Nx Console supply-chain compromise highlights GitHub and CI/CD exposure
CISA, GitHub, and Nx describe a May 2026 supply-chain compromise that reached developer tooling, repository access, and secret rotation.
Published
Jun 27, 2026Duration
5 min readRisk Level
High SeverityIntel Tags
Why it matters
This incident shows how a compromised developer extension and related repository exposure can create enterprise-wide risk. A single trusted tool in the build or editor path can become a route to secret theft, repository tampering, and broader CI/CD trust erosion. Defenders should treat developer tooling as part of the attack surface, not just the endpoint.
What happened
CISA said the Nx Console supply-chain compromise impacted GitHub repositories and merited public alerting. GitHub said it detected unauthorized access tied to a compromised employee device and responded by rotating critical secrets. Nx said malicious Nx Console v18.95.0 was the exposed version and that anyone who installed it during the window should assume compromise and rotate credentials.
Technical details
The compromise centered on malicious Nx Console v18.95.0, which CISA linked to CVE-2026-48027. Reporting from GitHub and Nx describes a chain involving a compromised developer device, poisoned extension distribution, and access to internal repositories. The key technical lesson is that software delivery and developer productivity tools can become high-value entry points when they sit near credentials, tokens, or repository trust boundaries.
Defender actions
Audit developer extension inventory, rotate exposed credentials, and review GitHub and CI/CD activity for suspicious workflow changes, token use, or repository access. For GitHub Enterprise Server customers, follow GitHub’s key-rotation guidance immediately. Longer term, pin trusted versions, require approval gates for release workflows, and monitor audit logs for suspicious automation or unexpected repository changes.