanized release of Nx Console to two extension marketplaces used by Visual Studio Code. Because VS Code extensions auto-update by default, developers running Nx Console received the malicious payload without manual interaction. The extension runs in the user context of the IDE, giving the embedded code access to workspace files, environment variables, and authentication tokens held in the local environment.
The attack abuses trust in the official distribution channel. Both Visual Studio Marketplace and OpenVSX serve as authoritative sources, and developers have no signing model to validate publisher integrity beyond marketplace controls. The narrow exposure window of 18 to 36 minutes limited but did not eliminate impact, because automatic updates can fetch a malicious version within seconds of publication.
Root Cause
The root cause is unauthorized publication of a malicious package version to the Nx Console distribution pipeline. The legitimate 18.95.0 release was replaced or supplemented with code intended to harvest secrets from the developer environment. Version 18.100.0 is a clean release that supersedes the compromised version.
Attack Vector
The attack vector is network-based supply chain delivery. Victims acquire the malicious code through normal extension installation or background update mechanisms. No user interaction beyond opening VS Code with the extension installed is required for the embedded payload to execute. See the Nx Console v18.95.0 Postmortem for indicators of compromise and the Step Security analysis for behavioral details.
Detection Methods for CVE-2026-48027
Indicators of Compromise
- Presence of Nx Console version 18.95.0 in installed VS Code extensions on any developer workstation
- Outbound network connections from Code.exe or code processes to attacker-controlled hosts listed in the GitHub Security Advisory GHSA-c9j4-9m59-847w
- Unexpected access to ~/.ssh, ~/.aws, ~/.npmrc, or environment files by VS Code extension host processes
- Extension installation logs showing acquisition of Nx Console between 12:30 and 13:09 UTC on 19 May 2026
Detection Strategies
- Query endpoint inventory for the exact version string 18.95.0 of the nrwl.angular-console or Nx Console extension across all managed developer machines
- Hunt process telemetry for VS Code extension host children spawning shells, network utilities, or credential-reading commands
- Correlate marketplace download events with the published exposure windows to identify exposed users
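The version query and exposure-window correlation described above can be run per workstation with a short script. This is an added example, not code from the vendor or the advisory: the function names and directory list are illustrative, and it assumes VS Code's usual on-disk layout (a `package.json` per extension folder and an `installedTimestamp` in epoch milliseconds inside `extensions.json`).

```python
import json
from datetime import datetime, timezone
from pathlib import Path
EXT_ID, BAD_VERSION = "nrwl.angular-console", "18.95.0"  # from the advisory
# Widest exposure window in the advisory (OpenVSX end time), 19 May 2026 UTC.
WINDOW = (datetime(2026, 5, 19, 12, 30, tzinfo=timezone.utc),
          datetime(2026, 5, 19, 13, 9, tzinfo=timezone.utc))
# Assumed default per-user extension roots; extend for forks or custom paths.
ROOTS = (".vscode/extensions", ".vscode-server/extensions", ".vscode-oss/extensions")

def manifest_id(ext_dir):
    """Return (publisher.name, version) from package.json, or None if unreadable."""
    try:
        m = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        return f'{m["publisher"]}.{m["name"]}'.lower(), str(m["version"])
    except (OSError, ValueError, KeyError, TypeError):
        return None

def install_times(root):
    """Map (id, version) -> UTC install time from extensions.json (assumed layout)."""
    try:
        entries = json.loads((root / "extensions.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}
    times = {}
    for e in entries if isinstance(entries, list) else []:
        ts = (e.get("metadata") or {}).get("installedTimestamp")  # epoch milliseconds
        if ts:
            key = ((e.get("identifier") or {}).get("id", "").lower(), e.get("version"))
            times[key] = datetime.fromtimestamp(ts / 1000, tz=timezone.utc)
    return times

def scan(home):
    """Return one finding per installed Nx Console copy under a home directory."""
    findings = []
    for root in filter(Path.is_dir, (Path(home) / r for r in ROOTS)):
        times = install_times(root)
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            ident = manifest_id(ext_dir)
            if not ident or ident[0] != EXT_ID:
                continue
            when = times.get(ident)
            findings.append({"path": str(ext_dir), "version": ident[1],
                             "compromised": ident[1] == BAD_VERSION,
                             "installed_utc": when.isoformat() if when else None,
                             "in_window": bool(when and WINDOW[0] <= when <= WINDOW[1])})
    return findings

if __name__ == "__main__":
    print(json.dumps(scan(Path.home()), indent=2))
```

A finding with `compromised` set means the trojanized build is on disk; `in_window` alone means an install or update landed during the exposure period and the host should be checked even if the extension has since been upgraded.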
Monitoring Recommendations
- Alert on any VS Code extension host process reading sensitive credential files or accessing cloud metadata endpoints
- Monitor for new outbound destinations from developer workstations during and after the exposure window
- Track extension version drift to detect rapid downgrades or unexpected updates of build tooling
How to Mitigate CVE-2026-48027
Immediate Actions Required
- Upgrade Nx Console to version 18.100.0 or later on every developer workstation and CI runner
- Uninstall Nx Console entirely on any system that ran 18.95.0, then reinstall the clean release
- Rotate all credentials accessible from affected workstations, including SSH keys, npm tokens, cloud API keys, and Git access tokens
- Review CI/CD audit logs for unauthorized actions performed with potentially exposed tokens
Patch Information
The vendor published Nx Console 18.100.0 as the remediated version. Refer to the GitHub Security Advisory GHSA-c9j4-9m59-847w for the authoritative fix announcement and the Nx Console Postmortem for full remediation guidance. CISA has added CVE-2026-48027 to the Known Exploited Vulnerabilities Catalog.
Workarounds
- Disable automatic extension updates in VS Code until inventory confirms no exposure to 18.95.0
- Pin Nx Console to 18.100.0 or later through enterprise extension management policies
- Block outbound traffic from developer endpoints to indicators of compromise published in the vendor postmortem
# Verify the installed Nx Console version
code --list-extensions --show-versions | grep -iE "nx-console|angular-console"
# If the output shows 18.95.0, remove the extension and install the clean release
code --uninstall-extension nrwl.angular-console
code --install-extension nrwl.angular-console@18.100.0


