SB20260528253 - Backdoor in Nx Console VSCode extension

Description

This security bulletin contains information about 1 vulnerability.

1) Embedded malicious code (CVE-ID: CVE-2026-48027)

CWE-ID: CWE-506 - Embedded Malicious Code

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red

The vulnerability allows a remote attacker to gain unauthorized access to the system.

The vulnerability exists due to presence of malicious functionality in the application code (aka backdoor) that allows a remote attacker to gain unauthorized access to the application. The affected version was compromised on May 19, 2026 and was distributed through the Visual Studio Marketplace for around 18 minutes and around 36 minutes through OpenVSX. 

Remediation

Install update from vendor's website.

References

• https://github.com/nrwl/nx-console/issues/3139
• https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w
• https://nx.dev/blog/nx-console-v18-95-0-postmortem#indicators-of-compromise
• https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised