6 min read
By: RedLegg's Cyber Threat Intelligence Team
About:
CVE-2026-48027 is a critical supply chain vulnerability affecting the Nx Console VS Code extension, where a malicious version (18.95.0) was distributed via official marketplaces and is actively exploited. Organizations should immediately remove the compromised version, upgrade to 18.100.0 or later, and investigate affected systems for credential exposure or malicious activity.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Nx Console Embedded Malicious Code Vulnerability
Identifier: CVE-2026-48027
PoC or Exploitation: This vulnerability is actively exploited in the wild. CISA has added CVE-2026-48027 to the Known Exploited Vulnerabilities (KEV) catalog.
CVSS Score: 9.8 (Critical, CVSS v3.1)
Update / Patch:
Affected versions include:
Nx Console 18.95.0
Affected marketplace publication windows:
Visual Studio Marketplace:
May 19, 2026 from approximately 12:30 UTC to 12:48 UTC
OpenVSX:
May 19, 2026 from approximately 12:33 UTC to 13:09 UTC
Safe and remediated versions include:
Nx Console 18.100.0 or later
Vendor advisory:
https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w
Description:
CVE-2026-48027 is an embedded malicious code vulnerability affecting Nx Console for Visual Studio Code.
This vulnerability is associated with a supply-chain compromise involving a malicious extension release distributed through legitimate extension marketplaces.
Mitigation Recommendation:
Immediately uninstall Nx Console version 18.95.0 from affected Visual Studio Code environments.
Upgrade to Nx Console version 18.100.0 or later obtained from verified official sources.
Identify developer workstations and environments that installed or updated Nx Console during the affected publication windows.
Investigate affected systems for indicators of compromise, suspicious persistence mechanisms, unauthorized processes, unusual extension activity, abnormal outbound network connections, and unauthorized credential access attempts.
Review development environments for suspicious modifications to repositories, configuration files, credentials, and local development tooling.
Rotate potentially exposed credentials or tokens used on systems where the compromised extension was executed.
Validate Visual Studio Code extension inventories and enforce extension allowlisting where operationally feasible.
