Nx Console v18.95.0 VS Code extension supply-chain compromise — credential-stealing payload harvested 1Password, Claude Code config, npm, GitHub PAT, AWS creds; published via stolen TanStack-leaked GitHub CLI OAuth token
cve · CVE-2026-48027
- Coverage timeline: 1 (first 2026-05-28 → last 2026-05-28)
- Briefs: 1 (1 distinct)
- Sources cited: 31 (19 hosts)
- Sections touched: 1 (deep_dive)
- Co-occurring entities: 0 (no co-occurrence)
Story timeline
- 2026-05-28: CTI Daily Brief — 2026-05-28
Where this entity is cited
- deep_dive: 1
Source distribution
- attack.mitre.org: 9 (29%)
- cert.ssi.gouv.fr: 2 (6%)
- cisa.gov: 2 (6%)
- github.com: 2 (6%)
- socket.dev: 2 (6%)
- blog.daemon-tools.cc: 1 (3%)
- cybersecuritynews.com: 1 (3%)
- helpnetsecurity.com: 1 (3%)
- other: 11 (35%)
External references
All cited sources (31)
- github.com (primary, inline): GHSA-g7cv-rxg3-hmpx, https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx
- github.com (primary, inline): GHSA-c9j4-9m59-847w, https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w
- attack.mitre.org (inline): T1021.007 (Remote Services: Cloud Services), https://attack.mitre.org/techniques/T1021/007/
- attack.mitre.org (inline): T1059 Command and Scripting Interpreter, https://attack.mitre.org/techniques/T1059/
- attack.mitre.org (inline): T1072 Remote Device Management, https://attack.mitre.org/techniques/T1072/
- attack.mitre.org (inline): T1078 Valid Accounts, https://attack.mitre.org/techniques/T1078/
- attack.mitre.org (inline): Cloud Account Discovery, https://attack.mitre.org/techniques/T1087/004/
- attack.mitre.org (inline): T1190 Exploit Public-Facing Application, https://attack.mitre.org/techniques/T1190/
- attack.mitre.org (inline): Cloud Service Discovery, https://attack.mitre.org/techniques/T1526/
- attack.mitre.org (inline): T1552.001 (Unsecured Credentials: Credentials In Files), https://attack.mitre.org/techniques/T1552/001/
- attack.mitre.org (inline): T1584.007 Compromise Infrastructure: Certificate Authorities, https://attack.mitre.org/techniques/T1584/007/
- blog.daemon-tools.cc (inline): Disc Soft Limited security incident notice, https://blog.daemon-tools.cc/post/security-incident
- cert.ssi.gouv.fr (inline): CERT-FR / cert.ssi.gouv.fr, 2026-05-04/05, https://www.cert.ssi.gouv.fr/
- cert.ssi.gouv.fr (inline): CERT-FR CERTFR-2026-AVI-0576, 2026-05-13, https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0576/
- cisa.gov (inline): CISA KEV, 2026-05-27, https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- cisa.gov (inline): CISA KEV, 2026-05-21, https://www.cisa.gov/news-events/alerts/2026/05/21/cisa-adds-two-known-exploited-vulnerabilities-catalog
- cybersecuritynews.com (inline): CybersecurityNews, 2026-05-19, https://cybersecuritynews.com/nx-console-vs-code-extension-compromised/
- helpnetsecurity.com (inline): Help Net Security, 2026-05-21, https://www.helpnetsecurity.com/2026/05/21/github-grafana-breach-root-cause-nx-console/
- hkcert.org (inline): HKCERT Advisory 20260522, https://www.hkcert.org/security-bulletin/trend-micro-apex-one-multiple-vulnerabilities_20260522
- ivanti.com (inline): Ivanti, 2026-05-12, https://www.ivanti.com/blog/may-2026-security-update
- jpcert.or.jp (inline): JPCERT/CC at260014, 2026-05-22, https://www.jpcert.or.jp/english/at/2026/at260014.html
- kaspersky.com (inline): Kaspersky DAEMON Tools analysis, https://www.kaspersky.com/blog/daemon-tools-supply-chain-attack/55691/
- microsoft.com (inline): "The threat actor pivoted to the organization's Azure Key Vault estate — an environment more likely to centralize sensitive secrets and offer indirect access to production systems.", https://www.microsoft.com/en-us/security/blog/2026/05/18/storm-2949-turned-compromised-identity-into-cloud-wide-breach/
- nx.dev (inline): Nx postmortem, 2026-05-19, https://nx.dev/blog/nx-console-v18-95-0-postmortem
- ox.security (inline): Ox Security, https://www.ox.security/blog/new-actors-deploy-shai-hulud-clones-teampcp-copycats-are-here/
- securityweek.com (inline): 2026-05-13, https://www.securityweek.com/fortinet-ivanti-patch-critical-vulnerabilities/
- socket.dev (inline): Socket, 2026-05-23, https://socket.dev/blog/laravel-lang-compromise
- socket.dev (inline): Socket, 2026-05-22, https://socket.dev/blog/malicious-postinstall-hook-found-across-700-github-repos
- stepsecurity.io (inline): StepSecurity, 2026-05-18, https://www.stepsecurity.io/blog/actions-cool-issues-helper-github-action-compromised-all-tags-point-to-imposter-commit-that-exfiltrates-ci-cd-credentials
- success.trendmicro.com (inline): KA-0023430, https://success.trendmicro.com/en-US/solution/KA-0023430
- thehackernews.com (inline): The Hacker News, 2026-05-19, https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html
Items in briefs about Nx Console v18.95.0 VS Code extension supply-chain compromise — credential-stealing payload harvested 1Password, Claude Code config, npm, GitHub PAT, AWS creds; published via stolen TanStack-leaked GitHub CLI OAuth token
No parsed item heading or body matches this entity yet. Items match by exact CVE id (for CVE entities), by lead-segment substring of the title in the item heading or body, or by a distinctive anchor token from the title appearing in the item heading. Coverage that lives inside a broader section (no per-item heading) is captured by the Story timeline above.