{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/nx/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-48027"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Nx Console"],"_cs_severities":["high"],"_cs_tags":["supply-chain","credential-theft","cve"],"_cs_type":"advisory","_cs_vendors":["Nx"],"content_html":"\u003cp\u003eNx Console, a widely used IDE extension, was compromised when a malicious version containing embedded malicious code was published to the extension marketplace. Tracked as CVE-2026-48027, the compromised extension fetched an obfuscated payload designed to harvest credentials from on-disk locations and from process memory. The incident highlights the supply chain risk that IDE extensions carry: an extension update runs with the developer\u0026rsquo;s own permissions, so a compromised release has direct access to whatever credentials the developer\u0026rsquo;s workstation holds. 
Defenders should apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer installs the legitimate Nx Console extension from the marketplace.\u003c/li\u003e\n\u003cli\u003eThe attacker publishes a malicious version of the Nx Console extension to the marketplace; this compromised release is what CVE-2026-48027 tracks.\u003c/li\u003e\n\u003cli\u003eThe developer\u0026rsquo;s IDE automatically updates to the malicious version of the extension, so no further action by the developer is needed.\u003c/li\u003e\n\u003cli\u003eThe malicious extension executes and fetches an obfuscated payload from a remote server.\u003c/li\u003e\n\u003cli\u003eThe obfuscated payload is executed within the context of the IDE, with the developer\u0026rsquo;s own file-system and network permissions.\u003c/li\u003e\n\u003cli\u003eThe payload scans the file system for common credential storage locations (e.g., .env files, configuration files).\u003c/li\u003e\n\u003cli\u003eThe payload also attempts to extract credentials from the IDE\u0026rsquo;s memory space, targeting API keys and tokens the IDE holds in memory.\u003c/li\u003e\n\u003cli\u003eThe harvested credentials are exfiltrated to a remote server controlled by the attacker, giving the attacker potential access to the systems and data those credentials protect.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the Nx Console extension led to the potential harvesting of credentials from developers\u0026rsquo; machines. The number of affected users is currently unknown. Successful exploitation could lead to unauthorized access to source code repositories, cloud infrastructure, and other sensitive resources. 
Because the extension runs with the developer\u0026rsquo;s own permissions, every credential reachable from the IDE process, on disk or in memory, is in scope, and a single harvested token for a source repository or cloud account can grant access well beyond the developer\u0026rsquo;s workstation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\u003c/li\u003e\n\u003cli\u003eTreat credentials that were stored on, or loaded into memory on, machines that ran the malicious version as exposed, and rotate them.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from IDE processes for outbound traffic to destinations outside the IDE\u0026rsquo;s expected update and marketplace endpoints; such connections may correspond to the payload fetch or the exfiltration stage of the attack chain.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious Outbound Connection from VSCode Extension\u0026rdquo; to detect potential data exfiltration from VSCode extensions.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring and audit logging so that execution of unusual or obfuscated payloads within the IDE context, and bulk reads of credential files such as .env, can be detected.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T17:41:19Z","date_published":"2026-05-27T17:41:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-nx-console-credential-harvesting/","summary":"A malicious version of the Nx Console extension (tracked as CVE-2026-48027) was published and harvested credentials from disk and memory on developers' machines.","title":"Nx Console Compromised Extension Harvesting Credentials (CVE-2026-48027)","url":"https://feed.craftedsignal.io/briefs/2026-05-nx-console-credential-harvesting/"}],"language":"en","title":"CraftedSignal Threat Feed — Nx","version":"https://jsonfeed.org/version/1.1"}
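The recommendations above ask for monitoring of outbound connections from IDE processes and for logging that surfaces credential-file access. The following is an added example, written for this page and not code from CraftedSignal, the Sigma rule named above, or the Nx project, showing that detection logic run over constructed sample telemetry. It assumes newline-delimited JSON events with Sysmon-style field names (`Image`, `CommandLine`, `ProcessId`, `DestinationHostname`, `TargetFilename`) plus a constructed `EventType` field; the destination allowlist, the read threshold and the rule names are illustrative assumptions to be tuned against your own baseline.

```python
# Added example (not from the brief or the Nx project): flag the two stages of
# the attack chain that host telemetry can see, an extension host making an
# unexpected outbound connection (payload fetch / exfiltration) and an
# extension host sweeping credential files on disk.
# ASSUMPTIONS: Sysmon-style field names, a constructed EventType field, and an
# illustrative allowlist / threshold.
import json
import re
from collections import defaultdict

# Destinations a VS Code extension host is normally expected to reach.
# ASSUMPTION: illustrative allowlist; build yours from baseline telemetry.
EXPECTED_HOSTS = {
    "marketplace.visualstudio.com",
    "update.code.visualstudio.com",
    "registry.npmjs.org",
    "github.com",
    "api.github.com",
}

# Basenames of VS Code processes on Windows, macOS and Linux (case-insensitive).
IDE_IMAGE_RE = re.compile(r"code(-insiders)?(\.exe)?|code helper( \(plugin\))?", re.I)
# VS Code runs extensions in a child process started with this flag.
EXT_HOST_FLAG = "--type=extensionHost"

# Credential files whose reads by an extension host are worth counting.
CREDENTIAL_PATH_RE = re.compile(
    r"[/\\](\.env(\.[^/\\]+)?|\.npmrc|\.netrc|\.git-credentials|credentials|id_(rsa|ed25519))$"
)
READ_THRESHOLD = 3  # distinct credential files read by one PID before alerting

# Constructed sample telemetry (not real logs). PID 4242 is a compromised
# extension host, PID 5151 a benign one, PID 1000 the main IDE process.
SAMPLE_EVENTS = r"""
{"EventType":"NetworkConnect","ProcessId":5151,"Image":"/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)","CommandLine":"Code Helper (Plugin) --type=extensionHost","DestinationHostname":"marketplace.visualstudio.com","DestinationPort":443}
{"EventType":"NetworkConnect","ProcessId":4242,"Image":"/usr/share/code/code","CommandLine":"/usr/share/code/code --type=extensionHost","DestinationHostname":"cdn-assets-update.example","DestinationPort":443}
{"EventType":"NetworkConnect","ProcessId":1000,"Image":"C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe","CommandLine":"Code.exe","DestinationHostname":"update.code.visualstudio.com","DestinationPort":443}
{"EventType":"FileRead","ProcessId":4242,"Image":"/usr/share/code/code","CommandLine":"/usr/share/code/code --type=extensionHost","TargetFilename":"/home/dev/proj/.env"}
{"EventType":"FileRead","ProcessId":4242,"Image":"/usr/share/code/code","CommandLine":"/usr/share/code/code --type=extensionHost","TargetFilename":"/home/dev/.npmrc"}
{"EventType":"FileRead","ProcessId":4242,"Image":"/usr/share/code/code","CommandLine":"/usr/share/code/code --type=extensionHost","TargetFilename":"/home/dev/.aws/credentials"}
{"EventType":"FileRead","ProcessId":4242,"Image":"/usr/share/code/code","CommandLine":"/usr/share/code/code --type=extensionHost","TargetFilename":"/home/dev/proj/src/index.ts"}
{"EventType":"FileRead","ProcessId":5151,"Image":"/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)","CommandLine":"Code Helper (Plugin) --type=extensionHost","TargetFilename":"/Users/dev/proj/.env"}
"""


def parse_jsonl(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_extension_host(event):
    """True when the event's process is a VS Code extension host."""
    basename = event.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1]
    return bool(IDE_IMAGE_RE.fullmatch(basename)) and EXT_HOST_FLAG in event.get("CommandLine", "")


def analyze(events):
    """Return (rule, pid, detail) alerts; network alerts first, then sweeps."""
    alerts = []
    credential_reads = defaultdict(set)
    for ev in events:
        if not is_extension_host(ev):
            continue  # the main IDE process legitimately talks to update servers
        if ev.get("EventType") == "NetworkConnect":
            host = (ev.get("DestinationHostname") or ev.get("DestinationIp") or "").lower()
            if host not in EXPECTED_HOSTS:
                alerts.append(("ide_ext_host_unexpected_outbound", ev["ProcessId"], host))
        elif ev.get("EventType") == "FileRead":
            path = ev.get("TargetFilename", "")
            if CREDENTIAL_PATH_RE.search(path):
                credential_reads[ev["ProcessId"]].add(path)
    # One .env read is normal for a workspace extension; a sweep across several
    # credential stores by the same process is not.
    for pid, paths in credential_reads.items():
        if len(paths) >= READ_THRESHOLD:
            alerts.append(("ide_ext_host_credential_sweep", pid, sorted(paths)))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in analyze(parse_jsonl(SAMPLE_EVENTS)):
        print(f"{rule}\tpid={pid}\t{detail}")
```

On the constructed sample this raises two alerts, both for PID 4242: the connection to the unlisted host and the sweep across `.env`, `.npmrc` and `.aws/credentials`; the benign extension host's single `.env` read stays under the threshold, and the main IDE process is ignored because it never carries the extension-host flag. The in-memory harvesting stage of the attack chain is not visible in this kind of telemetry, which is why the network and file-read rules are paired rather than relied on individually. Because the chain hinges on the IDE auto-updating the extension, pinning extension versions (VS Code exposes this through the `extensions.autoUpdate` setting) is a complementary control to the detections.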