
[KEV] CVE-2026-48027 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2026-48027 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2026-48027 is a supply chain compromise of Nx Console, a developer productivity extension published by Nx: a malicious version of the extension was published with embedded code capable of credential harvesting.

Technical Detail

A threat actor was able to publish a trojanized version of the Nx Console extension, embedding code that fetched an obfuscated remote payload upon installation or execution. The payload was designed to harvest credentials from multiple sources, including files stored on disk and data held in memory, which could include authentication tokens, API keys, and stored passwords accessible within the developer environment. The attack surface is broad given that developer tools typically run with user-level or elevated privileges and have access to sensitive project files, environment variables, and credential stores.

Exploitation Status

CISA has confirmed active exploitation in the wild, with this CVE added to the Known Exploited Vulnerabilities catalog on May 27, 2026. The exploit maturity is rated Operational, meaning a functional exploit capable of reliable credential exfiltration was deployed in a real-world attack context, not merely demonstrated as a proof of concept. The obfuscated payload delivery mechanism indicates deliberate operational preparation by the responsible party.

Who Is Targeting This

No threat actor has been attributed at this time; neither confirmed nor reported threat actor associations have been established in the available data. Targeting developer tooling to harvest credentials is tradecraft consistent with software supply chain intrusion campaigns, but no actor has been formally attributed to this incident.

What To Do

Per CISA's Known Exploited Vulnerabilities directive, organizations must apply mitigations or patches by the deadline associated with the May 27, 2026 KEV listing. Immediately audit installed versions of Nx Console across all developer workstations and CI/CD environments, and remove any version confirmed to be compromised. Rotate all credentials, tokens, and secrets that may have been accessible on affected systems, including environment variables, SSH keys, cloud provider credentials, and package registry tokens. Review extension installation logs and network telemetry for outbound connections to unfamiliar or suspicious hosts that may indicate payload retrieval. Until a verified clean version is confirmed by Nx, consider disabling or blocking the extension in managed environments. Monitor for indicators of credential misuse across identity providers and cloud platforms used by affected developers.
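
One way to carry out the audit step on a workstation, as an added example that is not code from Nx, CISA or this briefing. It assumes the VS Code build of the extension (marketplace id nrwl.angular-console) in the default per-user extension directories; the compromised version is a placeholder because the briefing does not name it.

```python
import json
import re
from pathlib import Path

# Assumption: VS Code marketplace id of Nx Console (not stated in the briefing).
EXTENSION_ID = "nrwl.angular-console"
# Placeholder: fill in the trojanized version(s) from the vendor advisory.
COMPROMISED_VERSIONS = {"REPLACE-WITH-ADVISORY-VERSION"}
# Assumption: default extension directories of VS Code, Insiders and Remote server.
DEFAULT_ROOTS = [".vscode/extensions", ".vscode-insiders/extensions",
                 ".vscode-server/extensions"]

DIR_RE = re.compile(r"^" + re.escape(EXTENSION_ID) + r"-(\d+\.\d+\.\d+.*)$",
                    re.IGNORECASE)


def installed_versions(root):
    """Yield (version, path) for each Nx Console copy under one extensions dir."""
    root = Path(root)
    if not root.is_dir():
        return
    for entry in sorted(root.iterdir()):
        m = DIR_RE.match(entry.name)
        if not (m and entry.is_dir()):
            continue
        version = m.group(1)
        # Prefer package.json: the folder name may carry a platform suffix.
        try:
            manifest = json.loads((entry / "package.json").read_text("utf-8"))
            version = str(manifest.get("version", version))
        except (OSError, ValueError, AttributeError):
            pass  # unreadable manifest: fall back to the folder name
        yield version, entry


def audit(roots, compromised=COMPROMISED_VERSIONS):
    """List every installed copy; 'rotate' marks a version on the bad list."""
    return [{"path": str(path), "version": version,
             "rotate": version in compromised}
            for root in roots
            for version, path in installed_versions(root)]


if __name__ == "__main__":
    for f in audit(Path.home() / r for r in DEFAULT_ROOTS):
        status = "COMPROMISED: remove, rotate secrets" if f["rotate"] else "installed"
        print(f'{f["version"]:<12} {status:<36} {f["path"]}')
```

A host with no match may still have run the bad version earlier and since auto-updated, so a clean result does not replace the log and network review described above.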
