Nx Console Embedded Malicious Code Execution (CVE-2026-48027)

CVE-2026-48027 describes an embedded malicious code vulnerability (CWE-506) in Nx Console, a popular VS Code and JetBrains IDE extension for managing Nx monorepos. A compromised or trojanized version of Nx Console contains backdoored code that executes at extension load time within the developer IDE process, enabling attacker-controlled behavior including credential harvesting, reverse shells, or supply chain lateral movement into CI/CD pipelines. This vulnerability is listed in CISA KEV, indicating active exploitation in the wild. Detection focuses on anomalous process spawning from IDE extension host processes, unexpected network connections originating from VS Code or JetBrains runtimes, and suspicious file writes consistent with embedded malicious payloads.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor: Nx
Product: Nx Console

Weakness (CWE): CWE-506 (Embedded Malicious Code)

Timeline

Disclosed: May 27, 2026

CVSS: Unscored

What is Nx Console Embedded Malicious Code Execution (CVE-2026-48027)?

Nx Console Embedded Malicious Code Execution (CVE-2026-48027) maps to the MITRE ATT&CK tactics Initial Access, Execution, Persistence, and Command and Control; under Initial Access, the adversary is trying to get into your network.

This page provides production-ready detection logic for Nx Console Embedded Malicious Code Execution (CVE-2026-48027), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel DeviceProcessEvents, Windows Security Event Log. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactics: Initial Access, Execution, Persistence, Command and Control

Microsoft Sentinel / Defender (KQL)
let SuspectParents = dynamic(["code", "code-insiders", "code - insiders", "webstorm", "idea", "rider", "node"]);
let LateralBinaries = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "bash", "sh", "python", "python3", "curl", "wget", "certutil", "mshta", "wscript", "cscript", "nc", "ncat", "socat"]);
// Security Event 4688 carries full paths under different column names; project it onto the
// Defender schema so the union below can filter both sources with the same predicates.
let Sec4688 = SecurityEvent
| where EventID == 4688
| extend FileName = extract(@"([^\\]+)$", 1, NewProcessName), FolderPath = NewProcessName, ProcessCommandLine = CommandLine,
    InitiatingProcessFileName = extract(@"([^\\]+)$", 1, ParentProcessName), InitiatingProcessCommandLine = "",
    DeviceName = Computer, AccountName = SubjectUserName;
union DeviceProcessEvents, Sec4688
| where TimeGenerated > ago(7d)
// Either the command line references Nx Console components, or an IDE/Node runtime spawns a shell, script engine or network tool
| where ProcessCommandLine has_any ("nx-console", "@nrwl/nx-console", "nxls", "nx-language-server")
   or (InitiatingProcessFileName has_any (SuspectParents) and FileName has_any (LateralBinaries))
| extend ExtensionHostSuspicion = InitiatingProcessFileName has_any (SuspectParents) and FileName has_any (LateralBinaries)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath, ExtensionHostSuspicion
| order by TimeGenerated desc

Detects suspicious child process spawning from VS Code or JetBrains IDE extension host processes consistent with embedded malicious code in Nx Console (CVE-2026-48027). Flags shell, scripting engine, or network utility execution initiated by IDE runtimes.

Severity: critical. Confidence: medium.

Data Sources

  • Microsoft Defender for Endpoint
  • Microsoft Sentinel DeviceProcessEvents
  • Windows Security Event Log

Required Tables

  • DeviceProcessEvents
  • SecurityEvent
  • DeviceNetworkEvents

False Positives

  • Legitimate Nx CLI invocations that spawn shell processes during workspace scaffolding or build tasks
  • Developer-initiated terminal sessions opened from within VS Code that naturally spawn bash or cmd
  • Automated CI test runners executing within a developer's local IDE context
  • Node.js-based test frameworks (Jest, Vitest) spawned by the extension during test runs
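The predicates of the Sentinel/Defender query above, re-implemented in Python as an added example (not code from the original page or from the Nx project) so they can be exercised offline against constructed process-creation records from both data sources, Defender DeviceProcessEvents and Windows Security Event 4688. It also applies one tuning step for the second false positive listed above; that step assumes VS Code tags its helper processes with `--type=extensionHost` and `--type=ptyHost`, which is not stated on this page.

```python
"""Added example: the Sentinel/Defender predicates re-implemented in Python and run over
constructed records from Defender DeviceProcessEvents and Windows Security Event 4688.
The integrated-terminal suppression assumes VS Code marks its helper processes with
--type=extensionHost / --type=ptyHost (assumption, not from the page)."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ntpath

# Term lists from the query above; '.exe' is stripped on both sides so that KQL's
# term matching ('code' matches 'code.exe') is approximated by set membership.
SUSPECT_PARENTS = {"code", "code-insiders", "webstorm", "idea", "rider", "node"}
LATERAL_BINARIES = {"powershell", "pwsh", "cmd", "bash", "sh", "python", "python3",
                    "curl", "wget", "certutil", "mshta", "wscript", "cscript",
                    "nc", "ncat", "socat"}
NX_MARKERS = ("nx-console", "@nrwl/nx-console", "nxls", "nx-language-server")


@dataclass
class ProcEvent:
    """Common shape for a process-creation record from either data source."""
    device: str
    account: str
    parent_name: str      # image name of the initiating (parent) process
    parent_cmdline: str   # empty for Security 4688, which does not record it
    file_name: str        # image name of the created process
    cmdline: str


def image_term(path_or_name: str) -> str:
    """'C:\\Program Files\\nodejs\\node.exe' -> 'node'; 'Code.exe' -> 'code'."""
    name = ntpath.basename(path_or_name).lower()
    return name[:-4] if name.endswith(".exe") else name


def from_defender(rec: Dict) -> ProcEvent:
    return ProcEvent(rec["DeviceName"], rec["AccountName"],
                     rec["InitiatingProcessFileName"], rec.get("InitiatingProcessCommandLine", ""),
                     rec["FileName"], rec.get("ProcessCommandLine", ""))


def from_security_4688(rec: Dict) -> ProcEvent:
    """Security Event 4688 stores full paths in NewProcessName / ParentProcessName."""
    return ProcEvent(rec["Computer"], rec["SubjectUserName"],
                     ntpath.basename(rec["ParentProcessName"]), "",
                     ntpath.basename(rec["NewProcessName"]), rec.get("CommandLine", ""))


def classify(ev: ProcEvent) -> Optional[Dict]:
    """Return a finding for records the query would surface, None otherwise."""
    nx_marker = any(m in ev.cmdline.lower() for m in NX_MARKERS)
    ext_host = (image_term(ev.parent_name) in SUSPECT_PARENTS
                and image_term(ev.file_name) in LATERAL_BINARIES)
    # Tuning for false positive 2 above: a shell opened from VS Code's integrated
    # terminal descends from the pty host, not the extension host (assumed marker).
    if ext_host and "--type=ptyhost" in ev.parent_cmdline.lower():
        ext_host = False
    if not (nx_marker or ext_host):
        return None
    return {"device": ev.device, "account": ev.account, "parent": ev.parent_name,
            "child": ev.file_name, "cmdline": ev.cmdline,
            "ExtensionHostSuspicion": ext_host, "NxMarker": nx_marker}


def run_detection(events: List[ProcEvent]) -> List[Dict]:
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample records (not real telemetry).
DEFENDER_ROWS = [
    {"DeviceName": "DEV-01", "AccountName": "alice", "InitiatingProcessFileName": "Code.exe",
     "InitiatingProcessCommandLine": "Code.exe --type=extensionHost",
     "FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe -NoProfile -Command (constructed)"},
    {"DeviceName": "DEV-01", "AccountName": "alice", "InitiatingProcessFileName": "Code.exe",
     "InitiatingProcessCommandLine": "Code.exe --type=ptyHost",
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe"},  # integrated terminal (FP 2)
    {"DeviceName": "DEV-01", "AccountName": "alice", "InitiatingProcessFileName": "Code.exe",
     "InitiatingProcessCommandLine": "Code.exe --type=extensionHost",
     "FileName": "node.exe", "ProcessCommandLine": "node.exe node_modules\\jest\\bin\\jest.js"},  # test runner (FP 4)
    {"DeviceName": "DEV-01", "AccountName": "alice", "InitiatingProcessFileName": "Code.exe",
     "InitiatingProcessCommandLine": "Code.exe --type=extensionHost",
     "FileName": "node.exe", "ProcessCommandLine": "node.exe <nx-console-ext-dir>\\nxls\\main.js --stdio"},
]
SECURITY_ROWS = [
    {"Computer": "DEV-02", "SubjectUserName": "bob", "EventID": 4688,
     "ParentProcessName": "C:\\Program Files\\nodejs\\node.exe",
     "NewProcessName": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl.exe --silent http://127.0.0.1:8181/"},
]
SAMPLE_EVENTS = [from_defender(r) for r in DEFENDER_ROWS] + [from_security_4688(r) for r in SECURITY_ROWS]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding)
```

Running it yields three findings: the extension-host-to-PowerShell spawn, the nxls command line (marker hit only, since node.exe is not a lateral binary), and the node-to-curl spawn seen through Security Event 4688. The integrated-terminal cmd.exe and the Jest run are dropped, matching false positives 2 and 4 above.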

Sigma rule & cross-platform mapping

The detection logic for Nx Console Embedded Malicious Code Execution (CVE-2026-48027) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps), and CrowdStrike LogScale (CQL). In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Nx Console Extension Host Spawning Reverse Shell (Windows)

     Expected signal: DeviceProcessEvents: powershell.exe spawned with parent chain including node.exe or code.exe; DeviceNetworkEvents: TCP connect attempt to 127.0.0.1:9999

  2. Test 2: Simulate Nx Console Extension Credential File Exfiltration (Linux/macOS)

     Expected signal: Process creation event: bash spawned with cat and curl in command line; Network event: HTTP POST to 127.0.0.1:8181 from bash process; File access events on .npmrc and .gitconfig

  3. Test 3: Drop and Execute Malicious Script from Temp Directory (macOS)

     Expected signal: Process events: node.exe spawning sh executing a script from /tmp; File creation events for /tmp/nx_test_payload.sh and /tmp/nx_beacon.txt with initiating process node

  4. Test 4: Nx Console VSIX Backdoor Package Installation Simulation

     Expected signal: File system events showing creation of extension directory and package.json under .vscode/extensions; if extension activated, bash process spawned from VS Code extension host
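Each test above states an expected signal, but confirming that the telemetry actually captured it means walking the parent chain (Test 1 asks for a parent chain, not a direct parent) and correlating a network event back to the same process. The following checker does that for Test 1 as an added example; it is not part of the original page, the records are constructed, and the field names follow Defender's DeviceProcessEvents and DeviceNetworkEvents columns. The `find_expected_signal` function is general enough to express the process-plus-network expectations of the other tests as well.

```python
"""Added example (not from the original page): verify that a telemetry export from
Test 1 contains the expected signal. Records are constructed; field names follow the
DeviceProcessEvents / DeviceNetworkEvents schema."""
from typing import Dict, List, Optional, Set

# Constructed DeviceProcessEvents rows; ProcessId -> InitiatingProcessId is the parent link.
PROC_EVENTS = [
    {"ProcessId": 100, "InitiatingProcessId": 1,   "FileName": "explorer.exe",   "ProcessCommandLine": "explorer.exe"},
    {"ProcessId": 200, "InitiatingProcessId": 100, "FileName": "Code.exe",       "ProcessCommandLine": "Code.exe"},
    {"ProcessId": 210, "InitiatingProcessId": 200, "FileName": "Code.exe",       "ProcessCommandLine": "Code.exe --type=extensionHost"},
    {"ProcessId": 300, "InitiatingProcessId": 210, "FileName": "node.exe",       "ProcessCommandLine": "node.exe (constructed)"},
    {"ProcessId": 400, "InitiatingProcessId": 100, "FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe"},  # user-launched
    {"ProcessId": 310, "InitiatingProcessId": 300, "FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe -NoProfile (constructed)"},
]
# Constructed DeviceNetworkEvents rows.
NET_EVENTS = [
    {"InitiatingProcessId": 400, "ActionType": "ConnectionSuccess", "RemoteIP": "127.0.0.1", "RemotePort": 9999},
    {"InitiatingProcessId": 310, "ActionType": "ConnectionAttempt", "RemoteIP": "127.0.0.1", "RemotePort": 9999},
]


def parent_chain(pid: int, by_pid: Dict[int, Dict], max_depth: int = 32) -> List[str]:
    """Image names from the given process upward, stopping at an unknown pid or a cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(by_pid[pid]["FileName"].lower())
        pid = by_pid[pid]["InitiatingProcessId"]
    return chain


def find_expected_signal(proc_events: List[Dict], net_events: List[Dict], child: str,
                         ancestors: Set[str], remote_ip: str, remote_port: int) -> Optional[Dict]:
    """First <child> process whose ancestry includes one of <ancestors> and which produced
    a network event to remote_ip:remote_port; None if the signal is absent.
    Keying on ProcessId alone is a simplification: pids are reused, so production
    correlation should also match ProcessCreationTime / InitiatingProcessCreationTime."""
    by_pid = {e["ProcessId"]: e for e in proc_events}
    wanted = {a.lower() for a in ancestors}
    for ev in proc_events:
        if ev["FileName"].lower() != child.lower():
            continue
        chain = parent_chain(ev["InitiatingProcessId"], by_pid)
        if not wanted.intersection(chain):
            continue  # e.g. a PowerShell the user launched from Explorer
        hits = [n for n in net_events
                if n["InitiatingProcessId"] == ev["ProcessId"]
                and n["RemoteIP"] == remote_ip and n["RemotePort"] == remote_port]
        if hits:
            return {"pid": ev["ProcessId"], "chain": chain, "network": hits[0]["ActionType"]}
    return None


def check_test1(proc_events: List[Dict] = PROC_EVENTS, net_events: List[Dict] = NET_EVENTS) -> Optional[Dict]:
    """Test 1 expected signal: powershell.exe under node.exe/code.exe, connecting to 127.0.0.1:9999."""
    return find_expected_signal(proc_events, net_events, "powershell.exe",
                                {"node.exe", "code.exe"}, "127.0.0.1", 9999)


if __name__ == "__main__":
    print(check_test1())
```

On the constructed data the user-launched PowerShell (pid 400) is skipped even though it also reached 127.0.0.1:9999, because its ancestry is only explorer.exe; pid 310 is returned with the chain node.exe, code.exe, code.exe, explorer.exe. If the checker returns None after a test run, the gap is in collection (missing parent links or network telemetry), not in the detection query.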
