CVE-2026-48027
Published May 27, 2026
Last updated 2 days ago
AI description
CVE-2026-48027 identifies a supply-chain compromise involving a malicious version of the Nx Console Visual Studio Code extension, specifically version 18.95.0. This compromised extension was published to the Visual Studio Marketplace and Open VSX on May 18, 2026, after an attacker gained unauthorized access to a legitimate Nx developer's GitHub credentials, likely through a broader supply-chain attack affecting TanStack npm packages. The malicious Nx Console extension contained an obfuscated payload designed to harvest a wide array of sensitive credentials from affected developer machines. These included GitHub tokens, npm authentication tokens, AWS credentials, Vault tokens, Kubernetes and AWS IAM authentication details, 1Password CLI session data, SSH private keys, and Google Cloud and Docker credentials. The incident led to the exfiltration of approximately 3,800 of GitHub's internal repositories and impacted other organizations such as OpenAI, Grafana Labs, and Mistral AI.
- Description: Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the compromised version was available from 12:33 UTC to 13:09 UTC (~36 minutes). Version 18.100.0 of Nx Console is not compromised and users may remediate by upgrading to that version.
- Source: security-advisories@github.com
- NVD status: Analyzed
- Products: nx_console
CVSS 4.0
- Type: Secondary
- Base score: 9.3
- Impact score: -
- Exploitability score: -
- Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity: CRITICAL
CVSS 3.1
- Type: Primary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
Data from CISA
- Vulnerability name: Nx Console Embedded Malicious Code Vulnerability
- Exploit added on: May 27, 2026
- Exploit action due: Jun 10, 2026
- Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- security-advisories@github.com: CWE-506
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 1
⚠️ CVE-2026-48027: Nx Console v18.95.0 was a supply chain attack. A malicious build fetched obfuscated payloads to harvest data. CVSS 9.3, KEV-listed, actively exploited. Remove it now. https://t.co/8mRTNFSt15 https://t.co/WpMy7Y2oPC
@SecAlertsCo
28 May 2026
Three CVEs have been added to the list of known exploits; CVE-2026-45321 (TanStack), CVE-2026-48027 (Nx Console) and CVE-2026-8398 (DAEMON Tools Lite). The trio has been linked to an attack campaign named "Mini Shai-Hulud" and has been attributed to cybercriminal group 'TeamPCP'.
@Leila97726926
28 May 2026
Warning: #CISA added new vulnerabilities to its KEV list: CVE-2026-48027 in #Nx Console, CVE-2026-8398 in #Daemon Tools Lite and CVE-2026-45321 in #Tanstack. Make sure you are running the non-malicious version of the packages to avoid a supply chain attack. #Patch #Patch #Patch
@CCBalert
28 May 2026
CISA adds three known exploited vulnerabilities to its catalog. CISA Adds Three Known Exploited Vulnerabilities to Catalog #CISA (May 27) CVE-2026-8398 Daemon Tools Lite Embedded Malicious Code Vulnerability CVE-2026-45321 TanStack unspecified
@foxbook
28 May 2026
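[Supply chain attack] The US Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2026-8398 in Daemon Tools Lite, CVE-2026-45321 in TanStack, and CVE-2026-48027 in Nx Console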
@__kokumoto
27 May 2026
🚨 CVE-2026-48027 — CVSS 9.8/10 ██████████ Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was... Severity: CRITICAL Patch now. #cybersecurity #CVE https://t.co/jbJNZQ88lG
@OrizonCyber
27 May 2026
CVE-2026-8398 Daemon Tools Lite Embedded Malicious Code Vulnerability CVE-2026-45321 TanStack Unspecified Vulnerability CVE-2026-48027 Nx Console Embedded Malicious Code Vulnerability
@zerotalktoai
27 May 2026
🛡️ We added Daemon Tools Lite embedded malicious code vulnerability CVE-2026-8398, TanStack vulnerability CVE-2026-45321 & Nx Console vulnerability CVE-2026-48027 to our KEV Catalog. Visit https://t.co/myxOwap1Tf for more information. #Cybersecurity #InfoSec https://t.c
@CISACyber
27 May 2026
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:nx:nx_console:18.95.0:*:*:*:*:visual_studio_code:*:*",
            "matchCriteriaId": "A748F70F-02F7-4793-89AE-7666A2D213F1",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]