Nx Console

Open-source VS Code extension for Nx monorepo build toolchains; a trojanised release in May 2026 was the initial-access vector in the GitHub internal repository breach.

Last refreshed: 29 May 2026

Key Question

How did a malicious Nx Console build that was live for just 18 minutes steal thousands of repos?

Timeline for Nx Console

18 May: GitHub's own code cloned via add-on (topic: Cybersecurity: Threats and Defences)
Common Questions
What is CVE-2026-48027 in Nx Console?
CVE-2026-48027 is the identifier for the trojanised Nx Console VS Code extension (v18.95.0) that executed a malicious payload on startup and cloned GitHub internal repositories. It was added to CISA's Known Exploited Vulnerabilities list on 27 May 2026. (Source: CISA KEV, May 2026)
Is Nx Console safe to use after the 2026 attack?
The malicious version (v18.95.0) was removed from the Marketplace within 18 minutes. Developers who did not install that specific version, and who have auto-updates enabled so that they are on a verified later release, are not affected. Verify that your installed version is not v18.95.0. (Source: event)
How did the Nx Console supply-chain attack work?
UNC6780 published a trojanised build of Nx Console to the VS Marketplace. When a GitHub employee installed it, startup code executed a payload that cloned roughly 3,800 of GitHub's internal private repositories to an attacker server. (Source: event)
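The version check recommended above, scripted against the VS Code CLI's extension listing. This is an added example, not content from the briefing, and it assumes the extension's Marketplace identifier is nrwl.angular-console (Nx Console's historical extension ID).

```shell
# Added example (not from this briefing): flag the trojanised Nx Console
# release in the output of `code --list-extensions --show-versions`, which
# prints one `publisher.name@version` entry per line.
# Assumption: Nx Console's Marketplace identifier is nrwl.angular-console
# (its historical extension ID); adjust if your installation differs.

BAD_EXTENSION_ID="nrwl.angular-console"  # assumed identifier
BAD_VERSION="18.95.0"                    # trojanised build named by the briefing

# is_trojanised_build ID VERSION: exit 0 if the pair matches the bad release.
# Tolerates a leading "v" so "v18.95.0" and "18.95.0" compare equal.
is_trojanised_build() {
    _ver=${2#v}
    [ "$1" = "$BAD_EXTENSION_ID" ] && [ "$_ver" = "$BAD_VERSION" ]
}

# check_extension_listing: reads a listing on stdin, prints every flagged
# entry, and returns 1 if the trojanised build is present, 0 if it is not.
check_extension_listing() {
    _found=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if is_trojanised_build "${entry%@*}" "${entry##*@}"; then
            printf 'FLAGGED: %s\n' "$entry"
            _found=1
        fi
    done
    return "$_found"
}

# Constructed sample listing (not real CLI output) for offline demonstration.
sample_listing() {
    printf '%s\n' \
        "ms-python.python@2026.4.0" \
        "nrwl.angular-console@18.95.0" \
        "dbaeumer.vscode-eslint@3.0.10"
}

# Live use on a workstation:
#   code --list-extensions --show-versions | check_extension_listing
```

Run the live pipeline on each developer machine; a non-zero exit status means the flagged build is installed and the host should be treated as potentially compromised rather than simply updated.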

Background

Nx Console is a Visual Studio Code extension developed by Nrwl (now Nx) that provides a graphical interface for the Nx monorepo build system. It automates task running, dependency graphing, and code generation for large-scale JavaScript and TypeScript projects. The extension is widely installed across enterprise development teams managing complex monorepo structures.

On 18 May 2026, attackers attributed to UNC6780 published a trojanised build of Nx Console (version v18.95.0) to the Visual Studio Marketplace. The malicious version was live for only 18 minutes before being taken down, but in that window a GitHub employee installed it. On startup the extension executed a payload that cloned approximately 3,800 of GitHub's internal private repositories to an attacker-controlled server. The flaw was catalogued as CVE-2026-48027 and added to the CISA Known Exploited Vulnerabilities list on 27 May 2026.

The incident is a textbook software supply-chain attack, demonstrating that a brief Marketplace listing window — even 18 minutes — is sufficient to compromise a high-value target if a privileged user is the victim. It has renewed calls for mandatory code-signing, provenance attestation, and automated sandboxing for IDE extensions across all major Marketplace operators.
