CISA urges security teams to check for software development compromises


The Cybersecurity and Infrastructure Security Agency on Thursday warned that hackers targeted software development pipelines in recent weeks and urged security teams to check for potential compromise of their environments. 

CISA referenced two recent campaigns, including the “Megalodon” supply chain attack and a GitHub compromise through a malicious Nx Console Visual Studio Code extension. 

The Megalodon attack on May 18 involved hackers injecting malicious GitHub Actions workflows into more than 5,500 open-source repositories, according to a blog post by StepSecurity. Repositories with weak branch protection were targeted, resulting in a large-scale theft of cloud credentials, API tokens, SSH keys and other secrets.

The GitHub attack involved the compromise of a GitHub employee’s device using a poisoned third-party VS Code extension. The attack on the GitHub employee leveraged a previous compromise of Nx developer systems, CISA said.

A malicious version of Nx Console, 18.95.0, was published on May 19 and remained available in the Visual Studio Marketplace for about 18 minutes. The issue has been assigned CVE-2026-48027, and GitHub released a related security advisory.

Check for suspicious requests

CISA is urging security teams to monitor and audit their workflow files and contributor activity. Attention should be paid to suspicious pull requests or direct commits, specifically any coming from an automated account.

Security teams should revert any unauthorized changes, CISA advised, and check for anything that came in after May 18. 
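
One way to run the audit described above, as an added example rather than code from CISA or the article: the script lists commits that touched `.github/workflows` on or after the cutoff and puts automated-looking authors first. The year 2026, the `[bot]` heuristic, the record layout and the sample log are assumptions made for this example.

```python
import subprocess
from datetime import datetime, timezone

# "After May 18" comes from the advisory; the year is an assumption.
CUTOFF = datetime(2026, 5, 18, tzinfo=timezone.utc)
# Record layout chosen for this example: 0x01 starts a commit, NUL splits fields.
GIT_LOG = ["git", "log", "--all", "--name-only",
           "--format=%x01%H%x00%an%x00%ae%x00%ct", "--", ".github/workflows"]

def looks_automated(name, email):
    # Heuristic: GitHub App identities end in "[bot]", e.g. "dependabot[bot]".
    return "[bot]" in f"{name} {email}".lower()

def workflow_changes(log_text, cutoff=CUTOFF):
    """Commits at or after cutoff that touched workflow files, bots first."""
    findings = []
    for record in log_text.split("\x01")[1:]:
        header, *rest = record.split("\n")
        sha, name, email, ts = header.split("\x00")
        when = datetime.fromtimestamp(int(ts), timezone.utc)
        if when >= cutoff:
            findings.append({"sha": sha, "author": name, "email": email,
                             "when": when.isoformat(),
                             "files": [p for p in rest if p.strip()],
                             "automated": looks_automated(name, email)})
    # Commit dates are written by the committer and can be backdated,
    # so this list is a triage aid, not proof that older history is clean.
    return sorted(findings, key=lambda f: not f["automated"])

def _record(sha, name, email, when, path):
    ts = int(when.replace(tzinfo=timezone.utc).timestamp())
    return f"\x01{sha}\x00{name}\x00{email}\x00{ts}\n\n{path}\n"

# Constructed sample in the GIT_LOG layout; hashes and identities are made up.
SAMPLE_LOG = (
    _record("c3c3c3", "Dana Dev", "dana@example.org",
            datetime(2026, 5, 20, 14, 5), ".github/workflows/release.yml")
    + _record("b2b2b2", "build-helper[bot]", "build-helper[bot]@example.org",
              datetime(2026, 5, 19, 3, 12), ".github/workflows/ci.yml")
    + _record("a1a1a1", "Alice Dev", "alice@example.org",
              datetime(2026, 5, 2, 9, 0), ".github/workflows/ci.yml")
)

if __name__ == "__main__":  # run inside a clone to audit the real history
    out = subprocess.run(GIT_LOG, capture_output=True, text=True,
                         errors="replace", check=True).stdout
    for f in workflow_changes(out):
        tag = "AUTOMATED" if f["automated"] else "review"
        print(f"[{tag}] {f['sha'][:12]} {f['when']} {f['author']} "
              f"<{f['email']}> {', '.join(f['files'])}")
```

Each listed commit still needs a manual diff review against the last known-good workflow file before anything is reverted.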

If a compromise is found in connection with a previously compromised Nx Console or GitHub account, CISA suggests the following:

  • Undertake a forensics review of continuous integration/continuous delivery logs, impacted developer machines and cloud audit trails. 
  • Rotate or revoke secrets, including credentials, tokens and secrets related to CI/CD pipelines. 
