External risk intelligence

Nx Console Compromise Allows Unauthorized Access to Sensitive Data.

CVE advisory | Known Exploit

CVE-2026-48027

A malicious version of Nx Console was briefly available, containing code that could harvest credentials. Organizations using the affected version could experience unauthorized access to sensitive information. Upgrading to a non-compromised version mitigates this risk.

1 Halo Surface Signal

Nx Console

18.95.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-48027

This CVE concerns a malicious version of a developer-focused extension for a code editor (Nx Console for Visual Studio Code). Development tools and IDE extensions run in local, isolated environments on individual developer workstations and do not present a public-internet-facing service or reachable network endpoint in typical deployment patterns.

Horizon Alert

Summary of the vulnerability and why it matters

A malicious version of the Nx Console extension was temporarily available through the Visual Studio Marketplace and OpenVSX. This compromised version contained malicious code that could harvest credentials. Organizations using this extension were potentially exposed to unauthorized access to sensitive information.

  • Nx Console extension
  • Embedded malicious code
  • Credential theft and data compromise

Attack Path

How an attacker could exploit the issue

A malicious version of the Nx Console extension was temporarily available through Visual Studio Marketplace and OpenVSX. This compromised extension contained malicious code designed to harvest credentials from various sources on disk and in memory. Organizations using the affected version could experience unauthorized access to sensitive information.

  • Exposure condition: Malicious extension available.
  • Attacker starting point: Network.
  • Trigger and result: Malicious code executed, harvesting credentials.

Live Threat

Current exploitation, exposure, and threat context

A malicious version of the Nx Console extension was briefly available, containing code that could harvest credentials. Organizations should upgrade to the non-compromised version of Nx Console to mitigate this risk. The extension is a developer tool, typically running in isolated environments, reducing broad impact.

  • Attacker skill level: Low.
  • Required access or conditions: Malicious version downloaded.
  • Business risk or urgency: High; upgrade immediately.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A malicious version of the Nx Console extension was briefly available, posing a risk to development environments. This compromised version contained malicious code designed to harvest credentials from various sources. Organizations should take immediate steps to identify and mitigate this threat within their development infrastructure to protect sensitive data and systems.

  • Identify affected development assets.
  • Reduce exposure or isolate risk.
  • Fix, verify, and monitor.
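
One way to carry out the "identify affected development assets" step on a workstation is sketched below. It is an added example, not code from this advisory or from the Nx project. It reads each installed extension's `package.json` and compares versions numerically, because a plain string comparison would sort 18.100.0 before 18.95.0. The extension identifier `nrwl.angular-console` and the default extension folders are assumptions.

```python
import json
from pathlib import Path

# Assumption: Nx Console's marketplace identifier is nrwl.angular-console.
EXT_ID = ("nrwl", "angular-console")
BAD = (18, 95, 0)     # malicious version named in the advisory
FIXED = (18, 100, 0)  # non-compromised version named in the advisory

# Assumption: default per-user extension folders of VS Code-family editors.
DEFAULT_ROOTS = [".vscode/extensions", ".vscode-server/extensions",
                 ".vscode-oss/extensions", ".cursor/extensions"]


def parse_version(text):
    """'18.100.0' -> (18, 100, 0). Numeric, so 18.100.0 sorts after 18.95.0."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def classify(version):
    try:
        parsed = parse_version(version)
    except ValueError:
        return "unknown-version"
    if parsed == BAD:
        return "COMPROMISED"
    # Anything else is not the malicious build; flag it if it predates the fix.
    return "ok" if parsed >= FIXED else "below-18.100.0"


def scan(root):
    """Return [(folder, version, status)] for each Nx Console copy under root."""
    hits = []
    for manifest in sorted(Path(root).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            ident = (str(meta["publisher"]).lower(), str(meta["name"]).lower())
        except (OSError, ValueError, KeyError, TypeError):
            continue  # unreadable or malformed manifest
        if ident == EXT_ID:
            version = str(meta.get("version", ""))
            hits.append((manifest.parent.name, version, classify(version)))
    return hits


if __name__ == "__main__":
    for rel in DEFAULT_ROOTS:
        for folder, version, status in scan(Path.home() / rel):
            print(f"{status:16} {version:10} {Path.home() / rel / folder}")
```

An 18.95.0 folder left beside a newer one still shows that the malicious build was installed on that machine at some point.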

Frequently asked questions

What is Nx Console and why was it compromised?

Nx Console is a user interface for the Nx and Lerna build tools, often integrated into IDEs such as Visual Studio Code. A malicious version, 18.95.0, containing embedded code designed to harvest credentials, was temporarily published to the Visual Studio Marketplace and OpenVSX.

What weakness class does CVE-2026-48027 fall under?

CVE-2026-48027 is categorized under the weakness class 'Embedded Malicious Code' (CWE-506). This indicates that the vulnerability was introduced through the inclusion of harmful code within the software itself.

What was the scope of the Nx Console compromise?

The malicious version of Nx Console (18.95.0) was available for approximately 18 minutes on the Visual Studio Marketplace and about 36 minutes on OpenVSX. Its malicious code could harvest credentials from disk and memory.

How does Halo classify the exposure of CVE-2026-48027?

Halo classifies this CVE as 'external' because the CVSS v4.0 attack vector is listed as Network (AV:N). However, Halo also notes that the extension runs in local, isolated environments, which typically do not present a public-facing service.

What is the recommended remediation for the Nx Console vulnerability?

Users should upgrade Nx Console to version 18.100.0, which is not compromised. Organizations should also identify affected development assets, reduce exposure, and verify that the threat is mitigated within their infrastructure to protect sensitive data.
