CRITICAL | CVE-2026-48027 | CNA: GitHub_M

CVE-2026-48027: Compromised Nx Console version 18.95.0

Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the compromised version was available from 12:33 UTC to 13:09 UTC (~36 minutes). Version 18.100.0 of Nx Console is not compromised and users may remediate by upgrading to that version.

HarborGuard Analysis

Synopsis

This is a supply-chain compromise of Nx Console version 18.95.0, the Visual Studio Code extension for Nx and Lerna. The malicious build was published to the Visual Studio Marketplace and OpenVSX on 19 May 2026 and was served to anyone who installed or auto-updated the extension during the exposure window (about 18 minutes on the Visual Studio Marketplace, about 36 minutes on OpenVSX). An extension runs with the full privileges of the developer's IDE process, so installing the compromised build gives the attacker read, write and denial-of-service capability on the affected system (VC:H/VI:H/VA:H in the CVSS v4.0 vector). The upstream advisory names 18.100.0 as a clean version and upgrading to it is the recommended remediation; no fixed-in version has been published in the advisory feed, however, so HarborGuard has not yet produced a patched-image rebuild and is tracking the advisory for that field.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-48027 is active in every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle the compromised Nx Console 18.95.0 extension (package nrwl / nx-console). Any image layer containing the affected package version is flagged on the next scan cycle.

Triage: Available

HarborGuard scores this CVE at 9.3 CRITICAL from the published CVSS v4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) and surfaces it at the top of the findings queue. Per-environment compliance policy weighting and team-routing rules are applied so the alert reaches the right inbox inside each customer organization without manual filtering.

Patch: Pending upstream

The upstream advisory names 18.100.0 as a clean version, but no fixed-in version has been published in the advisory feed, so HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as a fixed version is confirmed there. In the interim, customers can use HarborGuard policy controls to flag or block any image containing Nx Console 18.95.0 from progressing through the pipeline, and developers should upgrade their installs to 18.100.0.

Exploit Conditions

  • Network reachability: Required

    The malicious extension is distributed over the network via the Visual Studio Marketplace and OpenVSX, so the attacker's payload reaches victims through the standard extension-delivery channel (AV:N).

  • Authentication: Not required

    No account or credentials are required; any developer whose client fetched the extension during the exposure window received the compromised package (PR:N).

  • Victim interaction: Not required

    No explicit victim action beyond a normal install or auto-update is needed; the extension manager fetches the new version transparently (UI:N). Installs pinned to an earlier version, or clients that did not check for updates during the window, were not affected.

  • Attack complexity: Low

    Once the malicious version is served, it executes on every machine that fetches it; no race condition or special environment configuration is required on the attacker's side (AC:L, AT:N).

Blast Radius

  • Reads secrets, tokens, and source files accessible to the developer's IDE process.
  • Writes or modifies files on the developer's workstation, including project source code and configuration.
  • Can crash or degrade the developer's local environment and any build tooling driven by Nx Console.
  • Provides a foothold on the developer's machine that can be used to pivot into connected CI systems or cloud credentials stored locally.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-48027 is active and any image containing Nx Console 18.95.0 is surfaced as a CRITICAL finding. The upstream advisory identifies 18.100.0 as a clean version, but no fixed-in version has yet been published in the advisory feed, so HarborGuard monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available as soon as a fixed version is confirmed there. In the meantime, customers are advised to enforce a policy rule blocking promotion of any image that includes Nx Console 18.95.0; upgrade developer installs to 18.100.0 and confirm the version actually present on disk; apply network-policy isolation to development workloads that may carry the compromised extension; and audit extension fetch timestamps against the known exposure windows on 19 May 2026 (12:30-12:48 UTC on Visual Studio Marketplace; 12:33-13:09 UTC on OpenVSX) to identify which developer machines or build containers may have fetched the package. A machine that ran 18.95.0 should be treated as compromised: the secrets and tokens reachable from the IDE process (see Blast Radius) should be rotated rather than only removing the extension. For customers who opt into auto-remediation, a rebuild and pull-request flow against affected workloads will trigger automatically once an upstream fix is published.
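The fetch-timestamp audit recommended above, as an added example; it is not HarborGuard's or Nx Console's code. It assumes VS Code's on-disk layout of <root>/<publisher>.<name>-<version>/package.json, that the extension's on-disk identifier is nrwl / nx-console as listed under affected packages, and that a directory's modification time is an acceptable proxy for when the extension was fetched. The sample records are constructed. The same scan can be pointed at an extensions directory extracted from a container image.

```python
"""Audit a VS Code extensions directory for the compromised Nx Console build (CVE-2026-48027).

Added example for this advisory; not HarborGuard's or Nx Console's code. Assumptions:
  * extensions live under <root>/<publisher>.<name>-<version>/package.json with "publisher",
    "name" and "version" fields (VS Code's on-disk layout);
  * the on-disk identifier is nrwl / nx-console, as listed in the advisory's affected packages;
  * a directory's mtime approximates when the extension was fetched (a proxy, not a fetch log).
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

UTC = timezone.utc

# Affected package and version, from the advisory.
COMPROMISED = {("nrwl", "nx-console"): {"18.95.0"}}


def parse_utc(s: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MMZ' as an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%MZ").replace(tzinfo=UTC)


# Exposure windows stated in the advisory (19 May 2026, UTC). They overlap, so one
# timestamp can fall inside both.
EXPOSURE_WINDOWS = {
    "vs-marketplace": (parse_utc("2026-05-19T12:30Z"), parse_utc("2026-05-19T12:48Z")),
    "open-vsx": (parse_utc("2026-05-19T12:33Z"), parse_utc("2026-05-19T13:09Z")),
}


@dataclass
class Finding:
    path: str
    publisher: str
    name: str
    version: str
    fetched_at: datetime
    status: str         # "compromised" | "review" | "clean"
    windows: List[str]  # marketplaces whose exposure window contains fetched_at


def windows_containing(ts: datetime) -> List[str]:
    """Names of the marketplaces whose exposure window contains ts."""
    return [m for m, (start, end) in EXPOSURE_WINDOWS.items() if start <= ts <= end]


def classify(publisher: str, name: str, version: str, fetched_at: datetime) -> Tuple[str, List[str]]:
    """'compromised' on the exact bad version; 'review' when the affected extension (any other
    version) was fetched inside a window, since an auto-update may have passed through 18.95.0
    before the directory was replaced; 'clean' otherwise."""
    hits = windows_containing(fetched_at)
    bad_versions = COMPROMISED.get((publisher, name))
    if bad_versions is None:
        return "clean", hits
    if version in bad_versions:
        return "compromised", hits
    return ("review" if hits else "clean"), hits


def audit(records: Iterable[Tuple[str, str, datetime]]) -> List[Finding]:
    """records are (extension dir, package.json text, fetch time); pure, so it runs offline."""
    findings: List[Finding] = []
    for path, manifest_text, fetched_at in records:
        try:
            m = json.loads(manifest_text)
            publisher, name, version = m["publisher"], m["name"], m["version"]
        except (ValueError, KeyError, TypeError):
            continue  # not a manifest this example understands; skip rather than guess
        status, hits = classify(publisher, name, version, fetched_at)
        findings.append(Finding(path, publisher, name, version, fetched_at, status, hits))
    return findings


def scan_extensions(root: Optional[Path] = None) -> List[Finding]:
    """Walk a real extensions directory (default ~/.vscode/extensions, or one extracted from an
    image), using each directory's mtime as the fetch time."""
    root = root or Path.home() / ".vscode" / "extensions"
    if not root.is_dir():
        return []
    records = []
    for d in sorted(p for p in root.iterdir() if p.is_dir()):
        manifest = d / "package.json"
        if manifest.is_file():
            fetched_at = datetime.fromtimestamp(d.stat().st_mtime, tz=UTC)
            records.append((str(d), manifest.read_text(encoding="utf-8"), fetched_at))
    return audit(records)


def sample_records() -> List[Tuple[str, str, datetime]]:
    """Constructed sample input, not real data: three extension directories with made-up times."""
    def manifest(pub: str, name: str, ver: str) -> str:
        return json.dumps({"publisher": pub, "name": name, "version": ver})
    return [
        ("ext/nrwl.nx-console-18.95.0", manifest("nrwl", "nx-console", "18.95.0"),
         parse_utc("2026-05-19T12:41Z")),   # the bad build, pulled inside both windows
        ("ext/nrwl.nx-console-18.100.0", manifest("nrwl", "nx-console", "18.100.0"),
         parse_utc("2026-05-19T13:05Z")),   # clean version, but fetched inside the OpenVSX window
        ("ext/other.helper-1.0.0", manifest("other", "helper", "1.0.0"),
         parse_utc("2026-05-19T12:35Z")),   # unrelated extension fetched in the window
    ]


if __name__ == "__main__":
    for f in audit(sample_records()):
        print(f"{f.status:11} {f.publisher}.{f.name}@{f.version:<9} "
              f"fetched {f.fetched_at:%Y-%m-%d %H:%M}Z windows={f.windows}")
```

Run it against a real workstation with `scan_extensions()`; a "compromised" finding is definitive, a "review" finding means the affected extension was fetched inside a window and the version on disk should be cross-checked against the marketplace client's own logs before the machine is cleared.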


Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: not listed in the advisory feed (the description names 18.100.0 as a clean version)
Affected products: 1
Affected packages:
  • nrwl / nx-console = 18.95.0
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N