Critical Supply Chain Compromise via Malicious Nx Console VS Code Extension (CVE‑2026‑48027) Threatens CI/CD Pipelines and GitHub Repositories
What It Is — A malicious version of the Nx Console extension for Visual Studio Code (v18.95.0) was pushed through VS Code’s automatic update channel, giving threat actors a foothold on developer workstations. The compromised extension was used to access a GitHub employee’s device and exfiltrate internal repositories. In parallel, the “Megalodon” campaign injected malicious GitHub Action workflows to harvest CI/CD secrets, cloud credentials, and tokens from public and private repositories.
Exploitability — The vulnerability is actively exploited in the wild; CISA has assigned CVE‑2026‑48027 and added it to the Known Exploited Vulnerabilities (KEV) catalog. No separate proof‑of‑concept is required beyond the malicious extension distribution.
Affected Products — Nx Console VS Code extension (v18.95.0); GitHub repositories and GitHub Actions workflows; any CI/CD pipelines that consume the compromised extension or run the injected actions.
TPRM Impact — Supply‑chain intrusion can cascade to downstream vendors, exposing secrets that power cloud, SaaS, and on‑prem deployments. Third‑party risk assessments must now evaluate the integrity of developer tooling, the trustworthiness of third‑party extensions, and the potential for credential leakage across the software supply chain.
Recommended Actions —
- Immediately block and uninstall Nx Console v18.95.0 from all developer machines.
- Audit all GitHub Action workflow files for unauthorized changes, focusing on commits from automated accounts (
build‑bot,ci‑bot,pipeline‑bot, etc.) after May 18 2026. - Revoke and rotate every secret used in CI/CD pipelines: API keys, cloud provider credentials (AWS, GCP, Azure), SSH keys, Docker/npm/PyPI/Vault/Terraform/Kubernetes tokens, and GitHub/GitLab/Bitbucket tokens.
- Conduct a forensic review of CI/CD logs, cloud audit trails, and affected developer endpoints.
- Adopt supply‑chain hardening best practices: enforce a minimum three‑hour delay before pulling new packages and pin dependencies to known‑good versions.
Source: CISA Advisory – Supply Chain Compromises Impact Nx Console and GitHub Repositories