
CISA Warning: Nx Console / GitHub Supply Chain Compromise — CVE-2026-48027 on KEV, Megalodon Campaign Confirmed, Federal Deadline June 10

🚨 CISA ADVISORY — May 28, 2026 · KEV Federal Deadline June 10, 2026: CISA formally warned all organizations to audit developer systems for Nx Console / GitHub supply chain compromise. CVE-2026-48027 (malicious Nx Console v18.95.0) and CVE-2026-45321 (TanStack) are both on the CISA KEV catalog. If Nx Console was installed on any developer machine before May 18, rotate all credentials now. Review CI/CD logs for activity after May 18. Look for automated account commits from: build-bot · auto-ci · ci-bot · pipeline-bot.
CISA formally warned all organizations on May 28, 2026. Two CVEs on the KEV catalog. One federal deadline: June 10. | DataWater Threat Brief, May 29, 2026

Primary sources: CISA Official Advisory May 28, 2026 · GitHub CISO Alexis Wales · The Hacker News · Help Net Security · Cybersecurity Dive · SANS ISC Diary (Kenneth Hartman) · Rescana Technical Analysis · Windows Forum · FDAYTalk · Enterprise DNA · Microsoft Security Blog | CVEs: CVE-2026-48027 (Nx Console v18.95.0) · CVE-2026-45321 (TanStack, CVSS 9.6) | Threat actor: TeamPCP / UNC6780 | Campaigns: Mini Shai-Hulud + Megalodon

CISA makes it official — this is a national security event

On May 28, 2026, the U.S. Cybersecurity and Infrastructure Security Agency issued a formal advisory titled “Supply Chain Compromises Impact Nx Console and GitHub Repositories” — officially elevating what DataWater first reported on May 21 from a major industry breach to a government-mandated response event. Both CVE-2026-48027 (the malicious Nx Console v18.95.0 extension) and CVE-2026-45321 (the TanStack npm compromise) have been added to CISA’s Known Exploited Vulnerabilities catalog, with a federal remediation deadline of June 10, 2026 under Binding Operational Directive 22-01.

The advisory covers two simultaneous attack campaigns that CISA has now formally linked: the Nx Console / GitHub breach by TeamPCP (UNC6780) as part of the Mini Shai-Hulud operation, and a parallel campaign called Megalodon — a separate operation targeting GitHub Actions workflows to harvest CI/CD secrets, cloud credentials, and tokens at pipeline scale. This campaign is the culmination of a months-long attacker operation that DataWater first documented when it targeted PyTorch Lightning on April 30 and then BufferZoneCorp’s Ruby gems and Go modules on May 2. Together, these represent the most comprehensive documented attack on the software development supply chain since SolarWinds.

Field | Detail
CISA Advisory date | May 28, 2026
CVE-2026-48027 | Malicious Nx Console v18.95.0 — CISA KEV added May 27, 2026
CVE-2026-45321 | TanStack npm supply chain compromise — CVSS 9.6 Critical
Federal deadline | June 10, 2026 (BOD 22-01)
Threat actor | TeamPCP — Google TIG tracks as UNC6780
Campaign 1 | Mini Shai-Hulud — VS Code extension + npm ecosystem compromise
Campaign 2 | Megalodon — GitHub Actions workflow injection targeting CI/CD pipelines
Malicious extension | Nx Console v18.95.0 · publisher: nrwl.angular-console · verified publisher badge
Live window | 18 minutes — May 18, 2026, 12:30–12:48 UTC
Install base exposed | ~2.2 million Nx Console installs
GitHub breach scope | ~3,800 internal repositories exfiltrated
Confirmed victims | GitHub · OpenAI · Mistral AI · Grafana Labs · UiPath · Guardrails AI · OpenSearch
Credentials targeted | GitHub tokens · AWS · npm · 1Password · Claude Code · Azure / GCP · CI/CD secrets · SSH keys · macOS Keychain
macOS persistence | Yes — LaunchAgent backdoor survives extension removal
Copycat activity | TeamPCP open-sourced its attack framework; copycat groups actively hitting GitHub repos as of May 28
Safe Nx Console version | v18.100.0 or later

New from CISA: the Megalodon campaign

While the Nx Console / GitHub breach received the most public attention, CISA’s advisory formally documents a second simultaneous operation. In Megalodon, attackers injected malicious GitHub Actions workflow files directly into public GitHub repositories — targeting the CI/CD pipeline itself rather than individual developer machines. These workflows were designed to harvest secrets from the pipeline execution environment: CI/CD tokens, cloud credentials (AWS, Azure, GCP), and authentication keys stored in environment variables during pipeline runs, then exfiltrate them to attacker-controlled infrastructure.

CISA specifically flagged a pattern of suspicious commits and pull requests from automated accounts with names including build-bot, auto-ci, ci-bot, and pipeline-bot. Any such activity modifying workflow files after May 18, 2026 should be treated as a confirmed Megalodon indicator until proven otherwise. This type of CI/CD credential harvesting is exactly what DataWater described in our deep-dive on secrets management failures in enterprise infrastructure — credentials injected into pipeline environment variables are among the most consistently over-exposed and under-protected assets in software organizations.

The strategic significance of Megalodon running simultaneously with the Nx Console campaign is architectural: the two operations attacked every layer of the developer trust chain in parallel. The Nx Console attack harvested credentials held locally on developer machines. Megalodon harvested secrets injected at runtime in CI/CD pipelines. An organization that rotated developer machine credentials but did not audit its pipeline workflow files may have incomplete remediation. This two-layer approach is consistent with the third-party and supply chain risk patterns we document — attackers increasingly chain multiple trust relationships to maximize credential coverage.

The complete attack chain: TanStack to GitHub’s internal codebase

The CISA advisory combined with technical analyses from Rescana, SANS ISC, and the Microsoft Security Blog now provides a fully documented attack chain across five stages spanning three weeks. DataWater covered the full original technical breakdown in our May 21 article on how the TanStack → Nx Console → GitHub cascade unfolded:

Stage 1 — TanStack GitHub Actions cache poisoning (May 11)

TeamPCP exploited a pull_request_target workflow misconfiguration at TanStack — a common GitHub Actions security gap that grants elevated repository permissions to pull requests from external forks. Through GitHub Actions cache poisoning, they injected a malicious pnpm store into TanStack’s shared workflow cache, gaining CI/CD publishing credentials that allowed them to push 84 malicious versions across 42 @tanstack npm packages simultaneously. The embedded credential-stealing worm propagated to downstream packages in @mistralai, @uipath, @squawk, and guardrails-ai namespaces. The application security posture management blind spot that enabled this: organizations have extensive visibility into their own code, but near-zero visibility into the security posture of their transitive dependencies.
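
A defender-side check for the misconfiguration class described above, as an added example that is not taken from TanStack, CISA, or the analyses cited here. The helper name `audit_prt_workflows` and the `RISK` labels are hypothetical, and the check is a text heuristic for triage, not a YAML parser.

```shell
#!/bin/sh
# Added example; audit_prt_workflows is a hypothetical helper name.
# Flags workflow files that (1) trigger on pull_request_target and (2) refer to
# the pull request's head ref or SHA, which means fork-controlled code may run
# with the base repository's permissions. "+CACHE" marks files that also use
# actions/cache, because the article describes a poisoned workflow cache.
audit_prt_workflows() {   # $1 = directory holding workflow YAML files
  for f in "$1"/*.yml "$1"/*.yaml; do
    [ -f "$f" ] || continue
    # Skip files where the trigger name only appears inside a comment.
    grep -Eq '^[^#]*pull_request_target' "$f" || continue
    # Require a reference to the PR head (SHA, ref, or refs/pull/...).
    grep -Eq 'github\.event\.pull_request\.head\.(sha|ref)|refs/pull/' "$f" || continue
    if grep -Eq '^[^#]*uses:[[:space:]]*actions/cache' "$f"; then
      echo "RISK+CACHE $f"
    else
      echo "RISK $f"
    fi
  done
  return 0
}

# Usage from a repository root:
#   audit_prt_workflows .github/workflows
```

A `pull_request_target` workflow that never touches the PR head (for example, one that only applies labels) is not reported.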

Stage 2 — Narwhal Technologies developer device compromise (May 11–18)

Among the developer machines that installed compromised TanStack packages was one belonging to an employee at Narwhal Technologies — the company behind the Nx build system and Nx Console VS Code extension. That developer’s GitHub token carried publisher access to the Nx Console extension on the Visual Studio Marketplace. TeamPCP extracted this token from the compromised machine, then used it to push a malicious orphan commit and stage the publication of Nx Console v18.95.0.

Stage 3 — The 18-minute VS Code Marketplace window (May 18, 12:30–12:48 UTC)

At 12:30 UTC on May 18, Nx Console v18.95.0 appeared on the Visual Studio Marketplace under the verified nrwl.angular-console publisher badge — giving it immediate automatic trust with VS Code’s update mechanism. For exactly 18 minutes, VS Code silently distributed the malicious build to any machine with Nx Console installed and VS Code running. The payload harvested the full credential list above and established a persistent LaunchAgent backdoor on macOS machines. Among the compromised machines was one belonging to a GitHub employee. The Glassworm botnet takedown documented earlier shows the same pattern: VS Code extension ecosystems are an increasingly weaponized distribution channel.

Stage 4 — GitHub internal repository exfiltration (May 18–20)

Using credentials from the compromised GitHub employee’s machine, TeamPCP accessed GitHub’s internal infrastructure and exfiltrated approximately 3,800 private repositories. The SANS ISC diary documented an additional escalation not previously publicly reported: TeamPCP simultaneously trojanized an officially Microsoft-published Python SDK during the same window. GitHub CISO Alexis Wales confirmed the breach on May 20. CVE-2026-48027 was assigned to the malicious Nx Console version and added to CISA’s KEV catalog on May 27.

Stage 5 — Megalodon + copycat activity (May 18–28)

Simultaneously with the Nx Console campaign, Megalodon targeted public GitHub repositories with injected Actions workflows, harvesting pipeline-layer secrets at scale. By May 25, SANS ISC documented that TeamPCP had open-sourced its own attack framework on GitHub — effectively publishing its tools for wider adoption. By May 28, Windows Forum confirmed a TeamPCP copycat was already active, hitting thousands of additional GitHub repositories with infostealers derived from the published framework. The campaign is no longer contained to a single threat actor.

TeamPCP’s full 2026 timeline: seven waves, three ecosystems

CISA formally names TeamPCP as the threat actor. The SANS ISC analysis documents seven confirmed attack waves since March 2026, showing the group now operates across npm, PyPI, and VS Code Marketplace simultaneously. DataWater has covered three of these waves directly:

  • March 2026 — Trivy (container security scanner) — CI/CD credential theft from security scanning pipelines
  • March–April 2026 — Checkmarx KICS Docker images — malicious images distributed via Docker Hub
  • April 2026 — LiteLLM · Telnyx · Bitwarden CLI — AI middleware and credential management tools
  • April 30, 2026 — PyTorch Lightning — DataWater Article #1; malicious PyPI packages with worm payload
  • May 2, 2026 — BufferZoneCorp Ruby gems and Go modules — DataWater Article #3; CI/CD pipeline credential drain
  • May 11–14, 2026 — TanStack npm — 84 malicious package versions, 160+ downstream packages infected
  • May 18, 2026 — Nx Console VS Code — 18-minute window, GitHub / OpenAI / Mistral AI / Grafana Labs breached
  • May 18–28, 2026 — @antv npm + Microsoft Python SDK + open-sourced attack framework + copycat activity

CISA’s full credential targeting list

CISA’s advisory provides the most comprehensive published list of credential categories targeted across both campaigns. Treat any of the following as potentially compromised if you had exposure. For a broader framework on why credential sprawl enables this type of mass-harvest attack, see our analysis of hidden IAM gaps and credential sprawl in enterprise environments:

  • GitHub personal access tokens and GitHub CLI authentication
  • npm authentication tokens — enabling further supply chain propagation
  • AWS access keys and secret keys
  • Azure service principal credentials
  • GCP service account keys and application default credentials
  • 1Password vault access — swept for all secrets in the developer’s vault
  • Anthropic Claude Code configurations — API keys and project secrets
  • CI/CD pipeline secrets — GitHub Actions secrets, repository-level tokens
  • SSH private keys from ~/.ssh/
  • macOS Keychain contents — on compromised macOS machines

CISA forensic audit checklist — run this now

Developer machine checks

# Check installed Nx Console version
code --list-extensions --show-versions | grep -i nx
# 18.95.0 = compromised · Safe: 18.100.0+

# Check for macOS persistence backdoors (LaunchAgents)
ls -la ~/Library/LaunchAgents/ /Library/LaunchAgents/ /Library/LaunchDaemons/
# Look for entries created ~May 18, 2026

# Check npm token exposure (prints which registries have a stored token, not the token value)
grep -o '^[^=]*_authToken' ~/.npmrc

# Check for AWS credential files
ls -la ~/.aws/credentials ~/.aws/config

# Check Claude Code configuration directory for API keys
ls -la ~/.claude/ ~/Library/Application\ Support/claude/
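
The version and LaunchAgent checks above, wrapped as functions that give a verdict instead of raw output. This is an added example, not part of the CISA advisory; the function names and the `COMPROMISED` / `UPDATE` / `OK` labels are hypothetical, and `UPDATE` means "below the 18.100.0 version this article lists as safe".

```shell
#!/bin/sh
# Added triage helpers; names and verdict labels are hypothetical.

# Reads `code --list-extensions --show-versions` output on stdin and prints a
# verdict for each nrwl.angular-console entry. Version components are compared
# as numbers: a plain string compare would rank 18.95.0 above 18.100.0.
nx_console_verdict() {
  awk -F'@' '
    tolower($1) == "nrwl.angular-console" {
      split($2, v, ".")
      maj = v[1] + 0; min = v[2] + 0; pat = v[3] + 0
      if (maj == 18 && min == 95 && pat == 0) verdict = "COMPROMISED"
      else if (maj < 18 || (maj == 18 && min < 100)) verdict = "UPDATE"
      else verdict = "OK"
      print verdict, $2
    }'
}

# Lists .plist files under the given directories that were modified after
# 2026-05-18 00:00 local time. Modification times can be altered, so an empty
# result narrows the search but does not clear the machine.
recent_launch_items() {
  ref=$(mktemp "${TMPDIR:-/tmp}/nxref.XXXXXX") || return 1
  touch -t 202605180000 "$ref"
  find "$@" -type f -name '*.plist' -newer "$ref" 2>/dev/null | sort
  rm -f "$ref"
}

# Usage on a developer machine:
#   code --list-extensions --show-versions | nx_console_verdict
#   recent_launch_items ~/Library/LaunchAgents /Library/LaunchAgents /Library/LaunchDaemons
```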

CI/CD pipeline and workflow checks

# Search workflow files for suspicious outbound steps (Megalodon pattern)
grep -r "curl\|wget\|nc \|bash -i\|/dev/tcp" .github/workflows/

# Check git log for unauthorized workflow modifications after May 18
git log --since="2026-05-18" --all -- .github/workflows/

# Search for Megalodon automated account commits
git log --all --since="2026-05-18" | grep -i "build-bot\|auto-ci\|ci-bot\|pipeline-bot"
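
The two `git log` checks above combined into one pass that reports which workflow files each flagged commit touched. This is an added example, not from the CISA advisory; the function names and the tab-separated output layout are hypothetical, and the account names are the four listed in this article.

```shell
#!/bin/sh
# Added example; function names and output layout are hypothetical.
# Account names this article attributes to CISA's advisory, as a regex that is
# matched case-insensitively against author and committer names.
MEGALODON_NAMES='build-bot|auto-ci|ci-bot|pipeline-bot'

# Parses `git log --name-only` output whose header lines were formatted as
#   commit<TAB>hash<TAB>author<TAB>committer<TAB>date
# and prints hash, author, committer, date and path for every file touched by
# a commit whose author OR committer name matches. Git name fields are
# self-asserted, so a clean result does not clear a repository.
flag_bot_commits() {
  awk -F'\t' -v pat="$MEGALODON_NAMES" '
    $1 == "commit" {
      hit = (tolower($3) ~ pat || tolower($4) ~ pat)
      meta = $2 "\t" $3 "\t" $4 "\t" $5
      next
    }
    NF && hit { print meta "\t" $0 }'
}

# Runs the triage over one repository ($1 = path), limited to workflow files
# changed since 2026-05-18 on any ref.
audit_workflow_history() {
  git -C "$1" log --all --since=2026-05-18 --name-only \
    --format='commit%x09%H%x09%an%x09%cn%x09%cI' -- .github/workflows/ |
    flag_bot_commits
}

# Usage:
#   audit_workflow_history /path/to/repo
```

Every line of output is a workflow file to diff and review before the next pipeline run.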

Cloud audit trail checks

  • AWS: Review CloudTrail for API calls from unfamiliar IPs or at unusual times since May 11, 2026. Check for new IAM users, roles, or access keys created after May 11.
  • Azure: Review Activity Log for unauthorized service principal activity or unexpected resource access since May 11.
  • GCP: Review Cloud Audit Logs for unexpected service account usage or storage access since May 11.

Full remediation steps

  1. Update Nx Console to v18.100.0 or later immediately. VS Code → Extensions → search “Nx Console” → Update. Verify the installed version is 18.100.0+.
  2. Rotate all credentials on every potentially exposed developer machine: GitHub personal access tokens, GitHub CLI auth, npm tokens, AWS access keys, Azure service principal credentials, GCP service account keys, 1Password vault master password, Claude Code API keys, and SSH private keys. There is no safe subset to skip.
  3. Remove macOS persistence backdoors explicitly. Extension removal alone is insufficient. Inspect and remove any LaunchAgent or LaunchDaemon entries created around May 18, 2026.
  4. Disable VS Code extension auto-update as an interim policy. Set extensions.autoUpdate: false and extensions.autoCheckUpdates: false. This is the single architectural change that would have prevented this attack from reaching GitHub’s infrastructure.
  5. Audit all GitHub Actions workflow files for Megalodon-style injection. Run the git log and grep commands above. Revert any workflow file changes from unrecognized automated accounts made after May 18, 2026.
  6. Rotate all CI/CD pipeline secrets in repositories whose pipelines ran after May 18 with access to sensitive environment variables — even if the workflow files were not modified.
  7. Review your published npm and PyPI packages for unexpected version bumps or modified install scripts if any compromised machine had publish access. Yank unauthorized versions immediately. See our earlier coverage of how the PyTorch Lightning worm self-propagated through stolen npm tokens for context on why this step is critical.
  8. Federal agencies: comply with BOD 22-01 by June 10, 2026 for both CVE-2026-48027 and CVE-2026-45321.

The structural lesson: automated trust is the attack surface

CISA’s advisory closes with an observation that the Windows Forum analysis captured best: attackers are moving further upstream, away from the familiar target of finished packages and toward the automation, editor plugins, identities, and workflow files that decide what software becomes trusted in the first place. VS Code auto-update distributed the malicious extension without developer review. GitHub Actions workflows execute automatically on push events. npm install scripts run without sandboxing by default. CI/CD pipelines inject secrets into environment variables accessible to any workflow step.

The Verizon DBIR 2026 found supply chain attacks now account for 30% of all breaches, doubled from the prior year. The AI-acceleration of offensive tooling is compressing exploitation timelines further. The next phase of supply chain defense requires making the automated path narrower, more observable, and less generous with secrets — before the next poisoned update turns routine engineering into the initial access vector for the next major breach. For organizations building a systematic response, our analysis of third-party and supply chain cyber risk provides the vendor risk management framework that this incident validates.


DataWater publishes daily cybersecurity intelligence for enterprise and government security leaders. Article #18 — May 29, 2026. This article supersedes and expands Article #15 (May 21). Previous: CVE-2026-34926 Trend Micro Apex One (May 26) · Verizon DBIR 2026 (May 26) · MiniPlasma Windows zero-day (May 19) · CVE-2026-42897 Exchange OWA (May 19) · Fragnesia CVE-2026-46300 (May 18) · CVE-2026-20182 Cisco SD-WAN (May 16).
