HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Critical Supply Chain Compromise via Malicious Nx Console VS Code Extension (CVE‑2026‑48027) Threatens CI/CD Pipelines and GitHub Repositories

CISA reports that a malicious Nx Console VS Code extension (CVE‑2026‑48027) was distributed via automatic updates, enabling attackers to compromise a GitHub employee’s device and exfiltrate internal repositories. A concurrent “Megalodon” campaign injected malicious GitHub Action workflows to steal CI/CD secrets, posing a broad supply‑chain risk for developers and their downstream vendors.

LiveThreat™ Intelligence · 📅 May 29, 2026· 📰 cisa.gov
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
cisa.gov

Critical Supply Chain Compromise via Malicious Nx Console VS Code Extension (CVE‑2026‑48027) Threatens CI/CD Pipelines and GitHub Repositories

What It Is — A malicious version of the Nx Console extension for Visual Studio Code (v18.95.0) was pushed through VS Code’s automatic update channel, giving threat actors a foothold on developer workstations. The compromised extension was used to access a GitHub employee’s device and exfiltrate internal repositories. In parallel, the “Megalodon” campaign injected malicious GitHub Action workflows to harvest CI/CD secrets, cloud credentials, and tokens from public and private repositories.

Exploitability — The vulnerability is actively exploited in the wild; CISA has assigned CVE‑2026‑48027 and added it to the Known Exploited Vulnerabilities (KEV) catalog. No separate proof‑of‑concept is required beyond the malicious extension distribution.

Affected Products — Nx Console VS Code extension (v18.95.0); GitHub repositories and GitHub Actions workflows; any CI/CD pipelines that consume the compromised extension or run the injected actions.

TPRM Impact — Supply‑chain intrusion can cascade to downstream vendors, exposing secrets that power cloud, SaaS, and on‑prem deployments. Third‑party risk assessments must now evaluate the integrity of developer tooling, the trustworthiness of third‑party extensions, and the potential for credential leakage across the software supply chain.

Recommended Actions

  • Immediately block and uninstall Nx Console v18.95.0 from all developer machines.
  • Audit all GitHub Action workflow files for unauthorized changes, focusing on commits from automated accounts (build‑bot, ci‑bot, pipeline‑bot, etc.) after May 18 2026.
  • Revoke and rotate every secret used in CI/CD pipelines: API keys, cloud provider credentials (AWS, GCP, Azure), SSH keys, Docker/npm/PyPI/Vault/Terraform/Kubernetes tokens, and GitHub/GitLab/Bitbucket tokens.
  • Conduct a forensic review of CI/CD logs, cloud audit trails, and affected developer endpoints.
  • Adopt supply‑chain hardening best practices: enforce a minimum three‑hour delay before pulling new packages and pin dependencies to known‑good versions.

Source: CISA Advisory – Supply Chain Compromises Impact Nx Console and GitHub Repositories

📰 Original Source
https://www.cisa.gov/news-events/alerts/2026/05/28/supply-chain-compromises-impact-nx-console-and-github-repositories

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →