Attackers Abuse Trusted Developer Tools to Steal Source Code and Secrets
Attackers are increasingly targeting the tools developers use every day, including code editors, CI/CD pipelines, package registries, and GitHub workflows. Recent incidents involving Nx Console, GitHub, and the Megalodon campaign show how trusted developer infrastructure can become a direct path to source code and secrets.
CISA warned on May 28, 2026, that threat actors are abusing development tools, code extensions, cloud environments, and CI/CD systems in coordinated software supply chain compromises. The agency urged organizations to treat affected developer machines and pipelines as high-risk systems that may expose tokens, credentials, and internal code.
The warning follows two major events. One involved a malicious version of the Nx Console VS Code extension. Another, tracked as Megalodon, injected malicious GitHub Actions workflows into more than 5,500 public repositories to steal cloud and pipeline secrets.
Nx Console Compromise Shows the Risk of Trusted Extensions
The Nx Console incident centered on version 18.95.0 of the extension. According to the Nx postmortem, an attacker published the malicious version to Visual Studio Marketplace and Open VSX on May 18, 2026, after compromising a contributor’s developer machine through an earlier supply chain attack.
The malicious extension ran when a user opened a workspace in VS Code or a compatible editor. It then fetched and executed a payload hidden in an orphan commit inside the official Nx repository.
The exposure window was short, but the risk was serious. Nx says the malicious version was live for about 18 minutes on Visual Studio Marketplace and about 36 minutes on Open VSX. The project advised anyone who had Nx Console with auto-update enabled during the exposure window to treat the machine as potentially compromised.
| Incident | What happened | Main risk |
| --- | --- | --- |
| Nx Console 18.95.0 | A malicious VS Code extension version was briefly published to marketplaces | Developer credential theft and backdoor installation |
| GitHub internal repository incident | An employee device was compromised through a poisoned VS Code extension | Unauthorized access to internal repositories |
| Megalodon | Malicious GitHub Actions workflows were injected into thousands of repositories | CI/CD secret and cloud credential theft |
CVE-2026-48027 Was Added to the KEV Catalog
The malicious Nx Console release is tracked as CVE-2026-48027. The NVD entry describes it as an embedded malicious code vulnerability affecting Nx Console 18.95.0, with version 18.100.0 listed as a safe remediation path.
NVD also lists the vulnerability in CISA’s Known Exploited Vulnerabilities catalog. The required action directs affected organizations to apply vendor mitigations, follow applicable cloud guidance, or discontinue use if mitigations are not available.
The issue received a critical score because it could affect confidentiality, integrity, and availability. In practice, the risk came from what developer machines often hold: GitHub tokens, npm tokens, cloud credentials, SSH keys, environment files, and secrets available through local tools.
What the Nx Payload Tried to Steal
The payload targeted common credential locations and developer tools. Nx said it looked for GitHub tokens, npm tokens, AWS credentials, HashiCorp Vault tokens, Kubernetes service account tokens, SSH private keys, Docker configuration files, GCP credentials, .env files, and active 1Password CLI session data.
The GitHub security advisory for Nx Console tells affected users to update to 18.100.0 or later, kill suspicious cat.py and daemonized processes, remove persistence artifacts, and rotate every credential reachable from the machine.
This is why the cleanup process must go beyond uninstalling the bad extension. If the payload ran, organizations need to assume secrets may have already left the device.
- Update Nx Console to version 18.100.0 or later.
- Check whether version 18.95.0 was installed during the exposure window.
- Search for cat.py, kitty staging folders, and suspicious LaunchAgent files.
- Rotate GitHub, npm, cloud, SSH, and CI/CD credentials from exposed machines.
- Audit source control, cloud, and package registry logs for suspicious access.
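The version check in the list above can be scripted across a fleet. The following is an added example, not code from the Nx advisory or from this article; the extension identifier `nrwl.angular-console` and the editor extension directories are assumptions to confirm against your own inventory. It compares versions numerically, because a plain string comparison would rank 18.95.0 above 18.100.0.

```python
import re
from pathlib import Path

# Assumption: Nx Console's marketplace identifier; confirm it in your inventory.
EXTENSION_ID = "nrwl.angular-console"
MALICIOUS = (18, 95, 0)   # version named in the advisory
FIXED = (18, 100, 0)      # first version the advisory lists as safe

# Assumption: common per-user extension directories for VS Code-style editors.
DEFAULT_DIRS = ["~/.vscode/extensions", "~/.vscode-server/extensions",
                "~/.cursor/extensions"]

# Folders are named <publisher>.<name>-<version>, optionally with -<platform>.
FOLDER_RE = re.compile(r"^(?P<id>[\w.-]+?)-(?P<ver>\d+\.\d+\.\d+)(?:-[\w-]+)?$")

def classify(folder_name):
    """Return 'malicious', 'update', 'ok', or None if not Nx Console."""
    m = FOLDER_RE.match(folder_name)
    if not m or m.group("id").lower() != EXTENSION_ID:
        return None
    version = tuple(int(part) for part in m.group("ver").split("."))
    if version == MALICIOUS:
        return "malicious"
    # Tuple comparison is numeric, so (18, 95, 0) < (18, 100, 0) holds.
    return "ok" if version >= FIXED else "update"

def scan(dirs=DEFAULT_DIRS):
    """List (path, status) for every Nx Console folder found under dirs."""
    findings = []
    for d in dirs:
        root = Path(d).expanduser()
        if not root.is_dir():
            continue
        for entry in sorted(root.iterdir()):
            status = classify(entry.name)
            if status:
                findings.append((str(entry), status))
    return findings

if __name__ == "__main__":
    for path, status in scan():
        print(f"{status:10} {path}")
```

A clean result only describes the current state of the disk: an editor with auto-update enabled may already have replaced 18.95.0, so the exposure-window question in the list above still has to be answered from update logs or endpoint telemetry.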
GitHub Also Confirmed an Internal Repository Incident
GitHub confirmed that it detected and contained a cyberattack involving a compromised employee device. In an investigation update, the company said it activated its response process to disrupt malicious activity, mitigate the attack, and deny the threat actor further access.
GitHub also said it was rotating keys out of caution, including the GitHub Enterprise Server signing key. The company told GitHub Enterprise Server customers to rotate GPG public keys in their instances, while noting that all binaries hosted by GitHub were valid and that no action was required for GitHub Enterprise Cloud.
The incident reinforced the same lesson as the Nx compromise. A developer workstation can become an entry point into internal systems if it runs a trusted extension that later turns malicious.
Megalodon Targeted GitHub Actions at Scale
The second campaign, Megalodon, did not depend on a VS Code extension. Instead, it abused GitHub repositories with weak branch protection by pushing malicious GitHub Actions workflows disguised as routine CI changes.
StepSecurity reported that Megalodon injected malicious workflows into 5,561 public repositories in a six-hour window on May 18, 2026. The workflows were designed to steal cloud credentials, SSH keys, API tokens, repository secrets, Kubernetes configuration, and GitHub Actions OIDC tokens.
This made the CI runner the attack target. A malicious workflow does not need to change application logic to cause harm. If it runs inside a trusted pipeline with secrets, it can exfiltrate those secrets before developers notice anything unusual.
Why CI/CD Secrets Are So Valuable
CI/CD systems often hold keys that give direct access to deployment environments, cloud accounts, container registries, signing systems, test infrastructure, and production services. That makes pipelines a high-value target for attackers.
Megalodon used workflow names and commit identities that looked like normal automation. Names such as build-bot, auto-ci, ci-bot, and pipeline-bot can blend into busy repositories where maintainers expect automated commits and workflow changes.
According to StepSecurity’s Megalodon analysis, the campaign targeted repositories with weak branch protection and pushed backdoored workflow files that could steal secrets from future pipeline runs.
| Targeted secret type | Why attackers want it |
| --- | --- |
| GitHub tokens | Can allow repository access, workflow abuse, or further code changes |
| AWS, GCP, and Azure credentials | Can expose cloud infrastructure and production services |
| SSH keys | Can enable access to servers, repositories, and deployment systems |
| OIDC tokens | Can grant short-lived cloud access without static credentials |
| Kubernetes configs | Can expose clusters and workloads |
Why This Is Bigger Than One Extension
The Nx and Megalodon incidents point to a broader change in attacker behavior. Threat actors are no longer only targeting production applications. They are targeting the people and systems that build those applications.
The Nx incident report shows how one compromised developer machine led to a malicious marketplace release. The Megalodon campaign shows how weak branch controls can turn public repositories into credential-exfiltration points. GitHub’s own response shows how a poisoned extension can reach even mature engineering environments.
That combination makes developer security a supply chain priority. A company may have strong production controls and still suffer a serious breach if code editors, package workflows, CI runners, and repository permissions remain loosely governed.
What Organizations Should Do Now
Organizations should start by auditing whether Nx Console 18.95.0 ran in their environment. The official advisory lists indicators of compromise and recommends immediate credential rotation for affected systems.
Security teams should also inspect GitHub Actions workflows for unexpected commits, suspicious workflow names, forged bot authors, unfamiliar C2 endpoints, and workflow changes made directly to default branches without review.
CISA’s alert recommends forensic review and broad credential rotation when organizations find compromised extensions or unauthorized workflow changes. That includes cloud provider tokens, API keys, SSH keys, Docker and Kubernetes tokens, developer secrets, and CI/CD credentials.
- Audit installed VS Code, Cursor, and Open VSX extensions.
- Block automatic extension updates in high-risk environments until updates age or pass review.
- Require signed commits and protected branches for workflow changes.
- Require pull request review for all .github/workflows changes.
- Limit default GitHub Actions token permissions.
- Use short-lived credentials and narrow cloud roles for CI jobs.
- Rotate secrets after any suspected developer workstation or CI compromise.
- Monitor workflow runs, package publishing events, and cloud audit logs together.
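The workflow audit described above can start from repository history. This is an added example, not tooling from CISA, StepSecurity, or this article: it parses `git log` output for commits touching `.github/workflows` and flags the bot-style author names the article cites plus newly added workflow files. The `@@` record marker and the sample log are constructed for illustration.

```python
import subprocess

# Bot-style names the article says Megalodon used for commit identities.
SUSPECT_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
WORKFLOW_DIR = ".github/workflows/"
LOG_ARGS = ["git", "log", "--first-parent", "--name-status",
            "--format=@@%H%x09%an%x09%ae%x09%s", "--", ".github/workflows"]

def run_git_log(repo_path):
    """Collect workflow history from a local clone (not used by the sample)."""
    return subprocess.run(LOG_ARGS, cwd=repo_path, capture_output=True,
                          text=True, check=True).stdout

def parse_log(text):
    """Turn LOG_ARGS output into a list of commit dicts."""
    commits = []
    for line in text.splitlines():
        if line.startswith("@@"):
            sha, author, email, subject = line[2:].split("\t", 3)
            commits.append({"sha": sha, "author": author, "email": email,
                            "subject": subject, "files": []})
        elif line.strip() and commits:
            parts = line.split("\t")  # "A<TAB>path" or "R100<TAB>old<TAB>new"
            commits[-1]["files"].append((parts[0][:1], parts[-1]))
    return commits

def triage(commits):
    """Return (sha, author, reasons) for workflow commits needing review."""
    findings = []
    for c in commits:
        touched = [(s, p) for s, p in c["files"] if p.startswith(WORKFLOW_DIR)]
        reasons = []
        if touched and c["author"].strip().lower() in SUSPECT_AUTHORS:
            reasons.append("bot-style author name")
        if any(status == "A" for status, _ in touched):
            reasons.append("adds a new workflow file")
        if reasons:
            findings.append((c["sha"], c["author"], reasons))
    return findings

# Constructed sample output, not taken from any real repository.
SAMPLE_LOG = (
    "@@1111111aaaa\tbuild-bot\tbot@example.invalid\tci: update pipeline\n\n"
    "A\t.github/workflows/ci-extra.yml\n"
    "@@2222222bbbb\tJane Dev\tjane@example.invalid\tBump Node in CI\n\n"
    "M\t.github/workflows/test.yml\n"
)

if __name__ == "__main__":
    for sha, author, reasons in triage(parse_log(SAMPLE_LOG)):
        print(sha[:7], author, "; ".join(reasons))
```

A flagged commit is a lead for review, not a verdict: author names are trivially set by whoever makes the commit, so confirm against the repository's push and audit logs.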
GitHub Customers Should Review the Signing Key Guidance
GitHub’s incident update includes a specific action for GitHub Enterprise Server administrators. The company is rotating the GitHub Enterprise Server signing key and asks administrators to rotate GPG public keys in their instances.
The GitHub investigation update says no action is required for GitHub Enterprise Cloud customers, but GitHub Enterprise Server customers should follow the published key-rotation steps.
That action is separate from the Nx Console remediation and Megalodon workflow cleanup. Organizations should handle all three workstreams if they apply: extension compromise review, CI/CD workflow audit, and GitHub Enterprise Server key rotation.
The Bottom Line
These incidents show why developer tooling now needs the same level of protection as production infrastructure. A trusted extension, a routine workflow file, or a normal-looking bot commit can expose source code and credentials if teams do not control how those tools update and execute.
The CVE-2026-48027 record makes the Nx Console compromise part of the known exploited vulnerability landscape, while the Megalodon campaign shows attackers can scale CI/CD abuse across thousands of repositories in hours.
The defensive response should be direct: verify developer endpoints, rotate exposed secrets, restrict extension and workflow changes, enforce branch protections, and treat CI/CD as a core security boundary rather than a background automation layer.
FAQ
A malicious version of Nx Console 18.95.0 was briefly published to Visual Studio Marketplace and Open VSX on May 18, 2026. When activated, it could run a payload that stole developer credentials and installed persistence artifacts.
Megalodon is a GitHub Actions supply chain campaign that injected malicious workflow files into more than 5,500 public repositories. The workflows were designed to steal CI/CD secrets, cloud credentials, SSH keys, API tokens, and OIDC tokens.
Developer tools often have access to source code, local credentials, cloud tokens, package publishing rights, and CI/CD secrets. If attackers compromise a trusted extension, package, or workflow, they can move from one developer machine into broader software delivery systems.
Organizations should check for Nx Console 18.95.0, rotate credentials from affected machines, audit GitHub Actions workflows, enforce branch protection, reduce CI token permissions, review cloud and repository logs, and follow GitHub Enterprise Server key-rotation guidance where applicable.