What is Nx Console?
Nx Console is the official VS Code extension for Nx, a widely used monorepo build system and developer tooling framework from Nrwl. With over 2.2 million installs, Nx Console provides GUI-based task runners, code generators, and project graph visualization for TypeScript monorepos. It is a core part of many enterprise development workflows at organizations including OpenAI, Grafana Labs, and Mistral AI.
Overview
CVE-2026-48027 is a supply-chain attack in which a malicious version of the Nx Console VS Code extension (18.95.0) was published to both the VS Code Marketplace and OpenVSX on May 18, 2026. The compromised extension fetched a 498 KB obfuscated JavaScript payload from an orphan commit (558b09d7) in the official nrwl/nx repository — a commit with no branch parent, invisible to standard repository browsing. Upon workspace open, the payload ran silently within seconds and harvested credentials from a broad range of sources. CISA confirmed active exploitation and added the CVE to the KEV catalog on May 27, 2026, with a deadline of June 10, 2026.
The attack was enabled by the prior TanStack supply-chain compromise (CVE-2026-45321), in which a contributor's GitHub credentials were stolen. Those credentials were used to push the orphan payload commit and publish the malicious extension under the legitimate nrwl publisher identity.
Affected Versions
| Component | Malicious Version | Status |
|---|---|---|
| Nx Console (VS Code Marketplace) | 18.95.0 | Pulled after ~11 minutes |
| Nx Console (OpenVSX) | 18.95.0 | Pulled after ~36 minutes |
| Nx Console ≤ 18.94.x | Not affected | — |
| Nx Console ≥ 18.100.0 | Not affected (clean) | Recommended update |
Technical Details
The attack exploited VS Code's auto-update mechanism to silently push the malicious update to a fraction of the 2.2M+ install base during the exposure window.
The malicious payload (fetched from orphan commit 558b09d7) harvested credentials from multiple sources:
- GitHub tokens matching the prefixes ghp_, gho_, ghs_
- npm auth tokens from .npmrc
- AWS credentials (IMDS endpoint and ~/.aws/credentials)
- GCP metadata service
- Kubernetes service-account tokens
- HashiCorp Vault token files
- 1Password CLI vault data
- SSH private keys
- Docker credential stores
- Process memory (regex scan on Linux via /proc/*/mem)
- Claude Code configuration (~/.claude/settings.json)
Exfiltration used three simultaneous channels: HTTPS POST to a C2 server, the GitHub API (using the victim's own stolen tokens to push data to attacker-controlled repositories), and DNS tunneling. On macOS, the payload also installed a Python backdoor at ~/.local/share/kitty/cat.py that polled the GitHub Search API for RSA-PSS-signed commands.
Stolen npm OIDC tokens were used with Sigstore/Fulcio to publish downstream packages with valid SLSA provenance, making the downstream packages appear legitimately signed.
Discovery
The compromise was detected within 11 minutes by Nx maintainer jaysoo, who noticed an unexpected upload notification and immediately unpublished the extension. StepSecurity subsequently published a detailed IOC analysis tracing the root cause to the TanStack credential theft.
Exploitation Context
CISA confirmed active exploitation. Credentials harvested via the malicious extension were used to breach approximately 3,800 GitHub internal repositories and compromise developer machines at OpenAI, Grafana Labs, and Mistral AI. The attack chain originated with the TanStack Mini Shai-Hulud worm campaign (CVE-2026-45321), attributed to the threat actor group TeamPCP.
Remediation
- Update Nx Console to version 18.100.0 or later — the first clean release following the incident.
- Rotate all credentials if Nx Console 18.95.0 was installed at any point on May 18, 2026:
  - GitHub personal access tokens and OAuth tokens
  - npm authentication tokens
  - AWS access keys and GCP service account keys
  - Kubernetes service-account tokens
  - SSH private keys and HashiCorp Vault tokens
  - 1Password CLI credentials and Docker credentials
- Check for the macOS backdoor: ls ~/.local/share/kitty/cat.py; remove the file if present.
- Audit GitHub repository access logs for unexpected pushes or API calls originating from your tokens during May 18, 2026.
- Review VS Code auto-update settings — consider disabling automatic extension updates and pinning extension versions in managed environments.
- For federal agencies: apply mitigations per CISA Alert AA26-148A before June 10, 2026.
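As an added triage example (this is not tooling from Nx, StepSecurity or CISA), the script below checks a developer workstation against the Affected Versions table and the remediation steps above: it classifies each installed Nx Console version, tests for the macOS backdoor path, and lists which of the credential stores named under Technical Details exist on the host so the rotation list can be scoped to what was actually exposed. It assumes that the VS Code code CLI prints one publisher.name@version line per extension for --list-extensions --show-versions, that the Nx Console publisher id starts with nrwl., and that the credential paths not given on the page (.ssh keys, .docker/config.json, .vault-token, .kube/config) are those tools' default locations; versions 18.96 through 18.99 are reported as not listed, because the advisory says nothing about them. Run it with: sh nx_console_triage.sh --scan

```shell
#!/bin/sh
# nx_console_triage.sh: post-incident checks for CVE-2026-48027 on a developer
# workstation. Added example, not tooling from Nx, StepSecurity or CISA.
# Assumptions (not stated in the advisory): `code --list-extensions --show-versions`
# prints one "publisher.name@version" line per installed extension, the Nx Console
# publisher id starts with "nrwl.", and the paths in CRED_PATHS that are not on the
# page are the default locations those tools use.

MALICIOUS_VERSION="18.95.0"        # the pulled release (advisory)
FIRST_AFFECTED_VERSION="18.95.0"   # everything below this (<= 18.94.x) is not affected
FIRST_CLEAN_VERSION="18.100.0"     # first clean release (advisory)
BACKDOOR_REL_PATH=".local/share/kitty/cat.py"   # macOS implant path (advisory)

# Credential stores the payload read, as paths relative to $HOME. .npmrc,
# .aws/credentials and .claude/settings.json come from the advisory; the rest
# are my assumptions about each tool's default location.
CRED_PATHS=".npmrc .aws/credentials .claude/settings.json .ssh/id_rsa .ssh/id_ed25519 .docker/config.json .vault-token .kube/config"

# vercmp A B: prints -1, 0 or 1 as dotted version A is <, = or > B. Pure awk so it
# works with BSD sort on macOS, which has no sort -V; compares numerically, so
# 18.100.0 sorts after 18.95.0.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) { print "-1"; exit }
      if (xi > yi) { print "1"; exit }
    }
    print "0"
  }'
}

# classify_version V: "malicious", "not-affected" or "not-listed" according to the
# advisory's affected-versions table (18.96 through 18.99 are not listed either way).
classify_version() {
  if [ "$1" = "$MALICIOUS_VERSION" ]; then
    echo "malicious"
  elif [ "$(vercmp "$1" "$FIRST_AFFECTED_VERSION")" -lt 0 ] || \
       [ "$(vercmp "$1" "$FIRST_CLEAN_VERSION")" -ge 0 ]; then
    echo "not-affected"
  else
    echo "not-listed"
  fi
}

# installed_nx_console_versions: one version string per installed Nx Console copy,
# from the VS Code CLI; falls back to ~/.vscode/extensions directory names
# (assumed to look like nrwl.<name>-<version>).
installed_nx_console_versions() {
  if command -v code >/dev/null 2>&1; then
    code --list-extensions --show-versions 2>/dev/null \
      | grep -i '^nrwl\.' | grep -i 'console' | sed 's/.*@//'
  elif [ -d "$HOME/.vscode/extensions" ]; then
    ls "$HOME/.vscode/extensions" | grep -i '^nrwl\.' | grep -i 'console' | sed 's/.*-//'
  fi
}

# backdoor_present HOME_DIR: exit 0 if the macOS implant file exists under HOME_DIR.
backdoor_present() {
  [ -e "$1/$BACKDOOR_REL_PATH" ]
}

# present_credential_stores HOME_DIR: prints the credential files that exist under
# HOME_DIR, i.e. the secrets that need rotating if 18.95.0 was ever installed.
present_credential_stores() {
  for rel in $CRED_PATHS; do
    [ -e "$1/$rel" ] && echo "$1/$rel"
  done
  return 0
}

main() {
  found=0
  for v in $(installed_nx_console_versions); do
    found=1
    echo "Nx Console $v: $(classify_version "$v")"
  done
  [ "$found" -eq 1 ] || echo "Nx Console: not installed (or the code CLI is not on PATH)"
  if backdoor_present "$HOME"; then
    echo "ALERT: implant found at $HOME/$BACKDOOR_REL_PATH; remove it and treat the host as compromised"
  else
    echo "macOS implant path clean"
  fi
  echo "Credential stores present on this host (rotate if 18.95.0 was ever installed):"
  present_credential_stores "$HOME"
}

if [ "${1:-}" = "--scan" ]; then
  main
fi
```

Since the malicious version was auto-installed and pulled within minutes, the version check alone does not prove a host was never exposed; treat the credential-store listing as the rotation scope whenever a host had auto-update enabled during the May 18 window.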
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-48027 |
| Vendor / Product | Nx — Nx Console |
| NVD Published | 2026-05-27 |
| NVD Last Modified | 2026-05-27 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-506 |
| CISA KEV Added | 2026-05-27 |
| CISA KEV Deadline | 2026-06-10 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2026-05-11 | TanStack supply-chain compromise (CVE-2026-45321) leaks Nx contributor GitHub credentials |
| 2026-05-18 | Malicious Nx Console 18.95.0 uploaded to VS Code Marketplace at 12:30 UTC; maintainer notified at 12:36 UTC |
| 2026-05-18 | Malicious version unpublished from VS Code Marketplace (~11 min window); removed from OpenVSX at 13:09 UTC (~36 min window) |
| 2026-05-27 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-06-10 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2026-48027 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| GitHub Security Advisory GHSA-c9j4-9m59-847w | Vendor Advisory |
| Nx Console v18.95.0 Postmortem — Nx Blog | Vendor Advisory |
| Nx Console VS Code Extension Compromised — StepSecurity IOC Analysis | Security Research |
| CISA Alert AA26-148A — Supply-Chain Compromises Impact Nx Console | US Government |
| Compromised Nx Console 18.95.0 Targeted Developer Credentials — The Hacker News | News Article |
| CISA Adds Daemon Tools, TanStack, and Nx Console Flaws to KEV — Security Affairs | News Article |