Description
Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the compromised version was available from 12:33 UTC to 13:09 UTC (~36 minutes). Version 18.100.0 of Nx Console is not compromised and users may remediate by upgrading to that version.
Published: 2026-05-27
Score: 9.3 Critical
EPSS: n/a
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

A maliciously altered version of the Nx Console extension (18.95.0) was published to the Visual Studio Marketplace and OpenVSX for a brief period, allowing an attacker to deliver executable code to anyone who installs the extension. The impact is the potential compromise of the user’s system and the integrity of the development environment, as the injected code can run with the same privileges as the user. This is an example of abuse of a trusted third‑party component and is classified under CWE‑506.

Affected Systems

The vulnerability affects the Nx Console extension from the vendor Nrwl, specifically version 18.95.0. All installations of this exact version are compromised, while the subsequent release, 18.100.0, is not affected.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, and the vulnerability is listed in the CISA KEV catalog, underscoring that it is known and potentially exploited. Although EPSS data is not available, the exposure through the public marketplaces and the short but meaningful availability window suggest that the risk of exploitation is significant for anyone who obtained the malicious package. The likely attack vector is the supply chain: a malicious or compromised publisher adds a new package revision that is automatically approved and then installed by users. Users who inadvertently installed the compromised version are at immediate risk, while those who did not install the extension are not affected.

Generated by OpenCVE AI on May 27, 2026 at 19:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nx Console to version 18.100.0 or later
  • Remove the compromised 18.95.0 extension from all VS Code instances
  • Verify installed extensions to ensure only approved Nrwl extensions are present
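
One way to carry out the removal and verification steps above, as an added example (not code from OpenCVE or the Nx project): it reads each installed extension's package.json and classifies Nx Console copies against the versions named in this advisory. The extension ID `nrwl.angular-console`, the function names and the sample directory tree are assumptions made for illustration.

```python
import json
import tempfile
from pathlib import Path

# Assumption: Nx Console's extension ID is "nrwl.angular-console"; confirm it
# against your marketplace listing before relying on this check.
EXT_ID = "nrwl.angular-console"
COMPROMISED = (18, 95, 0)   # version named in the advisory
FIXED = (18, 100, 0)        # version the advisory states is not compromised


def parse_version(text):
    """Turn '18.100.0' into (18, 100, 0) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("-")[0].split("."))


def audit_extensions(root, ext_id=EXT_ID):
    """Return (directory name, version, status) for each installed copy of ext_id."""
    findings = []
    for manifest in sorted(Path(root).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            found_id = f"{meta['publisher']}.{meta['name']}".lower()
            version = parse_version(meta["version"])
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            continue  # unreadable manifest or not an extension directory
        if found_id != ext_id:
            continue
        status = ("compromised" if version == COMPROMISED
                  else "fixed" if version >= FIXED else "other")
        findings.append((manifest.parent.name, meta["version"], status))
    return findings


def build_sample(root):
    """Constructed extension tree for demonstration; not real extension content."""
    for publisher, name, version in [("nrwl", "angular-console", "18.95.0"),
                                     ("nrwl", "angular-console", "18.100.0"),
                                     ("example", "other-ext", "18.95.0")]:
        folder = Path(root) / f"{publisher}.{name}-{version}"
        folder.mkdir(parents=True)
        manifest = {"publisher": publisher, "name": name, "version": version}
        (folder / "package.json").write_text(json.dumps(manifest), encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for row in audit_extensions(tmp):
            print(*row)
```

Point `audit_extensions` at the real extensions directory on each workstation (for VS Code desktop this is typically `~/.vscode/extensions`). Versions are compared as integer tuples because the string "18.100.0" sorts before "18.95.0".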

Advisories

No advisories yet.

History

Wed, 27 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nx; Nx nx Console
CPEs | | cpe:2.3:a:nx:nx_console:18.95.0:*:*:*:*:visual_studio_code:*:*
Vendors & Products | | Nx; Nx nx Console
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 27 May 2026 18:30:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 May 2026 17:45:00 +0000

Type | Values Removed | Values Added
Metrics | | kev: {'dateAdded': '2026-05-27T00:00:00+00:00', 'dueDate': '2026-06-10T00:00:00+00:00'}


Wed, 27 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the compromised version was available from 12:33 UTC to 13:09 UTC (~36 minutes). Version 18.100.0 of Nx Console is not compromised and users may remediate by upgrading to that version.
Title | | Compromised Nx Console version 18.95.0
Weaknesses | | CWE-506
References | |
Metrics | | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T19:58:23.888Z

Reserved: 2026-05-20T17:44:09.587Z

Link: CVE-2026-48027

Vulnrichment

Updated: 2026-05-27T17:49:49.453Z

NVD

Status: Analyzed

Published: 2026-05-27T17:16:41.787

Modified: 2026-05-27T20:34:24.850

Link: CVE-2026-48027

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:30:35Z