- CISA issued an alert regarding ongoing supply chain attacks abusing GitHub repositories via a malicious Nx Console VSCode extension and the Megalodon campaign.
- Threat actors stole CI/CD secrets, cloud credentials, and tokens by poisoning workflows, leading CISA to urge audits of contributor activity and workflow files.
- Recommended mitigations include forensic reviews, rotating/revoking all pipeline secrets, pinning trusted package versions, and delaying pulls to allow for community discovery.
The US Cybersecurity and Infrastructure Security Agency (CISA) warns of multiple ongoing supply chain attacks and urges developers and users of open source platforms to apply mitigations and protect their environments.
In a news alert published earlier this week, the agency warned of attacks on GitHub repositories via a malicious Nx Console Visual Studio Code (VSCode) extension, as well as the Megalodon supply chain campaign. It said these attacks show “how cyber threat actors are abusing the tools and processes that support enterprise, cloud and DevOps environments, specifically CI/CD pipelines, code extensions and workflows.”
By abusing a previous compromise of Nx development systems, threat actors were able to compromise a GitHub employee’s device via a poisoned third-party VSCode extension, accessing their repositories and stealing sensitive information contained within.
In Megalodon, hackers injected malicious GitHub Action workflows to steal CI/CD secrets, cloud credentials, and tokens, CISA said.
With that in mind, it urged organizations to monitor and audit workflow files and contributor activity and revert any unauthorized changes.
Organizations that discover a breach of previously compromised GitHub or Nx Console software should perform a forensic review of CI/CD logs, cloud audit logs, and affected developer machines, and rotate or revoke every credential, token, and secret that CI/CD pipelines can reach. That includes API keys; cloud provider credentials (Amazon Web Services, Google Cloud Platform, Microsoft Azure); SSH keys; Docker, npm, PyPI, Vault, Terraform, and Kubernetes tokens; GitHub, GitLab, and Bitbucket tokens; and any other developer or pipeline secrets.
When pulling from package repositories, CISA recommends waiting at least three hours before installing a newly published package, to give the community enough time to detect any suspicious or malicious commits. It also recommends pinning software to specific trusted versions and obtaining packages only from known, trusted sources.
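One way to turn the pin-and-wait advice above into a pre-install gate, as an added Python example that is not from CISA or the article; the package name, registry metadata, timestamps and the three-hour threshold's enforcement logic are constructed for illustration:

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Minimum time a release must have been public before a pipeline may pull it
# (the three-hour community-discovery window CISA recommends).
MIN_AGE = timedelta(hours=3)
# An exact "major.minor.patch" pin; anything else (^, ~, ranges, tags) is rejected.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")

# Constructed sample in the shape of npm-registry metadata: "time" maps each
# version to its publish timestamp. Not real package data.
SAMPLE_REGISTRY = json.loads("""{
  "name": "example-lib",
  "dist-tags": {"latest": "2.1.0"},
  "time": {
    "2.0.3": "2024-05-01T09:00:00.000Z",
    "2.1.0": "2024-05-10T11:30:00.000Z"
  }
}""")
# Constructed "current time" so the example runs offline and deterministically.
SAMPLE_NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)


def is_pinned(spec):
    """True only for an exact version, never a range or a dist-tag."""
    return bool(EXACT_VERSION.match(spec))


def release_age(metadata, version, now):
    """Time since the version was published, or None if the registry has no such version."""
    stamp = metadata["time"].get(version)
    if stamp is None:
        return None
    published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return now - published


def check_pull(metadata, spec, now):
    """Return (allowed, reason) for pulling `spec` of this package at time `now`."""
    if not is_pinned(spec):
        return False, f"spec {spec!r} is not an exact version; pin a trusted release"
    age = release_age(metadata, spec, now)
    if age is None:
        return False, f"version {spec} is not present in registry metadata"
    if age < MIN_AGE:
        return False, f"version {spec} was published {age} ago, inside the {MIN_AGE} quarantine"
    return True, f"version {spec} is pinned and {age} old; ok to pull"


if __name__ == "__main__":
    for spec in ("^2.0.0", "latest", "2.1.0", "2.0.3"):
        print(spec, check_pull(SAMPLE_REGISTRY, spec, SAMPLE_NOW))
```

The same check can be run against a lockfile entry by entry, with `now` taken from the pipeline's clock and the metadata fetched from the registry's package endpoint.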

Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.