Summary
CVE-2026-48027 is a critical supply chain security incident affecting Nx Console version 18.95.0. A malicious build of the extension was briefly published to the Visual Studio Marketplace and OpenVSX on May 19, 2026, before being removed. The compromised release contained embedded malicious code capable of collecting credentials, tokens, and other sensitive information from developer systems and transmitting the data externally. The issue is limited to version 18.95.0, while version 18.100.0 and later releases are not affected.
Due to confirmed exploitation in the wild and the potential exposure of development environments, organizations should take immediate remediation measures.
Urgent Actions Required
- Upgrade Nx Console to version 18.100.0 or later immediately.
- Remove any installation of the compromised version 18.95.0.
- Review the vendor's indicators of compromise (IOCs) to determine whether affected systems installed the malicious release during the exposure window.
- Terminate any identified malicious processes and remove associated persistence artifacts.
- Rotate credentials, access tokens, secrets, and SSH keys that may have been exposed.
- Review source code repositories, development assets, and build artifacts for signs of unauthorized access, modification, or data exfiltration.
Which Systems Are Vulnerable to CVE-2026-48027?
Technical Overview
- Vulnerability Type: Embedded Malicious Code (CWE-506)
- Affected Software/Versions:
- Nx Console version 18.95.0
- CVSS Vector: v3.1
- Attack Vector: Network (WebSocket)
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Patch Availability: Yes, available
How Does the CVE-2026-48027 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2026-48027?
Vulnerability Root Cause:
CVE-2026-48027 originated from a compromised release of the Nx Console extension. A malicious version, 18.95.0, was published to official extension marketplaces and contained embedded malicious code. When installed and activated, the compromised extension could collect credentials, tokens, and other sensitive information from affected developer systems.
The issue is classified as CWE-506: Embedded Malicious Code, reflecting the inclusion of unauthorized functionality within a trusted software component.
How Can You Mitigate CVE-2026-48027?
If immediate patching is delayed or not possible:
- Identify and remove Nx Console version 18.95.0 from affected systems.
- Review vendor-provided indicators of compromise (IOCs) to determine whether the malicious release was installed.
- Check systems for known persistence artifacts and suspicious processes associated with the compromise.
- Rotate credentials, tokens, secrets, and SSH keys that may have been accessible from affected machines.
- Inspect source code repositories, development assets, and build outputs for signs of unauthorized access or data exposure.
Which Assets and Systems Are at Risk?
- Asset Types Affected:
- Nx Console Installations - Systems running the compromised Nx Console version 18.95.0.
- Developer Workstations - Machines where the affected extension was installed and activated.
- Development Environments - Local environments used for software development with Nx Console.
- Business-Critical Systems at Risk:
- Source Code Repositories - Credentials harvested from affected systems could expose repository access.
- Cloud and Development Resources - Tokens and secrets accessible from compromised machines may be exposed.
- Build Assets - Development artifacts and related resources may require review for unauthorized access or tampering.
- Exposure Level:
- Systems Running Nx Console 18.95.0 - Organizations that installed the compromised release during the exposure window are at risk.
- Developer Machines with Accessible Credentials or Secrets - Systems containing tokens, keys, or other sensitive information may be impacted.
Will Patching CVE-2026-48027 Cause Downtime?
Patch application impact: Low. Upgrade Nx Console to version 18.100.0 or later and remove version 18.95.0. Review affected systems for indicators of compromise.
Mitigation (if immediate patching is not possible): Remove version 18.95.0, check for indicators of compromise, delete persistence artifacts, and rotate exposed credentials and secrets.
How Can You Detect CVE-2026-48027 Exploitation?
Indicators of Compromise (IOCs/IOAs):
- Installation of Nx Console version 18.95.0 during the exposure window.
- Presence of files such as cat.py, .gh_update_state, bun.exe, or kitty-* artifacts.
- Running processes associated with cat.py or the __DAEMONIZED=1 environment variable.
Behavioral Indicators:
- Unexpected credential or token access from developer systems.
- Unauthorized collection or transmission of sensitive data from affected machines.
Remediation & Response
- Incident Response Considerations:
- Upgrade Nx Console to version 18.100.0 or later.
- Remove any installation of version 18.95.0.
- Review vendor-provided indicators of compromise (IOCs).
- Remove identified persistence artifacts and stop associated processes.
- Rotate potentially exposed credentials, tokens, secrets, and SSH keys.
- Review source code repositories, development assets, and build artifacts for unauthorized access or data exposure.
See More. Detect Faster. Respond Smarter with Fidelis NDR
-
-
- Full visibility across network traffic and encrypted communications
- Automated threat detection, hunting, and malware analysis
- Integrated DLP, forensics, sandboxing, and threat intelligence
-
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 9.8 | Critical vulnerability with significant impact on affected systems. |
| Attack Vector | Network | The compromised extension was distributed through online extension marketplaces. |
| Attack Complexity | Low | Exploitation does not require complex conditions. |
| Privileges Required | None | No privileges are required to obtain the compromised extension. |
| User Interaction | None | CVSS scoring assigns no user interaction requirement. |
| Scope | Unchanged | Impact remains within the affected component. |
| Confidentiality Impact | High | Sensitive credentials, tokens, and secrets may be exposed. |
| Integrity Impact | High | Malicious code can affect the integrity of the development environment. |
| Availability Impact | High | The compromised extension can adversely affect systems. |
References:
