CVE-2026-48027
Badges: KEV, EPSS 1.0%
Confidence: KEV-listed, corporate disclosures and chaining claims are credible, but a near-zero EPSS and no public PoC details weaken confidence slightly.
What: Supply-chain RCE in Nx Console (the editor extension and UI for Nx & Lerna) via a malicious version, 18.95.0, published to the extension marketplaces for roughly 18 to 36 minutes on 19 May 2026. No CVSS assigned; EPSS 0.00952.
Why it matters: KEV-listed as actively exploited (added 2026-05-27). Public reporting links the CVE to real-world incidents: an SEC 8-K filing by Karman Holdings (June 1), alleged chaining with CVE-2026-45321 in attacks on developer tooling, and sanctions-evasion allegations. Because this is a supply-chain compromise of a developer tool, downstream risk is asymmetric: a short publish window still reaches every developer host that installed or auto-updated during it, and a compromised developer host can in turn expose source, secrets and build artifacts.
Where it's seen: CISA KEV catalog announcement, threat-intel aggregators, and developer-security accounts flagging urgent patching; corporate disclosures (the 8-K) and dark-web chatter are also cited. The patch path is clear: upgrade to 18.100.0.
RISK: CRITICAL — KEV-listed, active exploitation, SEC disclosure, supply-chain attack vector, developer tooling compromise.
Description
Nx Console is the user interface for Nx & Lerna. On 19 May 2026 a malicious version, 18.95.0, was published to the Visual Studio Marketplace at 12:30 UTC and removed at 12:48 UTC, leaving it available for about 18 minutes. On OpenVSX the problem was detected later, and the compromised version was available from 12:33 UTC to 13:09 UTC (about 36 minutes). Version 18.100.0 of Nx Console is not compromised; users can remediate by upgrading to that version. Upgrading removes the malicious build but does not undo anything it ran while installed, so hosts that had 18.95.0 installed should be treated as compromised and investigated, not just updated.
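The version check a responder would run against a developer host, as an added example that is not part of this advisory or of the Nx project. It assumes the extension ID is nrwl.angular-console and that `code --list-extensions --show-versions` prints one `publisher.name@version` per line; the version numbers 18.95.0 and 18.100.0 come from the advisory text above. The sample listings in the usage section are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or the Nx project): classify the
# installed Nx Console extension against the advisory's version numbers.
# Assumptions (not in the original text): the extension ID is
# nrwl.angular-console and the listing format is "publisher.name@version".

MALICIOUS_VERSION="18.95.0"    # the only build the advisory names as malicious
FIXED_VERSION="18.100.0"       # the build the advisory names as clean
EXT_ID="nrwl.angular-console"  # assumption: VS Code / OpenVSX extension ID

# Compare two dotted versions component by component; prints -1, 0 or 1.
# Missing trailing components count as 0, so 18.100 == 18.100.0.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
  done
  echo 0
}

# Read an extension listing on stdin and print one status word for EXT_ID:
#   malicious  exactly 18.95.0 is installed: treat the host as compromised
#   outdated   another version below 18.100.0: not known-malicious, but
#              below the build the advisory names as clean; upgrade
#   ok         18.100.0 or newer
#   absent     the extension is not installed
nx_console_status() {
  ver=$(grep "^${EXT_ID}@" | head -n 1 | cut -d@ -f2)
  if [ -z "$ver" ]; then echo absent; return; fi
  if [ "$(vercmp "$ver" "$MALICIOUS_VERSION")" -eq 0 ]; then echo malicious; return; fi
  if [ "$(vercmp "$ver" "$FIXED_VERSION")" -lt 0 ]; then echo outdated; return; fi
  echo ok
}

# Usage on a real host (skipped when the VS Code CLI is not present):
if command -v code >/dev/null 2>&1; then
  echo "nx console: $(code --list-extensions --show-versions | nx_console_status)"
fi

# Constructed sample listing, as a stand-alone demonstration:
printf 'ms-python.python@2026.1.0\nnrwl.angular-console@18.95.0\n' | nx_console_status
```

The same listing format is produced by the VSCodium CLI (`codium --list-extensions --show-versions`, an assumption) for hosts that pull from OpenVSX, which matters here because the OpenVSX window was twice as long. A `malicious` result is an incident, not a patching task: the extension runs with the developer's privileges, so the response is to preserve the host, rotate credentials it could reach, and review what was committed or built from it during and after the window.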