Skip to main content

Nx Console EUVDEUVD-2026-32550

| CVE-2026-48027 CRITICAL
Embedded Malicious Code (CWE-506)
2026-05-27 security-advisories@github.com
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 27, 2026 - 19:51 vuln.today
Added to CISA KEV
May 27, 2026 - 19:46 CISA
CVE Published
May 27, 2026 - 17:16 nvd
CRITICAL 9.3

DescriptionGitHub Advisory

Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the compromised version was available from 12:33 UTC to 13:09 UTC (~36 minutes). Version 18.100.0 of Nx Console is not compromised and users may remediate by upgrading to that version.

AnalysisAI

Embedded malicious code in Nx Console (the editor extension for Nx and Lerna) version 18.95.0 turned a trusted developer tool into a trojan during a brief publish window on 19 May 2026. The poisoned build was live on the Visual Studio Marketplace for roughly 18 minutes (12:30-12:48 UTC) and on OpenVSX for roughly 36 minutes (12:33-13:09 UTC); any developer who installed or auto-updated during those windows executed attacker-controlled code inside their IDE, tagged here as information disclosure. It is confirmed actively exploited (CISA KEV) and publicly available exploit code exists, with CISA SSVC rating exploitation as active, automatable, and total technical impact; the clean release 18.100.0 is the fix.

Technical ContextAI

This is a software supply-chain compromise rather than a code-level bug, which is why it is classified under CWE-506 (Embedded Malicious Code) instead of a memory-safety or injection weakness. Nx Console is an IDE extension distributed as a marketplace package (VS Code's Visual Studio Marketplace and the vendor-neutral OpenVSX registry), so a single tampered publish propagates automatically to every developer whose editor pulls updates. Because IDE extensions run with the developer's privileges and have access to the workspace, environment variables, shell, and any cached credentials or tokens, malicious extension code can read and exfiltrate secrets directly. The EUVD record (EUVD-2026-32550) pins the malicious artifact precisely to nx-console = 18.95.0; no broader CPE range is provided because only the single compromised build is affected.

RemediationAI

Vendor-released patch: 18.100.0 - upgrade Nx Console to 18.100.0, which the vendor confirms is not compromised, and verify the installed version in both VS Code and any OpenVSX-based editor (e.g., Cursor, VSCodium). Because the malicious build executed in the developer's context, anyone who ran 18.95.0 during the publish windows should treat it as a credential-exposure incident: rotate IDE/Git/cloud tokens, package-registry tokens, and SSH keys, and hunt against the indicators of compromise published at https://nx.dev/blog/nx-console-v18-95-0-postmortem#indicators-of-compromise and the StepSecurity analysis at https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised. Review the advisory at https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w and the tracking issue at https://github.com/nrwl/nx-console/issues/3139. As a forward-looking control, disable automatic extension updates and pin extension versions so a future poisoned publish cannot auto-install, accepting the trade-off that you must then manually apply legitimate updates; the artifact is also catalogued in CISA KEV at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48027.

Share

EUVD-2026-32550 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy