CISA adds CVE-2026-48027 to KEV as Nx Console, GitHub CI/CD attacks widen
The malicious Nx Console extension v18.95.0 deployed silently via auto-update, meaning developers never had to click anything, and every secret their pipeline could touch is now exposed.
TL;DR
CISA added CVE-2026-48027, assigned to the poisoned Nx Console VS Code extension version 18.95.0, to the Known Exploited Vulnerabilities (KEV) Catalog and flagged two linked campaigns: the Nx-to-GitHub pivot that exfiltrated internal GitHub repositories, and "Megalodon," which injected malicious GitHub Actions workflows to harvest CI/CD secrets, cloud credentials, and tokens across public repositories. The extension spread through VS Code's automatic update mechanism, requiring no manual action from developers or pipeline agents. CISA's mandatory remediation: rotate every credential, token, API key, and cloud provider secret that any CI/CD pipeline could access, and treat any organization using Nx Console or GitHub Actions as potentially compromised until forensics say otherwise.

Two supply-chain campaigns are now running concurrently, and CISA's classification of both under its active response posture means the KEV addition is the floor, not the ceiling, of what's required.
How the Nx-to-GitHub chain worked
Threat actors first compromised Nx developer systems, then used access obtained there to push a malicious build of the Nx Console VS Code extension, version 18.95.0. That build was served through VS Code's native auto-update mechanism. Any system that had Nx Console previously installed received the malicious version without a developer touching anything. From there, the poisoned extension reached a GitHub employee's device, giving attackers a foothold into internal GitHub repositories. CVE-2026-48027 covers this specific version; it is now on the KEV Catalog, which carries a mandatory remediation obligation for all federal civilian executive branch agencies under Binding Operational Directive 22-01.
Contractors, managed service providers, and subcontractors operating in environments with FISMA, FedRAMP, or CMMC obligations should treat the KEV addition as a compliance trigger, not just a vendor advisory.
Megalodon runs a separate track
The second campaign, "Megalodon," operates independently of the Nx vector. Attackers injected malicious GitHub Actions workflow files into public repositories to harvest CI/CD secrets: cloud provider credentials for AWS, GCP, and Azure; SSH keys; Docker, npm, PyPI, Vault, Terraform, and Kubernetes tokens; and GitHub, GitLab, and Bitbucket tokens. Automated accounts using names like build-bot, auto-ci, ci-bot, and pipeline-bot are flagged as indicators; CISA specifically calls out suspicious commits made after May 18, 2026.
The two campaigns share a common mechanism: both treat CI/CD infrastructure as a secret-harvesting substrate rather than a code-delivery vehicle. Credentials accessible to a pipeline runner are exfiltrated automatically, without any subsequent human interaction.
What practitioners do now
CISA's remediation guidance is explicit and not optional for organizations that discover a compromise:
- Rotate and revoke all secrets accessible to any CI/CD pipeline. The list is not a suggestion: API keys, AWS/GCP/Azure credentials, SSH keys, Docker/npm/PyPI/Vault/Terraform/Kubernetes tokens, GitHub/GitLab/Bitbucket tokens, and any developer or pipeline secret.
- Pull CI/CD logs, cloud audit trails, and affected developer machine forensics before rotating, so the rotation doesn't destroy the evidentiary record.
- Audit workflow files for unauthorized commits, especially from automated accounts, and revert anything added after May 18, 2026 that wasn't explicitly authorized.
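One way to carry out the workflow-file audit in the last step, as an added example (not CISA's guidance text or any GitHub tooling): it reads a tab-separated export of commit metadata (sha, author, author date, path; the export format and the sample commits are constructed for this example), keeps post-cutoff commits to `.github/workflows/` that are not on an allowlist of explicitly authorized authors, and rates commits from the indicator bot names, or from names matching an assumed bot-like pattern, as high priority.

```python
import re
from datetime import datetime, timezone

# Cutoff CISA gave for suspicious workflow commits (from the advisory text above).
CUTOFF = datetime(2026, 5, 18, tzinfo=timezone.utc)
# Automated-account names the advisory names as indicators.
INDICATOR_NAMES = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
# Looser pattern for near-variants; an assumption for this example, not from CISA.
BOT_PATTERN = re.compile(r"(^|[-_])(bot|ci)([-_]|$)", re.IGNORECASE)
WORKFLOW_DIR = ".github/workflows/"

# Constructed sample export: one tab-separated record per commit/file pair
# (sha, author, ISO-8601 author date, path). These are not real commits.
SAMPLE_LOG = """\
a1b2c3d\tbuild-bot\t2026-05-21T03:14:00+00:00\t.github/workflows/ci.yml
d4e5f6a\talice\t2026-05-10T09:00:00+00:00\t.github/workflows/ci.yml
0f1e2d3\tpipeline-bot\t2026-05-19T22:45:00+00:00\tsrc/main.py
9a8b7c6\tauto-ci\t2026-05-25T12:00:00+00:00\t.github/workflows/release.yml
5c4d3e2\tbob\t2026-05-30T08:00:00+00:00\t.github/workflows/deploy.yml
"""

def parse_records(text):
    """Parse the tab-separated export into dicts with timezone-aware dates."""
    records = []
    for line in text.strip().splitlines():
        sha, author, date, path = line.split("\t")
        when = datetime.fromisoformat(date)
        if when.tzinfo is None:          # treat naive timestamps as UTC
            when = when.replace(tzinfo=timezone.utc)
        records.append({"sha": sha, "author": author, "date": when, "path": path})
    return records

def flag_workflow_commits(records, allowlist=frozenset()):
    """Post-cutoff commits to workflow files not explicitly authorized. 'high'
    marks automated-looking authors; 'review' marks every other such commit."""
    hits = []
    for r in records:
        if not r["path"].startswith(WORKFLOW_DIR) or r["date"] < CUTOFF:
            continue
        if r["author"] in allowlist:     # explicitly authorized change
            continue
        name = r["author"].lower()
        severity = "high" if name in INDICATOR_NAMES or BOT_PATTERN.search(name) else "review"
        hits.append({"sha": r["sha"], "author": r["author"],
                     "path": r["path"], "severity": severity})
    return hits
```

Commits that hit with severity `review` are human-authored workflow changes after the cutoff that nobody has vouched for; they are what the allowlist should be populated from once each one is confirmed.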
For organizations not yet compromised, CISA recommends pinning dependencies to specific trusted versions, waiting at least three hours before pulling new packages to allow community detection of malicious builds, and restricting pulls to known and trusted sources.
The pattern, counted
This is the third major supply-chain attack targeting developer tooling in six months. The vector has shifted: the earlier campaigns hit package managers directly; these two hit the extension ecosystem and the workflow layer of CI/CD platforms. The auto-update mechanism that makes developer tooling convenient is the same mechanism that removed any manual step from the infection chain here. CISA has not yet published scope details on which GitHub repositories were accessed or how long the Nx Console poisoning campaign was active before detection. Until those answers are public, any organization whose pipelines touched Nx Console or public GitHub Actions workflows in the relevant window should assume the worst and rotate accordingly.
Deep Fathom