Malware in the Nx Console extension (CVE-2026-48027) — a supply-chain attack that steals developer credentials
A malicious version of "Nx Console," a popular IDE extension for the Nx build system, was published; it fetches an obfuscated payload and harvests credentials (tokens and keys) from disk and memory. CISA listed it as known-exploited (KEV) with confirmed ransomware use (CVSS 9.8 Critical).
Key facts
- CVE ID: CVE-2026-48027
- CVSS base score: 9.8 CRITICAL
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Affected (vendor / product): Nx / Nx Console
- CWE: CWE-506
- Exploitation: Listed in CISA KEV (exploitation confirmed); also confirmed used in ransomware
- Remediation due: 2026-06-10 (U.S. federal civilian agencies, BOD 22-01)
Key points
- A tampered build of Nx Console (an IDE extension for the Nx build system) fetched and ran an obfuscated payload
- It stole credentials from disk and memory (GitHub/npm tokens, SSH keys, cloud credentials, etc.)
- Listed in CISA KEV = exploitation confirmed; ransomware use also confirmed (CVSS 9.8 Critical)
- Response: update to a safe version / uninstall, and rotate every credential used on the machine
- Federal civilian remediation deadline was June 10, 2026 (a practical benchmark for others)
CVE-2026-48027 covers a case where a version of "Nx Console" — the IDE extension for Nx (a monorepo build/task runner) — was published with malicious code embedded. It was added to CISA's KEV (Known Exploited Vulnerabilities) catalog on May 27, 2026 and is classified as CWE-506 (embedded malicious code).
The attack flow: installing the tampered extension downloads and executes an obfuscated payload from an external source, then harvests every credential it can find on disk or in memory. The targets are the "keys" developers handle daily — GitHub and npm access tokens, SSH private keys, cloud (e.g. AWS) credentials. Once stolen, an attacker can impersonate a legitimate developer and reach source code, CI/CD, and production.
This class of attack is dangerous because (1) it abuses the trusted distribution channel of a tool developers rely on (an extension marketplace or npm), so it is hard to notice, and (2) compromising a single developer's machine can become a foothold that spreads across the whole organization. CISA has also confirmed exploitation in ransomware campaigns, so priority is high.
Key response: if you use Nx Console, check the vendor's official GitHub Security Advisory, identify affected versions, and update to a known-good version (or uninstall for now). Then revoke and reissue (rotate) every token, key, and password that may have been used on that machine, and review CI/CD and cloud access logs for suspicious use. U.S. federal civilian agencies were required to remediate by June 10, 2026 (a practical benchmark for others, too).
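The two response steps above (check the installed extension version, then rotate every credential store the payload could have reached) are the kind of thing worth scripting once so every affected developer machine is triaged the same way. The following is an added example written for this page, not code from the Nx project or from CISA. It assumes a VS Code-style extensions directory in which each extension ships a package.json with publisher, name and version fields; the marketplace identifier nrwl.angular-console is an assumption to verify against the vendor advisory, and AFFECTED_VERSIONS is a constructed placeholder, since the page lists no affected versions. The credential store paths are the common default locations for the token and key types the article names (npm, GitHub, SSH, AWS, container registries).

```python
"""Triage helper for the Nx Console supply-chain case (added example).

Task 1: report the installed Nx Console version and whether it is in the
        affected-version list taken from the vendor advisory.
Task 2: build a rotation checklist from the credential stores that actually
        exist on this machine, since the payload is described as harvesting
        tokens and keys from disk.
"""
import json
import os
from pathlib import Path

# ASSUMPTION: marketplace identifier (publisher.name) for Nx Console.
# Verify against the vendor's GitHub Security Advisory before relying on it.
NX_CONSOLE_ID = "nrwl.angular-console"

# PLACEHOLDER: the article lists no affected versions. These values are
# constructed for the example; replace them with the advisory's list.
AFFECTED_VERSIONS = {"18.99.0", "18.99.1"}

# Default locations of the credential types the article names, mapped to the
# rotation action for each. Extend for your own tooling.
CREDENTIAL_STORES = {
    "~/.npmrc": "npm access tokens: revoke on the registry, issue new ones",
    "~/.config/gh/hosts.yml": "GitHub CLI OAuth tokens: revoke in GitHub settings",
    "~/.git-credentials": "Git HTTPS tokens saved by the credential helper: revoke",
    "~/.ssh/id_rsa": "SSH private key: generate a new pair, remove old public key everywhere",
    "~/.ssh/id_ed25519": "SSH private key: generate a new pair, remove old public key everywhere",
    "~/.aws/credentials": "AWS access keys: deactivate in IAM, issue new keys",
    "~/.docker/config.json": "container registry tokens: revoke and re-login",
}


def classify_extension(manifest: dict) -> dict:
    """Classify one extension manifest (parsed package.json) against the list."""
    ext_id = f"{manifest.get('publisher', '')}.{manifest.get('name', '')}".lower()
    version = str(manifest.get("version", ""))
    if ext_id != NX_CONSOLE_ID:
        return {"id": ext_id, "version": version, "status": "not-nx-console"}
    status = "AFFECTED" if version in AFFECTED_VERSIONS else "not-in-affected-list"
    return {"id": ext_id, "version": version, "status": status}


def scan_extensions_dir(ext_dir: Path) -> list:
    """Read every <extension>/package.json below a VS Code extensions directory."""
    results = []
    if not ext_dir.is_dir():
        return results
    for manifest_path in sorted(ext_dir.glob("*/package.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash triage
        results.append(classify_extension(manifest))
    return results


def rotation_checklist(existing_paths) -> list:
    """Return (store, action) for each known credential store among existing_paths.

    existing_paths may be given with or without '~'; both sides are expanded.
    """
    present = {os.path.expanduser(p) for p in existing_paths}
    return [(store, action) for store, action in CREDENTIAL_STORES.items()
            if os.path.expanduser(store) in present]


def find_present_stores() -> list:
    """Credential stores that exist on this machine (real filesystem check)."""
    return [s for s in CREDENTIAL_STORES if os.path.exists(os.path.expanduser(s))]


def main():
    # Constructed sample manifest so the example produces output offline.
    sample = {"publisher": "nrwl", "name": "angular-console", "version": "18.99.1"}
    print("sample manifest:", classify_extension(sample))

    # Real scan of the default VS Code extensions directory, if present.
    for entry in scan_extensions_dir(Path("~/.vscode/extensions").expanduser()):
        if entry["status"] != "not-nx-console":
            print("installed:", entry)

    print("rotation checklist for this machine:")
    for store, action in rotation_checklist(find_present_stores()):
        print(f"  {store}: {action}")


if __name__ == "__main__":
    main()
```

The checklist is deliberately keyed on presence of the file, not on its contents: the safe assumption after this kind of compromise is that anything the extension process could read was read, so a store's mere existence is reason enough to rotate what it held. Run it per developer machine, then follow up with the access-log review the article recommends.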
Why it matters
Any organization that uses Nx or monorepos in CI/CD can be affected. Beyond checking the extension version, the practical priorities are rotating credentials on the assumption of leakage and reviewing access logs. It is also a prompt to monitor the developer-tool supply chain as an attack surface.
FAQ
What is Nx Console?
How do I check whether I was affected?
What should I do?
Sources (primary)
This article is an independent summary compiled from the U.S. official data sources below. Always verify the exact, latest details and applicability with the official and vendor sources.
- CISA KEV Catalog (known exploited list)
- NVD (CVE details / CVSS)
- This product uses data from the NVD API but is not endorsed or certified by the NVD. KEV data is CC0 (public domain).