


Perceptive Security
SOC/SIEM Consultancy

Supply Chain Compromises Impact Nx Console and GitHub Repositories
Published:
28 May 2026 at 12:00:00
Alert date:
28 May 2026 at 20:05:25
Source:
cisa.gov
Supply Chain & Dependencies, Enterprise Applications
CISA reports multiple supply chain attacks targeting developer ecosystems and CI/CD pipelines. Threat actors compromised Nx developer systems and used a malicious Nx Console VS Code extension (version 18.95.0) to compromise a GitHub employee's device, leading to unauthorized access and data exfiltration from internal GitHub repositories. A separate campaign called 'Megalodon' involved injecting malicious GitHub Action workflows to harvest CI/CD secrets, cloud credentials, and tokens from public repositories. The malicious extension was distributed through VS Code's automatic update mechanism, affecting systems without manual intervention. CVE-2026-48027 has been assigned and added to CISA's Known Exploited Vulnerabilities Catalog.
Technical details
Affected products:
Nx Console
GitHub
Visual Studio Code
Related links:
https://www.cisa.gov/news-events/alerts/2026/05/28/supply-chain-compromises-impact-nx-console-and-github-repositories
https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w
https://www.cve.org/CVERecord?id=CVE-2026-48027
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://github.blog/security/investigating-unauthorized-access-to-githubs-internal-repositories/
https://nx.dev/blog/nx-console-v18-95-0-postmortem
https://www.ox.security/blog/megalodon-cicd-malware-github/
https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised#indicators-of-compromise
https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/
This article was created with the assistance of AI technology by Perceptive.
