
CISA Warning: Nx Console / GitHub Supply Chain Compromise — CVE-2026-48027 on KEV, Megalodon Campaign Confirmed, Federal Deadline June 10

🚨 CISA ADVISORY — May 28, 2026 · KEV Federal Deadline June 10, 2026: CISA formally warned all organizations to audit developer systems for Nx Console / GitHub supply chain compromise. CVE-2026-48027 (malicious Nx Console v18.95.0) and CVE-2026-45321 (TanStack) are both on the CISA KEV catalog. If Nx Console was installed on any developer machine before May 18, rotate all credentials now. Review CI/CD logs for activity after May 18. Look for automated account commits from: build-bot · auto-ci · ci-bot · pipeline-bot.
CISA formally warned all organizations on May 28, 2026. Two CVEs on the KEV catalog. One federal deadline: June 10. | DataWater Threat Brief, May 29, 2026

Primary sources: CISA Official Advisory May 28, 2026 · GitHub CISO Alexis Wales · The Hacker News · Help Net Security · Cybersecurity Dive · SANS ISC Diary (Kenneth Hartman) · Rescana Technical Analysis · Windows Forum · FDAYTalk · Enterprise DNA · Microsoft Security Blog | CVEs: CVE-2026-48027 (Nx Console v18.95.0) · CVE-2026-45321 (TanStack, CVSS 9.6) | Threat actor: TeamPCP / UNC6780 | Campaigns: Mini Shai-Hulud + Megalodon

CISA makes it official — this is a national security event

On May 28, 2026, the U.S. Cybersecurity and Infrastructure Security Agency issued a formal advisory titled “Supply Chain Compromises Impact Nx Console and GitHub Repositories” — officially elevating what DataWater first reported on May 21 from a major industry breach to a government-mandated response event. Both CVE-2026-48027 (the malicious Nx Console v18.95.0 extension) and CVE-2026-45321 (the TanStack npm compromise) have been added to CISA’s Known Exploited Vulnerabilities catalog, with a federal remediation deadline of June 10, 2026 under Binding Operational Directive 22-01.

The advisory covers two simultaneous attack campaigns that CISA has now formally linked: the Nx Console / GitHub breach by TeamPCP (UNC6780) as part of the Mini Shai-Hulud operation, and a parallel campaign called Megalodon — a separate operation targeting GitHub Actions workflows to harvest CI/CD secrets, cloud credentials, and tokens at pipeline scale. Together, these represent the most comprehensive documented attack on the software development supply chain since SolarWinds.

| Field | Detail |
| --- | --- |
| CISA Advisory date | May 28, 2026 |
| CVE-2026-48027 | Malicious Nx Console v18.95.0 — CISA KEV added May 27, 2026 |
| CVE-2026-45321 | TanStack npm supply chain compromise — CVSS 9.6 Critical |
| Federal deadline | June 10, 2026 (BOD 22-01) |
| Threat actor | TeamPCP — Google TIG tracks as UNC6780 |
| Campaign 1 | Mini Shai-Hulud — VS Code extension + npm ecosystem compromise |
| Campaign 2 | Megalodon — GitHub Actions workflow injection targeting CI/CD pipelines |
| Malicious extension | Nx Console v18.95.0 · publisher: nrwl.angular-console · verified publisher badge |
| Live window | 18 minutes — May 18, 2026, 12:30–12:48 UTC |
| Install base exposed | ~2.2 million Nx Console installs |
| GitHub breach scope | ~3,800 internal repositories exfiltrated |
| Confirmed victims | GitHub · OpenAI · Mistral AI · Grafana Labs · UiPath · Guardrails AI · OpenSearch |
| Credentials targeted | GitHub tokens · AWS · npm · 1Password · Claude Code · Azure / GCP · CI/CD secrets · SSH keys · macOS Keychain |
| macOS persistence | Yes — LaunchAgent backdoor survives extension removal |
| Copycat activity | TeamPCP open-sourced its attack framework; copycat groups actively hitting GitHub repos as of May 28 |
| Safe Nx Console version | v18.100.0 or later |

New from CISA: the Megalodon campaign

While the Nx Console / GitHub breach received the most public attention, CISA’s advisory formally documents a second simultaneous operation. In Megalodon, attackers injected malicious GitHub Actions workflow files directly into public GitHub repositories — targeting the CI/CD pipeline itself rather than individual developer machines. These workflows were designed to harvest secrets from the pipeline execution environment: CI/CD tokens, cloud credentials (AWS, Azure, GCP), and authentication keys stored in environment variables during pipeline runs, then exfiltrate them to attacker-controlled infrastructure.

CISA specifically flagged a pattern of suspicious commits and pull requests from automated accounts with names including build-bot, auto-ci, ci-bot, and pipeline-bot — the naming conventions used by Megalodon’s automated tooling to blend in with legitimate CI/CD automation accounts. Any such activity modifying workflow files after May 18, 2026 should be treated as a confirmed Megalodon indicator until proven otherwise.

The strategic significance of Megalodon running simultaneously with the Nx Console campaign is architectural: the two operations attacked every layer of the developer trust chain in parallel. The Nx Console attack harvested credentials held locally on developer machines. Megalodon harvested secrets injected at runtime in CI/CD pipelines. An organization that rotated developer machine credentials but did not audit its pipeline workflow files may have incomplete remediation — and credentials exfiltrated through Megalodon still live in attacker hands.

The complete attack chain: TanStack to GitHub’s internal codebase

The CISA advisory combined with technical analyses from Rescana, SANS ISC, and the Microsoft Security Blog now provides a fully documented attack chain across five stages spanning three weeks:

Stage 1 — TanStack GitHub Actions cache poisoning (May 11)

TeamPCP exploited a pull_request_target workflow misconfiguration at TanStack — a common GitHub Actions security gap that grants elevated repository permissions to pull requests from external forks. Through GitHub Actions cache poisoning, they injected a malicious pnpm store into TanStack’s shared workflow cache, gaining CI/CD publishing credentials that allowed them to push 84 malicious versions across 42 @tanstack npm packages simultaneously. The embedded credential-stealing worm propagated to downstream packages in @mistralai, @uipath, @squawk, and guardrails-ai namespaces — none of which were direct targets, all of which were compromised through their dependency on @tanstack packages.

Stage 2 — Narwhal Technologies developer device compromise (May 11–18)

Among the developer machines that installed compromised TanStack packages was one belonging to an employee at Narwhal Technologies — the company behind the Nx build system and Nx Console VS Code extension. That developer’s GitHub token carried publisher access to the Nx Console extension on the Visual Studio Marketplace. TeamPCP extracted this token from the compromised machine, then used it to push a malicious orphan commit and stage the publication of Nx Console v18.95.0.

Stage 3 — The 18-minute VS Code Marketplace window (May 18, 12:30–12:48 UTC)

At 12:30 UTC on May 18, Nx Console v18.95.0 appeared on the Visual Studio Marketplace under the verified nrwl.angular-console publisher badge — giving it immediate automatic trust with VS Code’s update mechanism. For exactly 18 minutes, VS Code silently distributed the malicious build to any machine with Nx Console installed and VS Code running. The Marketplace had no review gate, no update delay, and no pre-publication security scanning. The payload harvested the full credential list above and established a persistent LaunchAgent backdoor on macOS machines. Among the compromised machines was one belonging to a GitHub employee.

Stage 4 — GitHub internal repository exfiltration (May 18–20)

Using credentials from the compromised GitHub employee’s machine, TeamPCP accessed GitHub’s internal infrastructure and exfiltrated approximately 3,800 private repositories. The SANS ISC diary documented an additional escalation not previously publicly reported: TeamPCP simultaneously trojanized an officially Microsoft-published Python SDK during the same window. GitHub CISO Alexis Wales confirmed the breach on May 20. CVE-2026-48027 was assigned to the malicious Nx Console version and added to CISA’s KEV catalog on May 27.

Stage 5 — Megalodon + copycat activity (May 18–28)

Simultaneously with the Nx Console campaign, Megalodon targeted public GitHub repositories with injected Actions workflows, harvesting pipeline-layer secrets at scale. By May 25, SANS ISC documented that TeamPCP had open-sourced its own attack framework on GitHub — effectively publishing its tools for wider adoption. By May 28, Windows Forum confirmed a TeamPCP copycat was already active, hitting thousands of additional GitHub repositories with infostealers derived from the published framework. The campaign is no longer contained to a single threat actor.

TeamPCP’s full 2026 timeline: seven waves, three ecosystems

CISA formally names TeamPCP as the threat actor. The SANS ISC analysis documents seven confirmed attack waves since March 2026, showing the group now operates across npm, PyPI, and VS Code Marketplace simultaneously:

  • March 2026 — Trivy (container security scanner) — CI/CD credential theft from security scanning pipelines
  • March–April 2026 — Checkmarx KICS Docker images — malicious images distributed via Docker Hub
  • April 2026 — LiteLLM · Telnyx · Bitwarden CLI — AI middleware and credential management tools
  • April 30, 2026 — PyTorch Lightning — DataWater Article #1; malicious PyPI packages with worm payload
  • May 11–14, 2026 — TanStack npm — 84 malicious package versions, 160+ downstream packages infected
  • May 18, 2026 — Nx Console VS Code — 18-minute window, GitHub / OpenAI / Mistral AI / Grafana Labs breached
  • May 18–28, 2026 — @antv npm + Microsoft Python SDK + open-sourced attack framework + copycat activity

CISA forensic audit checklist — run this now

Developer machine checks

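# Check installed Nx Console version
# (the extension ID is nrwl.angular-console, which a bare "nx" match does not catch)
code --list-extensions --show-versions | grep -iE 'nx|angular-console'
# 18.95.0 = compromised · Safe: 18.100.0+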

# Check for macOS persistence backdoors (LaunchAgents)
ls -la ~/Library/LaunchAgents/ /Library/LaunchAgents/ /Library/LaunchDaemons/
# Look for entries created ~May 18, 2026

# Check npm token exposure
cat ~/.npmrc | grep authToken

# Check for AWS credential files
ls -la ~/.aws/credentials ~/.aws/config

# Check Claude Code configuration directory for API keys
ls -la ~/.claude/ ~/Library/Application\ Support/claude/
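
A version check that matches on the extension ID and compares the version numerically, as an added example that is not from the CISA advisory or this article's sources. It assumes the `publisher.name@version` line format printed by `code --list-extensions --show-versions`; the function names and the sample input are constructed.

```shell
#!/bin/sh
# Added example. Usage on a real machine:
#   code --list-extensions --show-versions | nx_console_status
# Versions are compared component by component: as plain strings,
# "18.95.0" sorts after "18.100.0" and a naive check gets it wrong.
# OK only means the installed build is a fixed one now. It does not
# show that the machine never ran 18.95.0 (auto-update may have replaced it).
nx_console_status() {
  awk -F'@' '
    tolower($1) == "nrwl.angular-console" {
      found = 1
      split($2, v, ".")
      if ($2 == "18.95.0") {
        state = "COMPROMISED"
      } else if (v[1] + 0 > 18 || (v[1] + 0 == 18 && v[2] + 0 >= 100)) {
        state = "OK"
      } else {
        state = "UPDATE"
      }
      print state, $2
    }
    END { if (!found) print "NOT_INSTALLED" }'
}

# Constructed sample of the extension listing (not captured from a real host).
sample_extensions() {
  printf '%s\n' 'dbaeumer.vscode-eslint@3.0.10' 'nrwl.angular-console@18.95.0'
}

sample_extensions | nx_console_status
```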

CI/CD pipeline and workflow checks

# Search workflow files for suspicious outbound steps (Megalodon pattern)
grep -rE "curl|wget|nc |bash -i|/dev/tcp" .github/workflows/

# Check git log for unauthorized workflow modifications after May 18
git log --since="2026-05-18" --all -- .github/workflows/

# Search for Megalodon automated account commits
git log --all --since="2026-05-18" | grep -iE "build-bot|auto-ci|ci-bot|pipeline-bot"

# Review environment variable access in recent pipeline runs
# Check GitHub Actions → Workflow runs → inspect each run's logs for unexpected steps
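
The workflow-history checks above combined into one triage pass, as an added example that is not part of the CISA advisory: it reads `git log` output restricted to `.github/workflows/` and tests the author and committer names rather than the whole log text. The `C` line marker, the function names and the sample commits are constructed for illustration.

```shell
#!/bin/sh
# Added example. Usage inside a repository:
#   git log --all --since=2026-05-18 --name-only \
#     --format='C%x09%h%x09%an%x09%cn%x09%cI' -- .github/workflows/ \
#     | triage_workflow_commits
# Prints one tab-separated line per changed workflow file:
#   FLAG   = author or committer name matches a bot name listed on this page
#   REVIEW = any other workflow change in the window (account names are
#            easy to change, so these still need a human look)
triage_workflow_commits() {
  awk -F'\t' '
    BEGIN { bots = "build-bot|auto-ci|ci-bot|pipeline-bot" }
    $1 == "C" { sha = $2; author = $3; committer = $4; when = $5; next }
    NF == 0   { next }                       # blank separator lines
    {
      verdict = (tolower(author " " committer) ~ bots) ? "FLAG" : "REVIEW"
      printf "%s\t%s\t%s\t%s\t%s\n", verdict, sha, when, author, $0
    }'
}

# Constructed sample of the git log output (hypothetical commits).
sample_log() {
  printf 'C\t1a2b3c4\tJane Dev\tGitHub\t2026-05-19T09:14:02Z\n\n'
  printf '.github/workflows/ci.yml\n'
  printf 'C\t5d6e7f8\tpipeline-bot\tpipeline-bot\t2026-05-20T03:41:55Z\n\n'
  printf '.github/workflows/release.yml\n.github/workflows/ci.yml\n'
  printf 'C\t9a0b1c2\tJane Dev\tCI-Bot\t2026-05-21T11:00:10Z\n\n'
  printf '.github/workflows/docs.yml\n'
}

sample_log | triage_workflow_commits
```

The third sample commit is flagged on its committer name alone, a case the author-only view in most web UIs does not show.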

Cloud audit trail checks

  • AWS: Review CloudTrail for API calls from unfamiliar IPs or at unusual times since May 11, 2026. Check for new IAM users, roles, or access keys created after May 11.
  • Azure: Review Activity Log for unauthorized service principal activity or unexpected resource access since May 11.
  • GCP: Review Cloud Audit Logs for unexpected service account usage or storage access since May 11.

Full remediation steps

  1. Update Nx Console to v18.100.0 or later immediately. VS Code → Extensions → search “Nx Console” → Update. Verify the installed version is 18.100.0+. Do not continue using v18.95.0 under any circumstances.
  2. Rotate all credentials on every potentially exposed developer machine. GitHub personal access tokens, GitHub CLI auth, npm tokens, AWS access keys, Azure service principal credentials, GCP service account keys, 1Password vault master password, Claude Code API keys, and SSH private keys. There is no safe subset to skip — the payload specifically targeted all of these categories.
  3. Remove macOS persistence backdoors explicitly. Extension removal alone is insufficient. Inspect and remove any LaunchAgent or LaunchDaemon entries created around May 18, 2026. Confirm with an EDR full scan after removal.
  4. Disable VS Code extension auto-update as an interim policy. Set extensions.autoUpdate: false and extensions.autoCheckUpdates: false. Review all extension updates manually before applying — this is the single architectural change that would have prevented this attack from reaching GitHub’s infrastructure.
  5. Audit all GitHub Actions workflow files for Megalodon-style injection. Run the git log and grep commands above. Revert any workflow file changes from unrecognized automated accounts made after May 18, 2026. Specifically check for injected steps reading environment variables or making outbound network requests.
  6. Rotate all CI/CD pipeline secrets in repositories whose pipelines ran after May 18 with access to sensitive environment variables — even if the workflow files themselves were not modified. Megalodon targeted runtime-injected secrets, not just workflow code.
  7. Review your published npm and PyPI packages for unexpected version bumps, modified preinstall/postinstall scripts, or new files if any compromised machine had publish access. Yank unauthorized versions immediately and notify downstream users.
  8. Federal agencies: comply with BOD 22-01 by June 10, 2026 for both CVE-2026-48027 and CVE-2026-45321. Document remediation status and report to CISA per directive requirements.

The structural lesson: automated trust is the attack surface

CISA’s advisory closes with an observation that the Windows Forum analysis captured best: “The story CISA is telling is bigger than Nx Console, bigger than GitHub, and bigger than any one malicious version number. Attackers are moving further upstream, away from the familiar target of finished packages and toward the automation, editor plugins, identities, and workflow files that decide what software becomes trusted in the first place.”

VS Code auto-update distributed the malicious extension without developer review. GitHub Actions workflows execute automatically on push events. npm install scripts run without sandboxing by default. CI/CD pipelines inject secrets into environment variables accessible to any workflow step. Each of these automation features is rational and valuable. Each of them was weaponized in this campaign. The next phase of supply chain defense requires making the automated path narrower, more observable, and less generous with secrets — before the next poisoned update or bot-shaped commit turns routine engineering into the initial access vector for the next major breach.



DataWater publishes daily cybersecurity intelligence for enterprise and government security leaders. Article #18 — May 29, 2026. This article supersedes and expands Article #15 (May 21). Previous: CVE-2026-34926 Trend Micro Apex One (May 26) · Verizon DBIR 2026 (May 26) · MiniPlasma Windows zero-day (May 19) · CVE-2026-42897 Exchange OWA (May 19) · Fragnesia CVE-2026-46300 (May 18) · CVE-2026-20182 Cisco SD-WAN CVSS 10.0 (May 16).
