A supply chain attack targeting Nx Console, a widely used VS Code extension, exposed thousands of developers to credential theft and ransomware deployment, with GitHub suffering one of its worst internal breaches as a direct result.
On May 19, 2026, threat actors successfully poisoned version 18.95.0 of Nx Console, the official user interface for Nx and Lerna monorepo tooling, and uploaded it to both the Visual Studio Marketplace and OpenVSX.
The malicious build was live for approximately 18 minutes on the VS Code Marketplace (12:30–12:48 UTC) and 36 minutes on OpenVSX (12:33–13:09 UTC) before being pulled, but that brief window was enough.
By the time CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on May 27, 2026, internal analytics from the Nx team revealed approximately 6,000 extension activations from compromised devices.
The attack, attributed to the TeamPCP threat group, began when adversaries compromised an Nx developer’s credentials and posed as a legitimate maintainer to gain publisher access on the VS Code Marketplace.
The malicious 18.95.0 build preserved all normal Nx Console functionality, keeping the real ~7.7 MB main.js surface intact while silently injecting a startup routine that ran npx against a fixed Git commit on the official nrwl/nx GitHub repository. This planted a hidden package called nx-next, whose sole purpose was credential exfiltration.
Once activated, the malicious extension fetched an obfuscated payload and harvested credentials from a wide range of sources, both on disk and in memory. It targeted:
- HashiCorp Vault – ~/.vault-token, /etc/vault/token, Kubernetes and AWS IAM auth tokens
- npm – .npmrc tokens and OIDC token exchange
- AWS – IMDS/ECS metadata, Secrets Manager, SSM, and Web Identity tokens
- GitHub – ghp_, gho_, and ghs_ tokens, Actions secrets, and process memory
- 1Password – op CLI vault contents if an active session existed
- Filesystem – Private keys, connection strings, GCP and Docker credentials
Exfiltration used three independent channels simultaneously: encrypted HTTPS to a remote server, the GitHub API using victims' own stolen tokens, and DNS tunneling as a fallback, so blocking any single channel was ineffective. On Linux systems, the malware also attempted to modify /etc/sudoers to establish persistence.
GitHub itself confirmed the most devastating consequence of this attack. The company disclosed that the Nx Console supply chain compromise led directly to unauthorized access to 3,800 internal repositories.
The breach occurred because GitHub developers running the compromised extension had their GitHub tokens exfiltrated silently in the background, with sufficient privileges to access private, internal infrastructure.
The incident stands as one of the most significant supply chain attacks against a major software platform in 2026, demonstrating that even a brief window of exposure in a developer tool can cascade into a catastrophic enterprise breach.
Organizations should immediately scan environments for the following indicators:
- Presence of Nx Console version 18.95.0 in VS Code or any VS Code fork
- Running processes named __DAEMONIZED or cat.py
- Outbound DNS tunneling traffic or unexpected HTTPS connections to unfamiliar endpoints
- Unauthorized access logs using ghp_, gho_, or ghs_ prefixed tokens
- Unexpected changes to /etc/sudoers on Linux systems
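The checks above can be scripted. The following triage helper is an added example written for this article; it is not tooling from the Nx team, GitHub, or CISA. It assumes the extension can be recognised by the name or displayName in its package.json containing "Nx Console" / "nx-console", that extension roots are the usual ~/.vscode, ~/.vscode-oss and ~/.vscode-insiders directories (extend the list for other forks), that GitHub tokens can be matched by their ghp_/gho_/ghs_ prefix, and that DNS tunnel traffic shows up as long or high-entropy labels below a two-label zone. The process list, log lines, DNS names and sudoers text embedded in it are constructed samples, not captured data from the incident.

```python
"""Host and log triage for the Nx Console 18.95.0 indicators (added example)."""
import json
import math
import os
import re
import subprocess
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

VULNERABLE_VERSION = "18.95.0"
# Start of the Marketplace exposure window given in the article (12:30 UTC).
EXPOSURE_START = datetime(2026, 5, 19, 12, 30, tzinfo=timezone.utc)
# Process names from the article; lookarounds stop "concat.py" from matching.
PROC_RE = re.compile(r"(?<![A-Za-z0-9])(__DAEMONIZED|cat\.py)(?![A-Za-z0-9])")
# Classic GitHub token prefixes; the minimum length is an assumption.
TOKEN_RE = re.compile(r"\bgh[pos]_[A-Za-z0-9]{20,}")

# Constructed sample inputs (not real incident data).
SAMPLE_PS = [
    "  PID COMMAND",
    "    1 /sbin/init",
    " 2310 /usr/share/code/code --type=extensionHost",
    " 4312 /tmp/__DAEMONIZED",
    " 4410 python3 /tmp/cat.py",
    " 4499 python3 ./concat.py --in data.csv",
]
SAMPLE_LOG = """\
2026-05-19T12:41:07Z GET /repos/acme/infra token=ghp_1234567890abcdefghijklmnopqrstuvwxyz ua=node
2026-05-19T12:41:09Z GET /user/repos token=gho_abcdefghijklmnopqrstuvwxyz1234567890 ua=node
2026-05-19T12:42:00Z GET /orgs/acme ua=gh
"""
SAMPLE_DNS = [
    "marketplace.visualstudio.com.",
    "registry.npmjs.org.",
    "0123456789abcdef0123456789abcdef0123456789abcdef.s1.tunnel-example.net.",
    "api.github.com.",
]
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
devuser ALL=(ALL) NOPASSWD: ALL
"""


def is_vulnerable_manifest(manifest: dict) -> bool:
    """True if an extension package.json describes Nx Console 18.95.0."""
    label = f"{manifest.get('name', '')} {manifest.get('displayName', '')}".lower()
    is_nx_console = "nx console" in label or "nx-console" in label
    return is_nx_console and manifest.get("version") == VULNERABLE_VERSION


def find_vulnerable_extensions(roots=None):
    """Walk VS Code-family extension directories; return paths of vulnerable installs."""
    home = Path.home()
    roots = roots or [home / d / "extensions" for d in (".vscode", ".vscode-oss", ".vscode-insiders")]
    hits = []
    for root in roots:
        for manifest in Path(root).glob("*/package.json"):
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue
            if is_vulnerable_manifest(data):
                hits.append(str(manifest.parent))
    return hits


def find_suspicious_processes(ps_lines):
    """Filter `ps -eo pid,args` output for the named processes; returns (pid, args)."""
    hits = []
    for line in ps_lines:
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit() and PROC_RE.search(parts[1]):
            hits.append((int(parts[0]), parts[1]))
    return hits


def find_github_tokens(text):
    """Count token-shaped strings per prefix without echoing the secrets themselves."""
    return dict(Counter(m.group(0)[:4] for m in TOKEN_RE.finditer(text)))


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def suspicious_dns_queries(qnames, max_len=40, min_entropy=3.5):
    """Heuristic for data-carrying DNS: long or high-entropy labels below the zone."""
    flagged = []
    for q in qnames:
        labels = q.rstrip(".").split(".")
        data = ".".join(labels[:-2])  # assumes a two-label registrable zone
        if len(data) > max_len or shannon_entropy(data) > min_entropy:
            flagged.append(q)
    return flagged


def modified_in_exposure_window(mtime_epoch: float) -> bool:
    """True if a file mtime falls at or after the exposure window start."""
    return datetime.fromtimestamp(mtime_epoch, tz=timezone.utc) >= EXPOSURE_START


def suspicious_sudoers_lines(text):
    """Non-comment sudoers lines granting NOPASSWD, the usual shape of a planted entry."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#") and "NOPASSWD" in l]


if __name__ == "__main__":
    print("vulnerable extensions:", find_vulnerable_extensions())
    if os.name != "nt":
        ps = subprocess.run(["ps", "-eo", "pid,args"], capture_output=True, text=True).stdout
        print("suspicious processes:", find_suspicious_processes(ps.splitlines()))
        if os.path.exists("/etc/sudoers"):
            print("sudoers changed in window:", modified_in_exposure_window(os.stat("/etc/sudoers").st_mtime))
```

The DNS and sudoers checks are heuristics, not signatures: a long legitimate CDN hostname will trip the length threshold, and a NOPASSWD line may be a deliberate local policy, so treat both as leads to confirm against a known-good baseline rather than as verdicts.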
Mitigation
CISA’s advisory mandates action by June 10, 2026, for all Federal Civilian Executive Branch (FCEB) agencies. All organizations, public and private, should take the following steps immediately:
- Update Nx Console to version 18.100.0 or later (current safe version: 18.100.5).
- Kill all __DAEMONIZED and cat.py processes immediately, as they actively exfiltrate credentials while running.
- Rotate all credentials stored on any developer machine that had version 18.95.0 installed, including GitHub tokens, AWS keys, npm tokens, Vault tokens, and GCP/Docker credentials.
- Revoke and reissue all API keys, secrets, and cloud IAM credentials that may have been in memory or on disk during the exposure window.
- Audit access logs across GitHub, AWS, GCP, Azure, and any Kubernetes clusters for anomalous activity since May 19, 2026.
- Enable MFA on all developer accounts and secrets management platforms immediately.
- Review VS Code extension permissions and implement enterprise allowlisting policies so that only approved extensions can be installed.
FAQ
Q1: What is CVE-2026-48027?
CVE-2026-48027 is a critical embedded malicious code vulnerability (CWE-506) in Nx Console version 18.95.0 that enabled silent credential harvesting and ransomware deployment via a supply chain attack.
Q2: Who is affected by the Nx Console supply chain attack?
Any developer who installed or ran Nx Console version 18.95.0 from the VS Code Marketplace or OpenVSX during the May 19, 2026, exposure window (12:30–13:09 UTC) is potentially compromised.
Q3: How do I fix the Nx Console vulnerability?
Immediately update to Nx Console version 18.100.0 or later, kill any running __DAEMONIZED or cat.py processes, and rotate all credentials stored on the affected machine.
Q4: Is the Nx Console vulnerability linked to ransomware?
Yes, CISA has confirmed that CVE-2026-48027 is used in active ransomware campaigns, making it one of the most urgently exploited vulnerabilities tracked in the KEV catalog as of May 2026.
Site: thecybrdef.com