CVE-2026-48027
Confirmed PUBLISHEDCompromised Nx Console version 18.95.0
6 days faster than CISA KEV
Recommended Action
Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
At a Glance
Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the compromised version was available from 12:33 UTC to 13:09 UTC (~36 minutes). Version 18.100.0 of Nx Console is not compromised and users may remediate by upgrading to that version.
- CVE Published
- May 27, 2026
- Exploitation Reported
- Jun 01, 2026
- CVSS
- 9.3 Critical
- EPSS
- 1.8%
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
| nrwl |
nx-console
|
= 18.95.0 |
Affected |
CVE References
- https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w github.com · CVE Record https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59...
- https://github.com/nrwl/nx-console/issues/3139 github.com · CVE Record https://github.com/nrwl/nx-console/issues/3139
- https://nx.dev/blog/nx-console-v18-95-0-postmortem#indicators-of-compromise nx.dev · CVE Record https://nx.dev/blog/nx-console-v18-95-0-postmortem#indicators-of-comp...
- https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised stepsecurity.io · CVE Record https://www.stepsecurity.io/blog/nx-console-vs-code-extension-comprom...
Recommended Actions
- Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| The Shadowserver First | 2026-05-27 18:00 UTC |
| CVE | 2026-06-01 10:28 UTC |
| CISA | 2026-06-02 14:00 UTC |
| All CISA Advisories | 2026-06-02 14:21 UTC |
No detection artifacts or sensor request patterns are available for this CVE yet.
Check back as sensor telemetry and scanner integrations are updated.
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
Exploited in the wild
Recorded 2026-06-01 10:28:09 UTC · CVE
Used in malware
Recorded 2026-06-02 14:00:31 UTC · CVE
Weaknesses (CWE)
-
Embedded Malicious Code
Recent Mentions
All CISA Advisories · May 28, 2026
CISA is prioritizing the response to multiple emerging software supply chain intrusion campaigns targeting developer ecosystems Continuous Integration/Continuous Development (CI/CD) pipelines. These recent incidents, including the GitHub compromise via a malicious Nx Console Visual Studio Code (VS Code) extension and the “Megalodon” supply chain intrusion campaign, demonstrate how cyber threat actors are abusing tools and processes that support enterprise, cloud, and DevOps environments—specifically CI/CD pipelines, code extensions and workflows. Threat actors leveraged a prior compromise of Nx developer systems to compromise a GitHub employee’s device through a poisoned third-party VS Code extension, resulting in unauthorized access and exfiltration of internal GitHub repositories. The malicious extension version (18.95.0) was distributed through VS Code’s automatic update mechanism, meaning systems with Nx Console previously installed may have received the malicious build without developers taking any manual installation action. GitHub released a security advisory on this activity, and CVE-2026-48027 has been assigned to the malicious version of Nx Console and added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog. Additionally, in a campaign known as “Megalodon,” a cyber threat actor injected malicious GitHub Action workflows to harvest CI/CD secrets, cloud credentials, and tokens, impacting both development and deployment pipelines in public GitHub repositories. CISA urges organizations to implement the following recommendations to detect and remediate a potential compromise: Monitor and audit workflow files and contributor activity for suspicious pull requests and direct commits, particularly those authored by automated accounts. Revert unauthorized changes, especially from automated accounts, e.g., build-bot, auto-ci, ci-bot, pipeline-bot and especially those made after May 18, 2026. If your organization discovers a compromise resulting from...
All CISA Advisories · May 27, 2026
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-8398 Daemon Tools Lite Embedded Malicious Code Vulnerability CVE-2026-45321 TanStack Unspecified Vulnerability CVE-2026-48027 Nx Console Embedded Malicious Code Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
14:21 UTC about 2 months ago14:21 UTC · about 2 months ago
KEV confirmed by All CISA Advisories
Exploitation attested by an external source
-
14:00 UTC about 2 months ago14:00 UTC · about 2 months ago
First public exploitation report
Exploit observed in malware
-
14:00 UTC about 2 months ago14:00 UTC · about 2 months ago
Added to CISA KEV
Listed in the CISA Known Exploited Vulnerabilities catalog
-
10:28 UTC about 2 months ago10:28 UTC · about 2 months ago
KEV confirmed by CVE
Exploitation attested by an external source
-
18:00 UTC about 2 months ago18:00 UTC · about 2 months ago
Added to KEVIntel KEV Feed
High-confidence, third-party attested exploitation
-
15:50 UTC about 2 months ago15:50 UTC · about 2 months ago
CVE published
Vulnerability disclosed publicly
-
17:44 UTC about 2 months ago17:44 UTC · about 2 months ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2026-48027
{
"cve_id": "CVE-2026-48027",
"title": "Compromised Nx Console version 18.95.0",
"affected_vendor": "nrwl",
"affected_product": "nx-console",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "Confirmed",
"cvss_score": 9.3,
"epss_score": 0.0185,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": false
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}