CISA warns that Nx Console and GitHub repositories are being abused in multiple supply chain compromises – tools across enterprise, cloud, and DevOps environments exploited
The agency is giving practical advice
- CISA issued an alert on ongoing supply chain attacks abusing GitHub repos via a malicious Nx Console VSCode extension and the Megalodon campaign
- Threat actors stole CI/CD secrets, cloud credentials, and tokens by poisoning workflows, prompting CISA to urge audits of contributor activity and workflow files
- Recommended mitigations include forensic reviews, rotating/revoking all pipeline secrets, pinning trusted package versions, and delaying pulls to allow community detection
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning about multiple ongoing supply chain attacks and is urging developers and open-source platform users to apply mitigations and secure their environments.
In a news alert published earlier this week, the agency warned about attacks on GitHub repos via a malicious Nx Console Visual Studio Code (VSCode) extension, as well as the Megalodon supply chain campaign. It said these attacks show “how cyber threat actors are abusing tools and processes that support enterprise, cloud, and DevOps environments - specifically CI/CD pipelines, code extensions, and workflows.”
Building on an earlier compromise of Nx developer systems, threat actors compromised a GitHub employee’s device through a poisoned third-party VSCode extension, gaining access to their repositories and stealing sensitive information found within.
CISA's advice
In Megalodon, hackers injected malicious GitHub Actions workflows to steal CI/CD secrets, cloud credentials, and tokens, CISA said.
With that in mind, it urged organizations to monitor and audit workflow files and contributor activity and revert any unauthorized changes.
Organizations that discover a breach stemming from previously compromised GitHub or Nx Console software should conduct a forensic review of CI/CD logs, cloud audit trails, and affected developer machines, and rotate or revoke all secrets. That covers every credential, token, and secret accessible to CI/CD pipelines: API keys; cloud provider credentials (Amazon Web Services, Google Cloud Platform, Microsoft Azure); SSH keys; Docker, npm, PyPI, Vault, Terraform, and Kubernetes tokens; GitHub, GitLab, and Bitbucket tokens; and developer or pipeline secrets.
When using package repositories, CISA recommends waiting at least three hours before pulling a newly published package, to give the community enough time to spot suspicious or malicious commits. It also recommends pinning software to specific trusted versions and pulling packages only from known and trusted sources.
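One way to put the three-hour cool-down and version pinning into practice is to check a package's publish timestamps before installing, as in this added Python example (not from CISA or the article). It assumes the `time` map shape that the npm registry returns for a package; the package data and dates below are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of an npm registry "time" map (version -> publish time).
# Real registries return this per package; the values here are hypothetical.
SAMPLE_REGISTRY_TIME = {
    "created": "2024-01-01T00:00:00.000Z",
    "modified": "2024-06-01T12:30:00.000Z",
    "1.0.0": "2024-01-01T00:00:00.000Z",
    "1.1.0": "2024-03-15T09:00:00.000Z",
    "1.2.0": "2024-06-01T12:30:00.000Z",
}

MIN_AGE = timedelta(hours=3)  # CISA's recommended wait before pulling a new release
META_KEYS = {"created", "modified"}  # registry bookkeeping, not versions


def _parse(ts: str) -> datetime:
    # Registry timestamps are ISO 8601 with a trailing "Z" (UTC).
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_age(time_map: dict, version: str, now: datetime) -> timedelta:
    """How long ago `version` was published, relative to `now` (UTC-aware)."""
    return now - _parse(time_map[version])


def is_old_enough(time_map: dict, version: str, now: datetime,
                  min_age: timedelta = MIN_AGE) -> bool:
    """True if the version has been public for at least `min_age`."""
    return version_age(time_map, version, now) >= min_age


def newest_matured_version(time_map: dict, now: datetime,
                           min_age: timedelta = MIN_AGE):
    """Most recently published version that has cleared the cool-down, or None.

    Ordering is by publish time, not semver, which is what matters for a
    'has the community had time to look at this' check.
    """
    matured = [(_parse(ts), v) for v, ts in time_map.items()
               if v not in META_KEYS and now - _parse(ts) >= min_age]
    return max(matured)[1] if matured else None


def pinned_spec(name: str, time_map: dict, now: datetime) -> str:
    """Exact 'name@version' to pin to, resolving to the newest matured release."""
    version = newest_matured_version(time_map, now)
    if version is None:
        raise ValueError(f"no release of {name} has cleared the cool-down")
    return f"{name}@{version}"


if __name__ == "__main__":
    print(pinned_spec("example-pkg", SAMPLE_REGISTRY_TIME, datetime.now(timezone.utc)))
```

The same check can be applied to any registry that exposes per-version publish times; the important part is that the lookup happens before the install step, not after.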
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.