CVE-2026-48027 — Eighteen minutes of Nx Console in the VS Code Marketplace and 3,800 GitHub internal repos later, supply chain has shifted up one layer

TL;DR — the 90-second summary

What was disclosed?

CVE-2026-48027 (added to the CISA KEV catalogue on 27 May 2026), a compromised version 18.95.0 of the Nx Console extension for VS Code and VS Code-compatible IDEs (Cursor, VSCodium, Windsurf via OpenVSX). The malicious version was live on 18 May 2026 between 12:30 UTC and 12:48 UTC — exactly eighteen minutes — in the Visual Studio Marketplace, and from 12:33 to 13:09 UTC (36 minutes) on Open VSX in parallel; Nx itself classified the case as critical and assigned the CVE.

How severe?

Critical on the credential class: the payload (Google TI calls it SANDCLOCK) harvests GitHub personal-access tokens, OAuth and app tokens, npm authentication tokens, AWS credentials via instance metadata and environment variables, HashiCorp Vault tokens, Kubernetes service-account secrets, 1Password CLI sessions, SSH private keys, Google Cloud and Docker credentials — and, explicitly, Claude Code configuration files — in a single sweep from the file system and the in-memory cache of the developer machine. GitHub CISO Alexis Wales has publicly confirmed the consequence: around 3,800 GitHub internal repositories exfiltrated, OpenAI, Grafana Labs and Mistral AI named as downstream victims. According to Narwhal’s estimate (Jeff Cross, co-founder), more than 6,000 developers pulled the malicious version during the 18 marketplace and 36 OpenVSX minutes.

Which Nx Console versions are affected?

Strictly version 18.95.0 only — it is the only malicious build published to the marketplaces. Preceding and following versions do not carry the malicious payload. Required fix: Nx Console 18.100.0 or higher, plus a complete persistence cleanup and credential rotation on every machine that pulled 18.95.0 during the marketplace window.

What was the entry path?

The TanStack npm wave of 11 May 2026 (CVE-2026-45321, attributed to TeamPCP / the “Mini Shai-Hulud” campaign), where pull-request-target “Pwn Request” patterns, GitHub Actions cache poisoning and OIDC token extraction were used to publish 84 malicious versions across 42 @tanstack/* packages. A Narwhal developer identity rolled out of the TanStack token pool — the attacker used it to sign Nx Console 18.95.0 and publish it in both marketplaces (Visual Studio Marketplace and Open VSX).

Am I affected as a Moselwal client?

Moselwal itself does not run an Nx stack — TYPO3, Sylius and our platform components need neither the build system nor the console extension. So you are directly affected only if a development team on your platform works with an Nx monorepo in parallel to us (typical in larger JavaScript/TypeScript front-end teams or in Sylius storefronts with React/Vue front-ends) and runs Nx Console in VS Code, Cursor or Windsurf there. Indirectly the class hits us through the Claude Code configuration files — anyone running Claude Code in their own workbench workflow who also pulled an Nx Console auto-update in the 18-minute window has potentially exposed their Claude Code config. The operational question is therefore three-fold: which developer machines had Nx Console active, which were online in the window, which credentials have not yet been rotated since 18 May.

Immediate mitigation?

Raise Nx Console to 18.100.0 or higher, check marketplace plugin state, then run a full credential rotation on every machine that was online in the 18 May window: every GitHub personal-access token, every npm auth token, every AWS access key, every GCP service-account key, every Vault token, every SSH private key (regenerate the ~/.ssh/ tree from scratch), 1Password CLI session log-out and re-auth, Docker login with new credentials, plus rotate Anthropic API keys and Claude Code configurations. Plus an audit sweep of CI/CD logs for unusual push/pull/release activity since 18 May.

 

What happened

The disclosure chain is documented. On 18 May 2026 an attacker published a malicious version 18.95.0 of the Nx Console extension under the verified publisher handle nrwl — from 12:30 UTC to 12:48 UTC in the Visual Studio Marketplace (18 minutes) and from 12:33 UTC to 13:09 UTC in parallel on Open VSX (36 minutes). Against a total install base of around 2.2 million for the extension, more than 6,000 developer machines pulled the malicious version in the window according to Narwhal’s estimate (Jeff Cross, co-founder of Narwhal Technologies); Microsoft and Nx subsequently pulled the version, and Nx Console 18.100.0 shipped as a clean fix build.

The methodologically interesting point is the separation of carrier and payload. The extension bundle itself carried no malicious code; on workspace activation it ran a single shell call that fetched a hidden nx-next package from an orphaned commit on the official nrwl/nx repository — disguised as a routine Nx MCP setup task. Google’s Threat Intelligence team named the post-loaded stealer “SANDCLOCK”; it reads standardised file paths (~/.aws/, ~/.gcp/, ~/.kube/, ~/.ssh/, ~/.npmrc, ~/.docker/, ~/.config/op/), in-memory caches of common CLI tools (1Password CLI, Vault VAULT_TOKEN env), GitHub personal-access tokens, OAuth tokens, npm authentication tokens — and, explicitly, Claude Code configuration files. The latter is the class that makes this incident relevant for every team running Claude Code in the workbench workflow, even if Nx itself is not in the stack.

The entry path is the TanStack npm compromise of 11 May (CVE-2026-45321), in which the attacker group TeamPCP used pull-request-target “Pwn Request” patterns, GitHub Actions cache poisoning and OIDC token extraction to publish 84 malicious versions across 42 @tanstack/* packages — part of the “Mini Shai-Hulud” worm that TeamPCP has been running cross-ecosystem since April/May 2026. A Narwhal developer identity rolled out of the token pool gathered there, which the attacker used for the marketplace publication. GitHub CISO Alexis Wales confirmed the incident publicly on 21 May: roughly 3,800 internal GitHub repositories were exfiltrated via compromised employee machines, OpenAI, Grafana Labs and Mistral AI are named as downstream victims.

Technical analysis

Structurally, CVE-2026-48027 is not a classical code vulnerability but a supply-chain compromise incident in IDE extension distribution. The malicious version was live for only 18 minutes in the Visual Studio Marketplace and 36 minutes on Open VSX, yet marketplace pulls in that window exceeded 6,000 installs — a speed that shows how automatically IDE extensions are pulled in modern dev workflows. Anyone running VS Code or Cursor with extension auto-update enabled took no conscious installation decision between 12:30 and 12:48 UTC on 18 May — the extension simply grew in.

The payload class is a local credential harvester, named SANDCLOCK by Google Threat Intelligence. It reads standardised file paths (~/.aws/credentials, ~/.gcp/credentials, ~/.kube/config, ~/.ssh/, ~/.npmrc, ~/.docker/config.json, ~/.config/op/), reaches into in-memory caches of common CLI tools (1Password CLI session tokens, Vault tokens via VAULT_TOKEN env or ~/.vault-token), GitHub personal-access and OAuth tokens, npm authentication tokens — and, explicitly, Claude Code configuration files. It exfiltrates the harvested credentials to a command-and-control endpoint. That is textbook “workstation credential vacuum” functionality, but the list of harvested sources is wide enough that one affected developer machine surrenders full access to its owner’s cloud identity and AI tooling configuration. If that identity also carries repository pull rights on the internal organisation repositories — the normal case on a modern developer machine — then the jump from “credentials stolen” to “internal repositories exfiltrated” is trivial.

The connection to the TanStack wave is the methodologically interesting picture. TeamPCP has been operating since the first Mini Shai-Hulud waves in April and May 2026 with a cross-ecosystem pattern: a token captured in npm is used to publish to a neighbouring distribution platform — PyPI, RubyGems, the Visual Studio Marketplace, Open VSX. The attacker’s supply-chain topology is no longer “one npm maintainer account, one wave”; it is “one identity collection, many waves”. CVE-2026-48027 is the first IDE-extension wave in this series that has moved into the CISA KEV catalogue, and probably not the last.

What this means for the Mittelstand

We are not writing this post out of being affected ourselves. Moselwal does not run an Nx stack — TYPO3, Sylius and our platform components need neither the build system nor the console extension, and our developer machines have never had Nx Console installed. Among parts of our clientele Nx very much sits in the picture though: in larger JavaScript/TypeScript monorepos (enterprise front-end teams, Sylius storefronts with React/Vue front-ends), in TypeScript platform repos that use Nx as a workspace tool without thinking of themselves as a “monorepo”, and everywhere a front-end team has Nx Console in VS Code or Cursor as a standard integration in the onboarding pack.

The operational lever for ourselves lies one layer further — in the Claude Code configuration files SANDCLOCK explicitly harvests. Anyone on our team or on a client team working with Claude Code who also pulled an Nx Console auto-update during the 18-minute Visual Studio Marketplace or 36-minute Open VSX window (e.g. because the same notebook is used for a second project that does carry Nx) has potentially had their ~/.claude/ and ~/.config/anthropic/ contents exfiltrated. For teams in the Central European time zone, the window was 18 May, 14:30 to 14:48 CEST (Marketplace) and 14:33 to 15:09 CEST (Open VSX) — early Monday afternoon. The reflex question is not “do we have Nx” but “is there any one of our or our client machines that runs Claude Code in parallel to an Nx workspace, and was that machine online in the window?”

Compliance-wise the incident sits on the standard axes, with a new layer added. NIS-2 Art. 21 demands supply-chain discipline, and the TanStack→Nx Console chain is supply chain in exactly the expanded definition NIS-2 explicitly opens — not only direct software dependencies but the tools used to build them. BSI APP.4.3 (server web applications) and APP.6 (general software) carry the finding on the application-layer side; on the workstation side, DER.1 (detection) and CON.3 (data protection) are the relevant building blocks. GDPR Art. 32 affects every platform whose repository contents carry personal data — configuration files, customer test data sets, backup scripts; a 3,800-repository exfiltration like GitHub’s own is a reportable incident as soon as the personal-data content is confirmed. For DORA-regulated entities (financial services) and MaRisk houses, IDE extensions as a supply-chain component now go explicitly into the third-party risk inventory — and that is a layer most existing SBOM pipelines did not previously capture.

What this means for technical development

Methodologically, the TanStack→Nx Console chain traces a pattern we have seen repeatedly in the daily-news wave over the last two weeks. Cross-ecosystem identity chaining is becoming the main class of supply-chain incidents. It is no longer “one maintainer account is taken over, one wave runs”; it is “one token collection is built, several waves across npm, PyPI, RubyGems and IDE marketplaces run out of the same collection”. The lesson for Mittelstand tooling is not “use fewer open-source tools” but: SBOM pipelines have to capture IDE extensions explicitly, and credential-rotation discipline on developer machines is its own category alongside server credential rotation.

Architecturally, the second lesson sits in IDE-extension auto-update configuration. Visual Studio Code pulls extensions automatically by default as soon as a new version appears in the marketplace; that is convenience for the developer, but an Achilles’ heel in a world where an 18-minute marketplace gap gathers more than 6,000 installations. For security-oriented teams, the reflex of disabling extension auto-update and pulling updates only in a curated maintenance window is no longer paranoid configuration but a reasonable default discipline. In the enterprise context there is the additional option of enforcing extension allowlists via group policy or MDM — more effort, but for regulated industries under DORA and NIS-2 the next logical step.

Concrete recommendations

In this order. First, check today whether Nx Console is running on your developer machines — at Moselwal it is not (TYPO3/Sylius stack), among parts of our clientele with JavaScript/TypeScript front-end teams it very much is: code --list-extensions | grep -i nrwl.angular-console (and the corresponding Cursor/Windsurf call) gives the overview. Second, if Nx Console is installed: raise the version to 18.100.0 or higher, remove all persistence artefacts (marketplace cache, extension storage) of 18.95.0, the same for nx-next artefacts under ~/.npm/_npx/. Third, for every machine that was online with marketplace or Open VSX update activity in the 18 May, 12:30–13:09 UTC window: full credential rotation — GitHub PATs, npm tokens, AWS keys, GCP service-account keys, Vault tokens, SSH key tree, 1Password re-auth, Docker login, plus Anthropic API keys and Claude Code configurations, because SANDCLOCK harvests this class explicitly. Fourth, an audit sweep of CI/CD and Git logs for unusual push/release activity since 18 May; specifically force pushes, new tags and unannounced releases. Fifth, for security-relevant developer profiles disable extension auto-update in VS Code (extensions.autoUpdate: false in the settings JSON) and pull extension updates only in a curated weekly maintenance window. Sixth, document IDE extensions in your SBOM process — if you don’t have one, this is the occasion to set one up. If any of these steps don’t run under your own steam, talk to us: Moselwal builds developer workstation stacks and SBOM pipelines that treat IDE extensions as their own supply-chain class.

This post reflects our technical and strategic assessment. It does not replace legal advice or a data-protection impact assessment.

Sources

• CISA — Adds Three Known Exploited Vulnerabilities to Catalog (27 May 2026, incl. CVE-2026-48027)
• GitHub issue nrwl/nx-console#3140 — SECURITY: v18.95.0 executes obfuscated payload from dangling commit on nrwl/nx via npx on workspace activation (18 May 2026)
• The Hacker News — Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer (as of 27 May 2026)
• The Hacker News — GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension (as of 27 May 2026)
• Help Net Security — GitHub, Grafana Labs breaches traced back to TanStack supply chain compromise (21 May 2026)
• Bleeping Computer — GitHub links repo breach to TanStack npm supply-chain attack (21 May 2026)
• SecurityAffairs — U.S. CISA adds Daemon Tools, TanStack, and Nx Console flaws to its Known Exploited Vulnerabilities catalog (27 May 2026)
• Corgea Research — GitHub Breached Through Poisoned VS Code Extension: 3,800 Internal Repos Stolen (May 2026)