TechRadar
Sead Fadilpašić

CISA warns that Nx Console and GitHub repositories abused in multiple supply chain compromises – tools across enterprise, cloud, and DevOps environments exploited

  • CISA issued an alert on ongoing supply chain attacks abusing GitHub repos via a malicious Nx Console VSCode extension and the Megalodon campaign
  • Threat actors stole CI/CD secrets, cloud credentials, and tokens by poisoning workflows, prompting CISA to urge audits of contributor activity and workflow files
  • Recommended mitigations include forensic reviews, rotating/revoking all pipeline secrets, pinning trusted package versions, and delaying pulls to allow community detection

The US Cybersecurity and Infrastructure Security Agency (CISA) is warning about multiple ongoing supply chain attacks and is urging developers and open-source platform users to apply mitigations and secure their environments.

In a news alert published earlier this week, the agency warned about attacks on GitHub repos via a malicious Nx Console Visual Studio Code (VSCode) extension, as well as the Megalodon supply chain campaign. It said these attacks show “how cyber threat actors are abusing tools and processes that support enterprise, cloud, and DevOps environments - specifically CI/CD pipelines, code extensions, and workflows.”

By abusing an earlier compromise of Nx developer systems, threat actors were able to compromise a GitHub employee’s device through a poisoned third-party VSCode extension, accessing their repositories and stealing sensitive information found within.

CISA's advice

In Megalodon, hackers injected malicious GitHub Action workflows to steal CI/CD secrets, cloud credentials, and tokens, CISA said.

With that in mind, it urged organizations to monitor and audit workflow files and contributor activity and revert any unauthorized changes.

Organizations that discover a breach stemming from previously compromised GitHub or Nx Console software should conduct a forensic review of CI/CD logs, cloud audit trails, and affected developer machines, and rotate or revoke all secrets. That covers every credential, token, and secret accessible to CI/CD pipelines, including API keys, cloud provider credentials (Amazon Web Services, Google Cloud Platform, Microsoft Azure), SSH keys, Docker/npm/PyPI/Vault/Terraform/Kubernetes tokens, GitHub/GitLab/Bitbucket tokens, and developer or pipeline secrets.

When using package repositories, CISA recommends waiting at least three hours before pulling a new package, to give the community enough time to spot any suspicious or malicious commits. It also recommends pinning software to specific trusted versions and only pulling packages from known and trusted sources.
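A pre-install check of the kind this advice implies, written here as an added example (not code from CISA, TechRadar, or any package manager): it flags manifest dependencies that are not pinned to an exact version and releases published less than three hours before the install. The package names and registry timestamps are constructed, and range resolution is simplified to "newest version in the registry".

```python
from datetime import datetime, timedelta
import re

COOLDOWN = timedelta(hours=3)  # CISA's suggested wait before pulling a new package
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")

# Constructed registry metadata (hypothetical packages, made-up timestamps):
# package name -> version -> publish time, UTC ISO 8601.
REGISTRY = {
    "example-logger": {
        "2.4.0": "2024-03-01T09:00:00Z",
        "2.4.1": "2024-03-10T11:30:00Z",
    },
    "example-cli-utils": {
        "1.0.0": "2023-11-20T08:00:00Z",
    },
}

def parse_time(value):
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def newest_version(versions):
    """Highest semver-style version (simplified: no pre-release handling)."""
    return max(versions, key=lambda v: tuple(int(p) for p in v.split(".")))

def audit_dependency(name, spec, registry, now):
    """Findings for one dependency: unpinned spec and/or a too-fresh release."""
    findings = []
    if EXACT_VERSION.match(spec):
        version = spec
    else:
        findings.append(f"{name}: spec '{spec}' is not pinned to an exact version")
        # A range install resolves to the newest matching release; simplified here
        version = newest_version(registry[name])
    age = now - parse_time(registry[name][version])
    if age < COOLDOWN:
        findings.append(f"{name}@{version}: published {age} ago, inside the {COOLDOWN} cool-down")
    return findings

def audit_manifest(dependencies, registry, now):
    """Audit a manifest's dependency map; unknown packages are flagged, never installed."""
    findings = []
    for name, spec in dependencies.items():
        if name not in registry:
            findings.append(f"{name}: not present in the trusted registry")
            continue
        findings.extend(audit_dependency(name, spec, registry, now))
    return findings
```

Run `audit_manifest` against the dependency map of a manifest before the install step in a pipeline and fail the job on any finding.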
