Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the compromised version was available from 12:33 UTC to 13:09 UTC (~36 minutes). Version 18.100.0 of Nx Console is not compromised and users may remediate by upgrading to that version.
AnalysisAI
Embedded malicious code in Nx Console (the editor extension for Nx and Lerna) version 18.95.0 turned a trusted developer tool into a trojan during a brief publish window on 19 May 2026. The poisoned build was live on the Visual Studio Marketplace for roughly 18 minutes (12:30-12:48 UTC) and on OpenVSX for roughly 36 minutes (12:33-13:09 UTC); any developer who installed or auto-updated during those windows executed attacker-controlled code inside their IDE, tagged here as information disclosure. It is confirmed actively exploited (CISA KEV) and publicly available exploit code exists, with CISA SSVC rating exploitation as active, automatable, and total technical impact; the clean release 18.100.0 is the fix.
Technical ContextAI
This is a software supply-chain compromise rather than a code-level bug, which is why it is classified under CWE-506 (Embedded Malicious Code) instead of a memory-safety or injection weakness. Nx Console is an IDE extension distributed as a marketplace package (VS Code's Visual Studio Marketplace and the vendor-neutral OpenVSX registry), so a single tampered publish propagates automatically to every developer whose editor pulls updates. Because IDE extensions run with the developer's privileges and have access to the workspace, environment variables, shell, and any cached credentials or tokens, malicious extension code can read and exfiltrate secrets directly. The EUVD record (EUVD-2026-32550) pins the malicious artifact precisely to nx-console = 18.95.0; no broader CPE range is provided because only the single compromised build is affected.
RemediationAI
Vendor-released patch: 18.100.0 - upgrade Nx Console to 18.100.0, which the vendor confirms is not compromised, and verify the installed version in both VS Code and any OpenVSX-based editor (e.g., Cursor, VSCodium). Because the malicious build executed in the developer's context, anyone who ran 18.95.0 during the publish windows should treat it as a credential-exposure incident: rotate IDE/Git/cloud tokens, package-registry tokens, and SSH keys, and hunt against the indicators of compromise published at https://nx.dev/blog/nx-console-v18-95-0-postmortem#indicators-of-compromise and the StepSecurity analysis at https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised. Review the advisory at https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w and the tracking issue at https://github.com/nrwl/nx-console/issues/3139. As a forward-looking control, disable automatic extension updates and pin extension versions so a future poisoned publish cannot auto-install, accepting the trade-off that you must then manually apply legitimate updates; the artifact is also catalogued in CISA KEV at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48027.
Same weakness CWE-506 – Embedded Malicious Code
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32550