CISA Sounds Alarm on CI/CD Pipeline Attacks: GitHub, Nx Console, and 'Megalodon' Campaign Targeted
The **Cybersecurity and Infrastructure Security Agency (CISA)** is prioritizing responses to software supply chain attacks targeting developer ecosystems. Recent incidents, including a **GitHub** compromise via a malicious **Nx Console** Visual Studio Code extension and the 'Megalodon' campaign, highlight the abuse of CI/CD pipelines and code workflows.
## Supply Chain Under Siege: CISA Responds to Emerging Threats
**CISA** is raising concerns about multiple emerging software supply chain intrusion campaigns specifically targeting developer ecosystems and Continuous Integration/Continuous Development (CI/CD) pipelines. These attacks are exploiting vulnerabilities in tools and processes that support enterprise, cloud, and DevOps environments.
### GitHub Compromised via Malicious VS Code Extension
Threat actors leveraged a prior compromise of **Nx** developer systems to compromise a **GitHub** employee's device through a poisoned third-party VS Code extension. This resulted in unauthorized access and exfiltration of internal **GitHub** repositories. The malicious extension, version 18.95.0 of **Nx Console**, was distributed via VS Code's automatic update mechanism. Systems with **Nx Console** previously installed may have received the malicious build without any manual action from developers.
**GitHub** released a [security advisory](https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w) regarding this incident, and **CVE-2026-48027** has been assigned to the malicious version of **Nx Console** and added to **CISA's Known Exploited Vulnerabilities (KEV) Catalog**.
### 'Megalodon' Campaign: Injecting Malicious Workflows
In a campaign dubbed 'Megalodon,' threat actors injected malicious **GitHub** Action workflows to harvest CI/CD secrets, cloud credentials, and tokens. This impacted both development and deployment pipelines in public **GitHub** repositories.
### CISA's Recommendations for Detection and Remediation
**CISA** urges organizations to implement the following recommendations to detect and remediate potential compromises:
* Monitor and audit workflow files and contributor activity for suspicious pull requests and direct commits, especially those authored by automated accounts.
* Revert unauthorized changes, particularly those from automated accounts (e.g., `build-bot`, `auto-ci`, `ci-bot`, `pipeline-bot`), especially those made after May 18, 2026.
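One way to put the two recommendations above into practice, as an added example that is not CISA's code: a small Python script that parses a git log of the workflow directory (the `--format` string and the `COMMIT|` record layout are assumptions) and triages workflow-file commits by the listed automated-account names and the May 18, 2026 date. The sample log is constructed.

```python
# Triage commits touching GitHub Actions workflow files (constructed example).
# Input: a git log produced with an assumed format string:
#   git log --name-only --format='COMMIT|%H|%an|%aI' -- .github/workflows
from datetime import datetime, timezone

CUTOFF = datetime(2026, 5, 18, tzinfo=timezone.utc)  # date named in the CISA guidance
AUTOMATED_ACCOUNTS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
WORKFLOW_DIR = ".github/workflows/"


def parse_log(text):
    """Return [(sha, author, when, [files])] from 'COMMIT|...' headers and paths."""
    commits = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("COMMIT|"):
            _, sha, author, when = line.split("|", 3)
            commits.append((sha, author, datetime.fromisoformat(when), []))
        elif line and commits:
            commits[-1][3].append(line)  # file path belongs to the last header
    return commits


def triage(commits):
    """Return {sha: severity} for commits that changed a workflow file."""
    findings = {}
    for sha, author, when, files in commits:
        if not any(f.startswith(WORKFLOW_DIR) for f in files):
            continue  # not a workflow change; outside this check's scope
        by_bot = author in AUTOMATED_ACCOUNTS
        after_cutoff = when >= CUTOFF
        if by_bot and after_cutoff:
            findings[sha] = "high"    # both indicators from the guidance
        elif by_bot or after_cutoff:
            findings[sha] = "medium"  # one indicator; review by hand
    return findings


# Constructed sample log, not data from any real repository.
SAMPLE_LOG = """\
COMMIT|a1b2c3|ci-bot|2026-05-20T10:15:00+00:00
.github/workflows/build.yml
COMMIT|d4e5f6|alice|2026-05-19T09:00:00+00:00
src/app.py
COMMIT|0f9e8d|build-bot|2026-05-10T12:00:00+00:00
.github/workflows/release.yml
README.md
COMMIT|77aa11|bob|2026-05-21T08:30:00+00:00
.github/workflows/deploy.yml
"""
```

Running `triage(parse_log(SAMPLE_LOG))` yields the three workflow-touching commits with a severity each; a commit that only changed `src/app.py` is ignored.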
### Incident Response Steps
If your organization discovers a compromise resulting from previously compromised **GitHub** or **Nx Console** software, **CISA** recommends these steps:
* Conduct a forensics review of CI/CD logs, cloud audit trails, and affected developer machines.
* Rotate/revoke all secrets, including credentials, tokens, and secrets accessible to CI/CD pipelines, such as API keys, cloud provider credentials (**Amazon Web Services**, **Google Cloud Platform**, **Microsoft Azure**), SSH keys, **Docker**/**npm**/**PyPI**/**Vault**/**Terraform**/**Kubernetes** tokens, **GitHub**/**GitLab**/**Bitbucket** tokens, and developer or pipeline secrets.
* Notify relevant stakeholders as necessary.
### Best Practices for Package Repositories
**CISA** recommends these best practices for using package repositories:
* Wait at least three hours before pulling a new package to allow the software community time to identify suspicious or malicious packages.
* Pin software to specific trusted versions to prevent pulling a malicious or unscreened package during the build process.
* Only pull packages from known and trusted sources to reduce the likelihood of downloading a maliciously forked package.
### Resources
Refer to these resources for more information on these compromises:
* GitHub: [Investigating unauthorized access to GitHub-owned repositories](https://github.blog/security/investigating-unauthorized-access-to-githubs-internal-repositories/)
* Nx: [Postmortem: Nx Console v18.95.0 supply-chain compromise](https://nx.dev/blog/nx-console-v18-95-0-postmortem)
* Ox Security: [Megalodon: CI/CD Malware Spreading Across GitHub Repositories](https://www.ox.security/blog/megalodon-cicd-malware-github/)
* StepSecurity: [Nx Console VS Code Extension Compromised](https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised#indicators-of-compromise)
* SafeDep: [Megalodon: Mass GitHub Repo Backdooring via CI Workflows](https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/)
## Disclaimer
The information in this report is provided "as is" for informational purposes only. **CISA** does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document.