nrwl/Nx
Organisation · US

Open-source monorepo build-tooling project (Nx) maintained by Nrwl; the official repository was used to stage the hidden payload in the GitHub breach.

Last refreshed: 29 May 2026 · Appears in 1 active topic

Key Question

How was a trusted open-source repository used to deliver malware through VS Code?

Timeline for nrwl/Nx

#518 May

GitHub's own code cloned via add-on

Cybersecurity: Threats and Defences
Common Questions
What is Nx and who makes it?
Nx is an open-source monorepo build system for TypeScript and JavaScript projects, maintained by Nrwl, a company founded by former Google Angular team members Jeff Cross and Victor Savkin.
Source: Nrwl / Nx official
How was the nrwl/nx repository used in the May 2026 GitHub breach?
Attackers planted a malicious commit on the official nrwl/Nx GitHub repository. The trojanised Nx Console extension v18.95.0 pulled from this commit on startup to execute credential-stealing code on the developer's machine.
Source: GitHub incident disclosure
What is Nx Cloud?
Nx Cloud is Nrwl's commercial service offering distributed build caching and CI pipeline optimisation for teams using the Nx monorepo build system.
Source: Nrwl official

Background

Nrwl and its Nx repository were exploited in the May 2026 supply-chain attack when attackers planted a malicious commit on the official nrwl/Nx GitHub repository. The trojanised Nx Console extension (v18.95.0) pulled from this compromised commit on startup, using the legitimate repository as a staging point for credential-theft code. The attack combined a publisher-verification gap in the Visual Studio Marketplace with abuse of a trusted open-source repository's CI/CD pipeline.

Nrwl (short for Narwhal) is a US software consultancy and open-source tooling company founded by Jeff Cross and Victor Savkin, both former Angular team members at Google. The company develops Nx, an open-source monorepo build system and development workspace tool, widely adopted by enterprise JavaScript and TypeScript teams. Nx supports code generation, task caching, and dependency graph visualisation for large mono-repository codebases. The Nx Console extension — a VS Code UI for the Nx CLI — was the attack vector's delivery mechanism. Nrwl also offers commercial Nx Cloud services for distributed build caching and CI optimisation.

The nrwl/Nx compromise illustrates that attacker interest in trusted open-source repositories extends beyond npm packages to the editor-tooling ecosystem. Organisations using Nx are typically large engineering teams with broad internal-repository access, making a compromised Nx Console extension a high-value lateral-movement vehicle. The incident prompted broader scrutiny of open-source monorepo tooling's security posture and commit-signing practices.

Source Material