Nx Console Embedded Malicious Code Vulnerability (CVE-2026-48027)
Severity Assessment
- Exploitability: 9/10
- Impact: 9/10
- Weaponization Risk: 8/10
- Patch Urgency: 9/10
- Detection Coverage: 6/10
CISA added CVE-2026-48027 to KEV on 2026-05-27 with required action due by 2026-06-10. The KEV description and linked GHSA indicate active exploitation potential through a malicious developer-tool distribution path.
Summary
CVE-2026-48027 is tracked as an Nx Console malicious code event where a compromised extension version was published and distributed for a limited window. CISA KEV identifies this as an embedded malicious code vulnerability and references credential-harvesting behavior.
The linked GHSA describes publication and removal timing, affected version details, and remediation guidance, including upgrade and process cleanup actions.
Exploit Chain
Stage 1: Malicious Version Publication
An attacker-published compromised Nx Console version became available through extension distribution channels.
Stage 2: Payload Retrieval and Execution
The compromised extension fetched and executed additional obfuscated payload logic.
Stage 3: Credential Collection
The payload attempted to collect credentials from memory and disk-backed sources as documented in the GHSA.
Detection Guidance
- Identify installations of Nx Console 18.95.0 during the affected publication window.
- Monitor developer endpoints for suspicious child processes associated with extension runtime execution and scripted exfiltration attempts.
- Review outbound connections and local process artifacts after extension startup events on impacted endpoints.
Indicators of Compromise
- Nx Console version 18.95.0 present or executed in the exposure window described by GHSA.
- Suspicious processes noted by the advisory such as __DAEMONIZED and cat.py.
- Evidence of unauthorized access attempts to local/cloud credential material shortly after extension activation.
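One way to run the first detection check and the process indicator above on a developer endpoint, as an added example that is not code from the advisory or from the Nx project. It assumes extensions are unpacked one folder per extension with a package.json manifest, that the manifest's name or displayName identifies Nx Console, and that the process markers appear as whole tokens in a command line; the function names and default folders are hypothetical.

```python
import json
import re
from pathlib import Path

AFFECTED_VERSION = "18.95.0"                  # version named on this page
PROCESS_MARKERS = ("__DAEMONIZED", "cat.py")  # process names named on this page
NAME_HINT = "nxconsole"  # assumption: manifest name/displayName identifies Nx Console


def _norm(text):
    """Lowercase and drop punctuation so 'Nx Console' and 'nx-console' compare equal."""
    return re.sub(r"[^a-z0-9]", "", str(text).lower())


def find_affected_installs(extension_roots):
    """Return (folder, version) for each installed copy at the affected version."""
    hits = []
    for root in map(Path, extension_roots):
        if not root.is_dir():
            continue
        for manifest in sorted(root.glob("*/package.json")):
            try:
                meta = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or corrupt manifest: skip, keep sweeping
            if not isinstance(meta, dict):
                continue
            label = _norm(meta.get("displayName", "")) + "|" + _norm(meta.get("name", ""))
            version = str(meta.get("version", "")).strip()
            if NAME_HINT in label and version == AFFECTED_VERSION:
                hits.append((str(manifest.parent), version))
    return hits


def flag_processes(command_lines):
    """Return command lines where a token's basename equals a marker exactly."""
    flagged = []
    for line in command_lines:
        names = {re.split(r"[\\/]", tok)[-1] for tok in line.split()}
        if names & set(PROCESS_MARKERS):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    # Assumption: per-user extension folders used by common VS Code builds.
    dirs = (".vscode", ".vscode-insiders", ".vscode-server")
    for path, version in find_affected_installs(Path.home() / d / "extensions" for d in dirs):
        print(f"AFFECTED {version}: {path}")
```

Feed flag_processes the lines of a process listing collected by your endpoint tooling; exact basename matching keeps names such as concat.py from being flagged.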
Disclosure Timeline
2026-05-22 — GHSA advisory details published
GitHub security advisory GHSA-c9j4-9m59-847w documented malicious version exposure, impact, and remediation actions.
2026-05-27 — CISA KEV inclusion
CISA added CVE-2026-48027 to the KEV catalog with a 2026-06-10 required-action deadline.
Sources & References
- Cybersecurity and Infrastructure Security Agency: Known Exploited Vulnerabilities Catalog — Cybersecurity and Infrastructure Security Agency, 2026-05-27
- Cybersecurity and Infrastructure Security Agency: Known Exploited Vulnerabilities JSON Feed — Cybersecurity and Infrastructure Security Agency, 2026-05-27
- GitHub: GHSA-c9j4-9m59-847w Security Advisory — GitHub, 2026-05-22