
CISA links GitHub repo exfiltration to malicious Nx Console 18.95.0

CISA's May 28 alert ties the 3,800-repo GitHub breach to a poisoned Nx Console VS Code extension. CVE-2026-48027 is in KEV. Federal deadline June 10.


CISA published an alert on May 28, 2026 tying the exfiltration of roughly 3,800 internal GitHub repositories to a malicious build of the Nx Console VS Code extension that shipped briefly through the official marketplaces. The alert — Supply Chain Compromises Impact Nx Console and GitHub Repositories — references CVE-2026-48027, added to the Known Exploited Vulnerabilities catalog on May 27, 2026 with a federal remediation deadline of June 10, 2026.

The Nrwl maintainers' advisory GHSA-c9j4-9m59-847w and their Nx Console v18.95.0 postmortem describe the chain end-to-end. None of the parties have attributed the operation to a state actor; vendor reporting tags the activity as TeamPCP's "Mini Shai-Hulud" worm.

What happened

A malicious build of Nx Console version 18.95.0 was published on May 18, 2026 to both the Visual Studio Marketplace and Open VSX after attackers used a contributor's GitHub CLI OAuth token harvested seven days earlier through the TanStack npm compromise. According to the Nrwl postmortem, the poisoned version was available on the VS Code Marketplace from 12:30 UTC to 12:48 UTC (18 minutes) and on Open VSX from 12:33 UTC to 13:09 UTC (36 minutes).

The extension behaved like a normal install. On startup it ran a single shell command that pulled an obfuscated payload planted as a commit on the official nrwl/nx repository, disguised as a routine MCP setup task.

What it stole

The payload harvested any developer credential it could reach on disk or in memory:

  • GitHub tokens
  • npm auth tokens
  • AWS credentials and IAM session data
  • HashiCorp Vault tokens
  • Kubernetes credentials
  • 1Password CLI session data
  • SSH private keys
  • Google Cloud and Docker credentials

Credentials harvested from one GitHub employee's compromised workstation gave the attackers access used to clone approximately 3,800 of GitHub's internal repositories, according to the CISA alert. Help Net Security and The Hacker News separately confirm impact at OpenAI, Grafana Labs, and Mistral AI.

Scope

Marketplace download counters undercount the blast radius. Visual Studio Marketplace logged 28 installs of v18.95.0, and Open VSX logged 41 downloads from 21 unique IPs. Nrwl's own analytics, cited in the postmortem, recorded around 6,000 extension activations in the two days after publication: VS Code's auto-update mechanism pushed the malicious build to systems that already had Nx Console installed, with no user action required.

The clean release is Nx Console 18.100.0 or later.

Action checklist

  1. Update Nx Console to 18.100.0 or higher across every developer workstation, CI image, and devcontainer that ships VS Code. The auto-update path is what made this attack so wide; do not rely on it to clean up.
  2. Hunt for activations of 18.95.0: check ~/.vscode/extensions/ (or the OSS equivalent) for nrwl.angular-console-18.95.0 or nrwl.nx-console-18.95.0. The Nrwl advisory ships the verbatim path list.
  3. Rotate every credential reachable from any developer machine that had Nx Console installed between May 18 and May 22. That means GitHub PATs, npm tokens, cloud-provider keys, SSH keys, 1Password session, Vault, k8s — the full list above. Assume compromise; rotate, don't audit.
  4. Audit GitHub workflow files and contributor activity for unauthorized changes after May 18, 2026. CISA's alert flags automated-account names — build-bot, auto-ci, ci-bot, pipeline-bot — as worth focused review. Revert anything that's not yours.
  5. Pin VS Code extensions by hash going forward where your endpoint management supports it, and disable auto-update for marketplace extensions on shared build images. The next extension worm will use the same delivery channel.
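
Step 2 of the checklist as a shell sketch, added here as an example and not taken from the Nrwl advisory or the CISA alert. It relies only on the directory names and versions given in this article; the default root is ~/.vscode/extensions, any other extension roots (such as those in the advisory's path list) are passed as arguments, and the status labels are this example's own.

```shell
#!/bin/sh
# Added example: classify installed Nx Console builds by directory name.
BAD_VERSION="18.95.0"     # malicious build named in the article
CLEAN_VERSION="18.100.0"  # first clean release named in the article

# ver_lt A B: succeed when dotted version A is lower than B.
# Fields are compared as numbers; as plain strings "18.100.0" sorts
# before "18.95.0" and the clean release would look older than the bad one.
ver_lt() (
  IFS=.
  set -- $1 $2   # $1-$3 are the fields of A, $4-$6 the fields of B
  if [ "$1" -ne "$4" ]; then [ "$1" -lt "$4" ]
  elif [ "$2" -ne "$5" ]; then [ "$2" -lt "$5" ]
  else [ "$3" -lt "$6" ]; fi
)

# scan_nx_console [ROOT...]: print "STATUS VERSION PATH" for each Nx Console
# directory under the given extension roots; return 1 if 18.95.0 is present.
# STATUS labels (COMPROMISED/UPDATE/OK) are this example's own convention.
scan_nx_console() {
  [ "$#" -gt 0 ] || set -- "$HOME/.vscode/extensions"
  found_bad=0
  for root in "$@"; do
    for dir in "$root"/nrwl.angular-console-* "$root"/nrwl.nx-console-*; do
      [ -d "$dir" ] || continue   # also skips an unmatched glob pattern
      ver=$(basename "$dir" | sed -n \
        's/^nrwl\.[a-z-]*-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p')
      [ -n "$ver" ] || continue
      if [ "$ver" = "$BAD_VERSION" ]; then
        echo "COMPROMISED $ver $dir"; found_bad=1
      elif ver_lt "$ver" "$CLEAN_VERSION"; then
        echo "UPDATE $ver $dir"
      else
        echo "OK $ver $dir"
      fi
    done
  done
  [ "$found_bad" -eq 0 ]
}

scan_nx_console "$@" ||
  echo "18.95.0 found: rotate every credential reachable from this host" >&2
```

A clean result does not clear a host: an extension that has since updated may no longer leave an 18.95.0 directory behind, so step 3 still applies to any machine that had Nx Console installed in the window.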

Detection

For verbatim IOCs and Windows artifacts, follow the references in GHSA-c9j4-9m59-847w: the Nrwl advisory links the StepSecurity analysis and shipped a Windows IOC supplement on May 22, 2026. Do not paraphrase those indicators — pull the hashes and paths from the upstream sources before writing detection rules.

Context

This is the second time in eight days that we've covered a supply-chain compromise that uses an autoload-style execution sink to ride a trusted distribution channel. The Laravel-Lang Composer hijack on May 22-23 abused autoload.files; this one abuses VS Code's automatic extension updates. The pattern across both: legitimate distribution, valid signatures or attestations, a window of minutes to hours, and a credential harvest payload that turns one developer's machine into pivot access for an entire organisation.

CISA's choice to publish a standalone alert — separate from the KEV addition the day before — signals that federal incident response now treats poisoned IDE extensions as a first-class supply-chain vector. Treat your VS Code marketplace footprint the same way you treat your npm or PyPI footprint: inventory it, pin it, and rotate after every incident in your supply chain, not just yours.
