Nx Console CVE-2026-48027: Poisoned VS Code Extension Stole Developer Secrets

CISA added Nx Console CVE-2026-48027 to KEV after attackers briefly shipped a malicious Nx Console 18.95.0 extension that harvested developer credentials.

Nx Console CVE-2026-48027 has moved from a short-lived marketplace compromise to an urgent response item: CISA added the issue to its Known Exploited Vulnerabilities catalog on May 27, 2026, with a June 10 remediation deadline for covered agencies.[1] The bug is not a normal editor crash or package typo. It tracks a poisoned Nx Console extension, version 18.95.0, that was briefly published through the Visual Studio Marketplace and OpenVSX and then used to pull a credential-stealing payload onto developer machines.[2]

Nx says the malicious Visual Studio Marketplace build was available from 12:30 to 12:48 UTC on May 18, while the OpenVSX exposure ran from 12:33 to 13:09 UTC.[2] Those windows sound small, but IDE extensions run exactly where high-value secrets tend to live: SSH keys, npm tokens, GitHub tokens, cloud credentials, Vault tokens, Kubernetes access material, and local configuration for developer tooling. NVD published CVE-2026-48027 on May 27 and rates it critical with CVSS 9.8, mapping it to CWE-506 for embedded malicious code.[3]

The official advisory says the compromised extension fetched an obfuscated payload that targeted credentials from disk and memory, including Vault, npm, AWS, GitHub, 1Password, and filesystem secrets.[2] StepSecurity’s reverse engineering adds that the payload also looked for Claude Code configuration, attempted multi-channel exfiltration, and used a background task so the attack would not be obvious inside the editor.[4] For readers who followed the recent Mini Shai-Hulud npm/PyPI campaign, this is the same broader pattern: steal a developer identity first, then use trusted distribution paths to reach more machines.

What Nx Console users should check now

First, confirm whether any developer workstation, CI desktop image, remote dev box, or VS Code-compatible editor installed Nx Console 18.95.0 during the May 18 exposure window. Nx says version 18.100.0 is the remediated release users should be on now.[2] Do not treat a later extension update as enough if the old build may have already run; the concern is post-compromise cleanup, not just removing the bad package.

The quick triage list is concrete. Look for suspicious persistence files such as ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /var/tmp/.gh_update_state, /tmp/kitty-*, and the Windows equivalents listed by Nx. Also check for a Python process running cat.py or any process carrying __DAEMONIZED=1 in its environment.[2]

If those signs appear, assume credentials reachable from that machine may be exposed. Kill the suspicious processes, remove the persistence artifacts, then rotate tokens and keys rather than merely deleting the extension. Prioritize GitHub and npm publishing credentials, cloud access keys, Vault tokens, SSH keys, CI/CD secrets, and any 1Password or local secret-store sessions that were active. This is also a good moment to compare repository and package-registry logs for unexpected releases, workflow runs, secret reads, or new tokens.
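The triage checks above can be scripted for Linux and macOS hosts. The following is an added example, not code from Nx, StepSecurity, or the original article. It assumes extensions unpack under ~/.vscode/extensions and ~/.vscode-server/extensions in directories ending in the version number, and it reads process environments from /proc, so the process check works on Linux only and needs root to see other users' processes. The Windows paths are not covered because the article does not list them.

```python
import glob
import os

# Indicator paths quoted in the article, relative to the home directory or to "/".
HOME_IOCS = [".local/share/kitty/cat.py",
             "Library/LaunchAgents/com.user.kitty-monitor.plist"]
ROOT_IOCS = ["var/tmp/.gh_update_state", "tmp/kitty-*"]
# Assumption: extensions unpack as <publisher>.<name>-<version> under these directories,
# so this flags any extension at 18.95.0; confirm a hit is Nx Console by hand.
EXT_DIRS = [".vscode/extensions", ".vscode-server/extensions"]
BAD_VERSION = "18.95.0"


def scan_files(home, root="/"):
    """Return the indicator paths that exist under this home directory and root."""
    patterns = [os.path.join(home, p) for p in HOME_IOCS]
    patterns += [os.path.join(root, p) for p in ROOT_IOCS]
    patterns += [os.path.join(home, d, "*-" + BAD_VERSION + "*") for d in EXT_DIRS]
    return sorted(hit for pat in patterns for hit in glob.glob(pat))


def _fields(proc_root, pid, name):
    """Read a NUL-separated /proc/<pid>/<name> file; empty if unreadable."""
    try:
        with open(os.path.join(proc_root, pid, name), "rb") as fh:
            return fh.read().split(b"\0")
    except OSError:  # process exited, or it belongs to another user
        return []


def scan_procs(proc_root="/proc"):
    """Return (pid, reason) for processes matching the article's two process signs."""
    pids = os.listdir(proc_root) if os.path.isdir(proc_root) else []
    hits = []
    for pid in sorted(filter(str.isdigit, pids), key=int):
        argv = _fields(proc_root, pid, "cmdline")
        if b"__DAEMONIZED=1" in _fields(proc_root, pid, "environ"):
            hits.append((int(pid), "__DAEMONIZED=1 in environment"))
        elif b"python" in os.path.basename(argv[0] if argv else b"") and any(
                os.path.basename(a) == b"cat.py" for a in argv[1:]):
            hits.append((int(pid), "python running cat.py"))
    return hits


if __name__ == "__main__":
    findings = scan_files(os.path.expanduser("~")) + scan_procs()
    for finding in findings:
        print("INDICATOR:", finding)
    print(f"{len(findings)} indicator(s) found")
```

A clean result only means these specific artifacts are absent now; a machine that ran 18.95.0 during the exposure window still needs the credential rotation described above.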

The practical lesson is bigger than one extension. IDE marketplaces and package registries are now part of the same developer supply-chain attack surface as npm and PyPI, which howtofix.guide has already seen in the ZiChatBot PyPI incident and older UA-Parser-JS npm compromise. Teams that allow automatic extension updates should keep inventory, alert on newly installed editor extensions, and make credential rotation playbooks fast enough for the next 18-minute window.

References

  1. CISA. Known Exploited Vulnerabilities Catalog: CVE-2026-48027. Added May 27, 2026.
  2. Nx / GitHub Security Advisory. Compromised Nx Console version 18.95.0. Published May 18, 2026; updated May 22, 2026.
  3. NVD. CVE-2026-48027 detail page. Published May 27, 2026.
  4. StepSecurity. Nx Console VS Code Extension Compromised. Published May 18, 2026.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
