A wave of sophisticated supply chain attacks has put millions of software developers on high alert, with threat actors turning everyday developer tools into weapons for stealing credentials, cloud tokens, and source code.
What makes these campaigns especially alarming is how they exploit the very systems developers trust most: their editors, automated pipelines, and version control workflows. In some cases, the malware reached developer machines without any action on their part at all.
The attack unfolded across two interconnected campaigns. In the first, a poisoned version of the widely used Nx Console VS Code extension, version 18.95.0, was pushed to the Visual Studio Code Marketplace on May 18, 2026.
The extension had over 2.2 million installations, meaning the blast radius was immediately enormous. A GitHub employee’s device was among those compromised, which led to the unauthorized access and exfiltration of roughly 3,800 internal GitHub source code repositories.
Analysts at CISA identified the full scope of the threat and published an urgent alert on May 28, 2026, noting that threat actors were targeting CI/CD pipelines, code extensions, and cloud environments in a coordinated fashion.
CVE-2026-48027 was assigned to the malicious extension and added to CISA’s Known Exploited Vulnerabilities catalog. CISA said in a report shared with Cyber Security News (CSN) that organizations should treat any machine that ran the compromised extension as fully compromised.
The second campaign, known as “Megalodon,” ran in parallel. On May 18, an automated attacker pushed 5,718 malicious commits to 5,561 public GitHub repositories within a six-hour window.
The injected GitHub Actions workflows harvested CI/CD secrets, cloud credentials, SSH keys, and OIDC tokens, sending everything to a command-and-control server. Both campaigns show how modern software delivery pipelines have become high-value targets for credential-hungry threat actors.
The attacker first stole a contributor’s GitHub personal access token through a prior supply chain incident. Using that token, they planted a hidden orphan commit inside the official nrwl/nx GitHub repository, containing a 498 KB obfuscated JavaScript payload.
They then published the malicious extension to the VS Code Marketplace using stolen publishing credentials, embedding 2,777 bytes of injected code into the extension’s main file.
When any developer opened a workspace with the compromised extension installed, it silently fetched and executed the hidden payload in the background.
The payload ran six credential harvesting modules targeting GitHub tokens, AWS credentials, HashiCorp Vault secrets, Kubernetes configs, npm tokens, and 1Password vaults.
It also installed a Python backdoor on macOS that used the GitHub Search API as a dead-drop to receive signed remote commands, making it difficult to detect with standard firewall monitoring.
Megalodon’s Mass Repository Backdooring
The Megalodon campaign took a different but equally damaging approach. Using throwaway GitHub accounts with forged author identities like build-bot and auto-ci, the attacker pushed malicious workflow files disguised as routine CI maintenance commits.
The workflow names SysDiag and Optimize-Build were designed to look like standard automation tasks, tricking developers who casually reviewed their repository history.
The campaign deployed two payload variants. The mass variant added a new workflow triggered on every push and pull request, while the targeted variant replaced existing workflows with backdoors the attacker could fire on demand via the GitHub API.
One npm package, @tiledesk/tiledesk-server versions 2.18.6 through 2.18.12, carried the targeted variant and was published by the legitimate maintainer from the already-compromised repository without their knowledge.
CISA urges all affected organizations to audit workflow files for suspicious commits made after May 18, 2026, focusing on changes authored by automated accounts.
Any organization that ran the compromised Nx Console extension or found unauthorized workflow changes should conduct a full forensics review of CI/CD logs and cloud audit trails.
All credentials accessible to pipelines must be rotated, including API keys, cloud provider tokens for AWS, GCP, and Azure, SSH keys, Docker and Kubernetes tokens, and developer secrets.
CISA also recommends waiting at least three hours before pulling new packages, pinning dependencies to trusted versions, and only sourcing packages from verified repositories.
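As an added example, not code from the article or from CISA, the following Python script implements the workflow audit recommended above: it parses the output of `git log --since=2026-05-18 --name-only --format='%H%x00%an%x00%aI'`, keeps commits on or after May 18, 2026 that touch `.github/workflows/`, and flags those carrying the forged author names or the SysDiag / Optimize-Build workflow names from the IoC table. The sample log is constructed, and the regex for other automation-looking author names is my own heuristic.

```python
import re
from datetime import datetime, timezone

# Indicators from the article's IoC table; AUTOMATION_NAME is my own heuristic (assumption)
# for other automation-looking author names, which CISA says should be reviewed.
CUTOFF = datetime(2026, 5, 18, tzinfo=timezone.utc)
FORGED_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
MALICIOUS_WORKFLOWS = {"sysdiag", "optimize-build"}
WORKFLOW_DIR = ".github/workflows/"
AUTOMATION_NAME = re.compile(r"(?:^|[-_])(?:bot|ci)$", re.IGNORECASE)

def parse_log(text):
    """Parse `git log --name-only --format='%H%x00%an%x00%aI'` output into dicts."""
    commits = []
    for line in text.splitlines():
        if "\x00" in line:  # header: sha NUL author-name NUL ISO-8601 author date
            sha, author, date = line.split("\x00")
            commits.append({"sha": sha, "author": author, "paths": [],
                            "date": datetime.fromisoformat(date)})
        elif line.strip() and commits:  # a --name-only path belonging to the last header
            commits[-1]["paths"].append(line.strip())
    return commits

def audit(text, cutoff=CUTOFF):
    """Flag commits on/after cutoff that touch workflow files and match an indicator."""
    findings = []
    for c in parse_log(text):
        workflows = [p for p in c["paths"] if p.startswith(WORKFLOW_DIR)]
        if c["date"] < cutoff or not workflows:
            continue
        reasons = []
        if c["author"] in FORGED_AUTHORS:
            reasons.append(f"forged author name {c['author']!r}")
        elif AUTOMATION_NAME.search(c["author"]):
            reasons.append(f"automation-looking author {c['author']!r}")
        for w in workflows:
            stem = w[len(WORKFLOW_DIR):].rsplit(".", 1)[0].lower()
            if stem in MALICIOUS_WORKFLOWS:
                reasons.append(f"known malicious workflow name {w!r}")
        if reasons:
            findings.append({"sha": c["sha"], "author": c["author"], "paths": workflows,
                             "date": c["date"].isoformat(), "reasons": reasons})
    return findings

SAMPLE_LOG = (  # constructed sample, not real repository data; try print(audit(SAMPLE_LOG))
    "0f3a9c1\x00build-bot\x002026-05-18T09:12:44+00:00\n\n.github/workflows/SysDiag.yml\n\n"
    "c91f0aa\x00release-ci\x002026-05-20T02:47:05+00:00\n\n.github/workflows/ci.yml\nsrc/app.js\n\n"
    "5b6ee21\x00Jane Developer\x002026-05-10T11:00:00+00:00\n\n.github/workflows/Optimize-Build.yml\n"
)
```

Feed it real output with `audit(subprocess.check_output([...], text=True))`; a commit that touches workflows after the cutoff but matches no indicator is not reported, so treat the result as a triage queue, not a clean bill of health.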
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| CVE | CVE-2026-48027 | Assigned to malicious Nx Console v18.95.0 |
| Extension Version | nrwl.angular-console v18.95.0 | Compromised VS Code extension version |
| File Hash (SHA-256) | 1a4afce34918bdc74ae3f31edaffffaa0ee074d83618f53edfd88137927340b8 | Malicious VSIX package (v18.95.0) |
| File Hash (SHA-256) | b0cefb66b953e5184b6adb3035e9e267335ac5eabfe1848e07834777b9397b74 | Malicious main.js inside VSIX |
| File Hash (SHA-256) | e7347d90653efc565f03733a95e9209d78f9cfa81e31ff2b2dd9d48d75a4b8b1 | Obfuscated payload (index.js from orphan commit) |
| File Hash (SHA-256) | 43f2b001846c4966073ebffa5be8f15e491a1e7d32bbd805d57406ff540e0dd9 | Dropper package.json |
| File Hash (SHA-256) | 228a2cf081d4cbea9b91cde14a8f9c4a4d003e7f32431496953fd6bac266f5a3 | Clean VSIX v18.94.0 (reference) |
| File Hash (SHA-256) | cb86f4f223daa54467c7782a0d8607e9c84e2bb633e6f0e51d9a19579e200990 | Remediated VSIX v18.100.0 |
| Git SHA | 558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2 | Malicious orphan commit in nrwl/nx repo |
| Git SHA | ba642fe2c7c65e42dd7f6444b83023dc6827e08c | Orphan commit tree object |
| Git SHA | acfc3f957a63b4cde93ff645f2b6bf26a8ed1bbf | index.js blob in orphan commit |
| Git SHA | 9d88f040c44b5f4d5f9db15ff89310776c168e99 | package.json blob in orphan commit |
| Git Commit | acac5a9 | Megalodon malicious commit in tiledesk-server repo |
| C2 IP | 216[.]126[.]225[.]129:8443 | Megalodon C2 server for credential exfiltration |
| Author Email | [email protected] | Forged author identity used in Megalodon commits |
| Author Email | [email protected] | Forged author identity used in Megalodon commits |
| Author Names | build-bot, auto-ci, ci-bot, pipeline-bot | Fake automated author names used in malicious commits |
| npm Package | @tiledesk/tiledesk-server v2.18.6 to v2.18.12 | Compromised npm package containing Megalodon targeted variant |
| Workflow Name | SysDiag | Malicious GitHub Actions workflow (mass variant) |
| Workflow Name | Optimize-Build | Malicious GitHub Actions workflow (targeted/backdoor variant) |
| Network | api.github.com/search/commits?q=firedalazer | Python C2 dead-drop polling endpoint |
| Network | 169.254.169.254 | AWS IMDS credential theft endpoint |
| Network | 169.254.170.2 | ECS container credential endpoint |
| Network | 127.0.0.1:8200 | HashiCorp Vault local endpoint targeted |
| Network | fulcio.sigstore.dev / rekor.sigstore.dev | Targeted for Sigstore attestation forgery |
| File Path (macOS/Linux) | ~/.local/share/kitty/cat.py | Python C2 backdoor file |
| File Path (macOS) | ~/Library/LaunchAgents/com.user.kitty-monitor.plist | macOS LaunchAgent for persistence |
| File Path | /tmp/kitty-* | Temporary persistence staging directory |
| File Path | /var/tmp/.gh_update_state | C2 anti-replay state file |
| File Path (Windows) | %USERPROFILE%\.local\share\kitty\cat.py | Python C2 backdoor (Windows path) |
| File Path (Windows) | %USERPROFILE%\.bun\bin\bun.exe | Bun runtime installed for persistence |
| VS Code globalState Key | nxConsole.mcpExtensionInstalledSha set to 558b09d7... | Indicator of payload execution |
| Environment Variable | __DAEMONIZED=1 | Set on running daemon processes post-compromise |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.