Security Advisory · Published 2026-05-28 · ACTIVELY EXPLOITED

CVE-2026-48027: Your VS Code Just Installed Malware From the Official Marketplace

This one's different. This isn't a "patch before someone writes an exploit" situation. This is a "check if you're already owned" situation. On May 19, 2026, a compromised version of Nx Console - one of the most popular VS Code extensions for Nx and Lerna monorepo development - was pushed to the Visual Studio Marketplace. It sat there for 18 minutes. On OpenVSX, 36 minutes. If your editor auto-updated extensions during that window, you installed version 18.95.0, and that version contains malicious code.

CISA has added this to the Known Exploited Vulnerabilities catalog. This isn't a drill.

The timeline that should scare you

  • 12:30 UTC, May 19 - Malicious version 18.95.0 published to VS Code Marketplace
  • 12:33 UTC - Same version published to OpenVSX
  • 12:48 UTC - Removed from VS Code Marketplace (~18 min exposure)
  • 13:09 UTC - Removed from OpenVSX (~36 min exposure)
  • May 27 - CVE assigned, CISA KEV listing

Eighteen minutes doesn't sound like a lot. But VS Code checks for extension updates frequently, and many developers have auto-update enabled. If your machine was on and VS Code was running between 12:30 and 12:48 UTC on May 19th, you need to check.

What the malicious version did

The full post-mortem from the Nx team is still being published, but the CWE is CWE-506: Embedded Malicious Code. Based on the advisory and the indicators of compromise, the malicious version:

  • Executed code at extension activation (when VS Code starts)
  • Had network access to exfiltrate data
  • Ran with whatever permissions your VS Code process has - which on most dev machines is everything

Think about what VS Code can access on a developer's machine: SSH keys, git credentials, environment variables with API keys, cloud provider tokens, .env files with database passwords. All of it reachable from a malicious extension.

Step 1: Check if you installed 18.95.0

# Check your VS Code extension version history
# Open VS Code - Extensions - Search "Nx Console" - Click the gear - "Install Another Version"
# Look for 18.95.0 in the version history

# Or check from command line:
code --list-extensions --show-versions | grep -i "nrwl.angular-console"

# List installed Nx Console extension directories (macOS/Linux)
find ~/.vscode/extensions/ -maxdepth 1 -name "nrwl.angular-console-*" -type d

# Windows:
dir "%USERPROFILE%\.vscode\extensions\nrwl.angular-console-*"

If you see version 18.95.0 anywhere - in your current installation, in cached downloads, in extension history - assume compromise and proceed to Step 3.
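As an added example (not part of the advisory or of the Nx project), here is a POSIX shell function that performs the Step 1 check programmatically: it walks a VS Code extensions directory, reads the version of every Nx Console install from its package.json (falling back to the folder name), and exits nonzero when 18.95.0 is present. It assumes VS Code's standard on-disk layout of <extensions dir>/<publisher>.<name>-<version>/.

```shell
#!/bin/sh
# Added example, not from the Nx advisory or the Nx project: scan a VS Code
# extensions directory for Nx Console installs and flag the malicious build.
# Assumes VS Code's on-disk layout, where each installed extension lives in
# <extensions dir>/<publisher>.<name>-<version>/ with a package.json inside.
# Usage: scan_extensions_dir ~/.vscode/extensions

BAD_VERSION="18.95.0"          # malicious version named in the advisory
EXT_ID="nrwl.angular-console"  # Nx Console's marketplace identifier

# Extract the top-level "version" string from a package.json (no jq needed).
pkg_version() {
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print one line per Nx Console install found under $1.
# Returns 0 if no Nx Console install, 1 if only safe versions, 2 if 18.95.0 is present.
scan_extensions_dir() {
    dir="$1"
    status=0
    for d in "$dir"/"$EXT_ID"-*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        ver=""
        if [ -f "$d/package.json" ]; then
            ver=$(pkg_version "$d/package.json")
        fi
        # Fall back to the version embedded in the folder name.
        if [ -z "$ver" ]; then
            ver=${d##*/}
            ver=${ver#"$EXT_ID"-}
        fi
        if [ "$ver" = "$BAD_VERSION" ]; then
            echo "COMPROMISED  $d  (version $ver)"
            status=2
        else
            echo "present      $d  (version $ver)"
            [ "$status" -eq 2 ] || status=1
        fi
    done
    [ "$status" -eq 0 ] && echo "no Nx Console install under $dir"
    return "$status"
}
```

Run it against ~/.vscode/extensions and, if you use Insiders, ~/.vscode-insiders/extensions; an exit status of 2 means the malicious build is on disk.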

Step 2: Check the indicators of compromise

The Nx team published IOCs at their post-mortem page. Check your system against those indicators:

# Check for unexpected outbound connections from VS Code
# Linux/macOS:
lsof -i -P | grep -i "code" | grep -v "127.0.0.1"

# Check for SSH keys added or modified since the exposure window (May 19, 2026)
ls -la ~/.ssh/
find ~/.ssh -type f -newermt "2026-05-19" -ls

# Check for modifications to git config (credential helpers, URL rewrites)
git config --global --list | grep -iE "credential|url|helper"

# Windows: Check recent network connections
netstat -an | findstr "ESTABLISHED" | findstr /V "127.0.0.1"

Step 3: If you're compromised

Don't panic. But also don't wait. Here's the order of operations:

  1. Rotate all secrets immediately. Every API key, every token, every password that was stored in environment variables, .env files, or accessible to your VS Code session. All of them. Start with cloud provider credentials (AWS, GCP, Azure).
  2. Rotate SSH keys. Generate new ones, replace them everywhere.
  3. Check git history. Look for commits you didn't make. Check if force pushes happened to any of your repos.
  4. Audit OAuth tokens. Revoke and regenerate GitHub/GitLab personal access tokens, npm tokens, PyPI tokens.
  5. Update to Nx Console 18.100.0 - this version is confirmed safe.

The bigger picture

This is the third major VS Code extension supply chain attack this year. The pattern is clear: compromise a maintainer's publishing credentials (or the CI pipeline that publishes), push a malicious version, and let auto-update do the rest. The extension marketplaces have no real code review process for updates. A malicious version looks identical to a legitimate one until someone reverse-engineers it.

If you're managing a development team, this is the conversation you need to have:

  • Disable auto-update for VS Code extensions on production-adjacent machines
  • Pin extension versions in your team's .vscode/extensions.json
  • Separate your development credentials from your production credentials
  • Run VS Code in a sandboxed environment if you work with sensitive code

Need help assessing the damage?

If you or your team were running VS Code with Nx Console on May 19th and you're not sure whether you caught the malicious version, Ping7 can help with exposure review, credential rotation planning, and IOC checks across your development infrastructure.

  • Free quick check: Share your extension version list for exposure confirmation
  • Credential rotation assist: $99 - systematic rotation of all dev secrets
  • Full supply chain audit: $299 - extension lockdown + CI hardening + monitoring setup
