
Nx Console
Open-source VS Code extension for Nx monorepo build toolchains; a trojanised release in May 2026 was the initial-access vector in the GitHub internal repository breach.
Last refreshed: 29 May 2026 · Appears in 1 active topic
How did a malicious Nx Console build live for just 18 minutes steal thousands of repos?
Timeline for Nx Console
GitHub's own code cloned via add-on
Cybersecurity: Threats and DefencesWhat is CVE-2026-48027 in Nx Console?
Is Nx Console safe to use after the 2026 attack?
How did the Nx Console supply-chain attack work?
Background
Nx Console is a Visual Studio Code extension developed by Nrwl (now Nx) that provides a graphical interface for the Nx monorepo build system. It automates task running, dependency graphing, and code generation for large-scale JavaScript and TypeScript projects. The extension is widely installed across enterprise development teams managing complex monorepo structures.
On 18 May 2026, attackers attributed to UNC6780 published a trojanised build of Nx Console (version v18.95.0) to the Visual Studio Marketplace. The malicious version was live for only 18 minutes before being taken down, but in that window a GitHub employee installed it. On startup the extension executed a payload that cloned approximately 3,800 of GitHub's internal private repositories to an attacker-controlled server. The flaw was catalogued as CVE-2026-48027 and added to the CISA Known Exploited Vulnerabilities list on 27 May 2026.
The incident is a textbook software supply-chain attack, demonstrating that a brief Marketplace listing window — even 18 minutes — is sufficient to compromise a high-value target if a privileged user is the victim. It has renewed calls for mandatory code-signing, provenance attestation, and automated sandboxing for IDE extensions across all major Marketplace operators.