The Cybersecurity and Infrastructure Security Agency on Thursday warned that hackers targeted software development pipelines in recent weeks and urged security teams to check for potential compromise of their environments.
CISA referenced two recent campaigns, including the "Megalodon" supply chain attack and a GitHub compromise through a malicious Nx Console Visual Studio Code extension.
The Megalodon attack on May 18 involved hackers injecting malicious GitHub Actions workflows into more than 5,500 open-source repositories, according to a blog post by Step Security. Repositories with weak branch protection were targeted, resulting in a large-scale theft of cloud credentials, API tokens, SSH keys and other secrets.
The GitHub attack involved the compromise of a GitHub employee's system using a poisoned third-party VS Code extension. The attack on the GitHub employee leveraged a previous compromise of Nx developer systems, CISA said.
A malicious version of Nx Console, 18.95.0, had been published on May 19 and left available in Visual Studio Marketplace for about 18 minutes. The issue has been assigned CVE-2026-48027, and GitHub released a related security advisory.
Check for suspicious requests
CISA is urging security teams to monitor and conduct audits on their workflow files and activity from contributors. Attention should be paid to suspicious pull requests or direct commits, especially any coming from an automated account.
Security teams should revert any unauthorized changes, CISA advised, and check for anything that came in after May 18.
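One way to run the workflow audit described above, as an added example that is not from CISA or the original article: it lists commits that touched `.github/workflows/` on or after the cutoff and notes why each deserves review. The `known_authors` allowlist, the `[bot]` name check and the year in `CUTOFF` (taken from the CVE identifier) are assumptions, and the sample log is constructed.

```python
import subprocess
from datetime import datetime, timezone

WORKFLOWS = ".github/workflows/"
REC, SEP = "\x1e", "\x1f"  # record / field separators for git's --format
# Cutoff from the advisory; the year is an assumption taken from the CVE id.
CUTOFF = datetime(2026, 5, 18, tzinfo=timezone.utc)

def read_log(repo="."):
    """Raw history of commits that touched workflow files (needs git)."""
    cmd = ["git", "-C", repo, "log", "--name-status",
           f"--format={REC}%H{SEP}%an{SEP}%ae{SEP}%cI", "--", WORKFLOWS]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def parse_log(text):
    commits = []
    for record in text.split(REC)[1:]:
        lines = [l for l in record.splitlines() if l.strip()]
        sha, name, email, date = lines[0].split(SEP)
        # name-status lines look like "A\tpath" or "R100\told\tnew"
        files = [(l.split("\t")[0][0], l.split("\t")[-1]) for l in lines[1:]]
        commits.append({"sha": sha, "name": name, "email": email,
                        "date": datetime.fromisoformat(date), "files": files})
    return commits

def review(commits, known_authors=frozenset(), cutoff=CUTOFF):
    """Map sha -> reasons for each workflow commit on or after the cutoff."""
    findings = {}
    for c in commits:
        if c["date"] < cutoff:
            continue
        reasons = []
        if "[bot]" in f'{c["name"]} {c["email"]}'.lower():
            reasons.append("automated account")
        if c["email"].lower() not in known_authors:
            reasons.append("author not on known list")
        reasons += [f"new workflow {p}" for s, p in c["files"] if s == "A"]
        findings[c["sha"]] = reasons or ["workflow changed, review diff"]
    return findings

# Constructed sample in the format read_log() produces (not real data).
SAMPLE = "".join(
    f"{REC}{sha}{SEP}{n}{SEP}{e}{SEP}{d}\n\n{files}\n" for sha, n, e, d, files in [
        ("c3", "build-helper[bot]", "build-helper[bot]@users.noreply.github.com",
         "2026-05-19T02:14:00+00:00", "A\t.github/workflows/sync.yml"),
        ("b2", "Alice Dev", "alice@example.com",
         "2026-05-20T10:00:00+00:00", "M\t.github/workflows/ci.yml"),
        ("a1", "Alice Dev", "alice@example.com",
         "2026-05-10T10:00:00+00:00", "M\t.github/workflows/ci.yml"),
    ])
```

Against a real clone, pass `read_log(path)` to `parse_log` in place of `SAMPLE`; every commit `review` returns still needs its diff read by a person before anything is reverted.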
If a compromise is found in connection with a previously compromised Nx Console or GitHub account, CISA suggests the following:
- Conduct a forensics review of continuous integration/continuous delivery logs, impacted developer machines and cloud audit trails.
- Rotate or revoke secrets, including credentials, tokens and secrets related to CI/CD pipelines.








