What happened
CVE-2026-48027 covers a supply-chain compromise of the Nx Console VS Code extension, the user interface for the Nx and Lerna monorepo build systems. On 19 May 2026, a malicious version, 18.95.0, was published to the marketplace at 12:30 PM UTC. The extension was pulled at 12:48 PM UTC, leaving an 18-minute window of exposure. CISA added the CVE to the Known Exploited Vulnerabilities catalog on 27 May 2026, with a remediation due date of 10 June 2026 and a note that known ransomware campaigns have used this vulnerability.
How it works
NVD rates the vulnerability CVSS v3.1 9.8 (Critical). The CWE classification is CWE-506 (Embedded Malicious Code). The compromised extension fetched an obfuscated second-stage payload at install time, then performed broad credential theft: it walked common secret and key material locations on disk, harvested Git credentials, npm and cloud-provider tokens, and pulled sensitive strings from in-memory processes, including the VS Code extension host. The Nx team has published a full postmortem with indicators of compromise, including the IP addresses and domains used by the second-stage payload and a script for environments to scan their workstations and CI runners for the IOC patterns.
The interesting part of the postmortem is not the technique. Credential theft from a developer workstation is a known supply-chain primitive. The interesting part is the attack surface: the extension was published using the maintainer's own marketplace publisher credentials. The threat actor compromised the publishing pipeline, not the source code on the public repo. Detection of the malicious behavior on the developer's machine and CI infrastructure was the actual defense, because prevention at the marketplace was already lost. Nx has since rotated publisher credentials, added additional review on extension releases, and documented the postmortem publicly so other extension maintainers can adopt the same hardening.
Blast radius
The blast radius is any developer workstation or CI runner that auto-updated the extension between 12:30 and 12:48 UTC on 19 May 2026. The credential theft specifically targeted the secrets that matter most to a modern engineering organization: source-control credentials (which can lead to a full repo compromise and supply-chain pivot), npm publish tokens (which can let an attacker ship malicious code under the maintainer's own name), and cloud provider keys (AWS, GCP, Azure credentials typically live in `~/.aws/credentials` or env files). The in-memory credential theft, pulling strings from the VS Code extension host process, is the part that goes beyond what file-based detection tools see: anything loaded in VS Code's environment at extension-update time is exposed.
Defender actions
Defender actions for CVE-2026-48027 are time-bounded. The 18-minute window closed on 19 May 2026, but any developer who installed or auto-updated the extension between 12:30 and 12:48 UTC on that day needs to assume the workstation is compromised and rotate everything. Nx has published a detection script. The postmortem links to the script, the IOC list, and a recommended response procedure. Treat the rotation as broad: source-control credentials, npm tokens, cloud provider keys, signing keys, anything reachable from a developer session on the affected host. The postmortem is worth reading in full even if you were not affected; the operational lessons apply to any organization that ships developer tooling through a marketplace.
Lessons
The supply-chain lessons are not new but they are worth restating. Marketplace publishing is a privileged operation and the credentials that protect it should be treated with the same rigor as production deployment keys: hardware-backed multi-factor authentication, just-in-time access for releases, and review gates that are not bypassable by a single compromised account. The detection gap is the real one. Most environments have no baseline for what a developer workstation should be reading, which means the post-exploitation activity of an extension like this is invisible until the credentials turn up in an incident. The Nx postmortem is a useful forcing function for that conversation: it documents what an attacker actually does on a compromised workstation, which is the ground truth your detection rules need to match against.
The CVSS 9.8 rating and the CISA KEV listing put this in the same tier as the more public supply-chain compromises of the last several years. The defense-in-depth pattern that holds up: short-lived credentials issued at the moment of use, hardware-backed authentication for any operation that touches a release pipeline, and detection rules that fire on broad credential reads from a single process. None of those are easy to retrofit, which is the underlying problem with marketplace-mediated supply chains: the security model assumes the publisher is trusted, and that assumption has now been broken for the Nth time in a public, attributable way.