CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 29, 2026

Attackers Abuse Trusted Developer Tooling to Exfiltrate Source Code and Secrets

Cybersecurity News Archived May 29, 2026 ✓ Full text saved

A wave of sophisticated supply chain attacks has put millions of software developers on high alert, with threat actors turning everyday developer tools into weapons for stealing credentials, cloud tokens, and source code. What makes these campaigns especially alarming is how they exploit the very systems developers trust most: their editors, automated pipelines, and version […] The post Attackers Abuse Trusted Developer Tooling to Exfiltrate Source Code and Secrets appeared first on Cyber Securi

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Attackers Abuse Trusted Developer Tooling to Exfiltrate Source Code and Secrets By Tushar Subhra Dutta May 29, 2026 A wave of sophisticated supply chain attacks has put millions of software developers on high alert, with threat actors turning everyday developer tools into weapons for stealing credentials, cloud tokens, and source code. What makes these campaigns especially alarming is how they exploit the very systems developers trust most: their editors, automated pipelines, and version control workflows. In some cases, the malware reached developer machines without any action on their part at all. The attack unfolded across two interconnected campaigns. In the first, a poisoned version of the widely used Nx Console VS Code extension, version 18.95.0, was pushed to the Visual Studio Code Marketplace on May 18, 2026. The extension had over 2.2 million installations, meaning the blast radius was immediately enormous. A GitHub employee’s device was among those compromised, which led to the unauthorized access and exfiltration of roughly 3,800 internal GitHub source code repositories. Analysts at CISA identified the full scope of the threat and published an urgent alert on May 28, 2026, noting that threat actors were targeting CI/CD pipelines, code extensions, and cloud environments in coordinated fashion. CVE-2026-48027 was assigned to the malicious extension and added to CISA’s Known Exploited Vulnerabilities catalog. CISA said in a report shared with Cyber Security News (CSN). that organizations should treat any machine that ran the compromised extension as fully compromised. The second campaign, known as “Megalodon,” ran in parallel. On May 18, an automated attacker pushed 5,718 malicious commits to 5,561 public GitHub repositories within a six-hour window. The injected GitHub Actions workflows harvested CI/CD secrets, cloud credentials, SSH keys, and OIDC tokens, sending everything to a command-and-control server. Both campaigns show how modern software delivery pipelines have become high-value targets for credential-hungry threat actors. Attackers Abuse Trusted Developer Tooling The attacker first stole a contributor’s GitHub personal access token through a prior supply chain incident. Using that token, they planted a hidden orphan commit inside the official nrwl/nx GitHub repository, containing a 498 KB obfuscated JavaScript payload. They then published the malicious extension to the VS Code Marketplace using stolen publishing credentials, embedding 2,777 bytes of injected code into the extension’s main file. When any developer opened a workspace with the compromised extension installed, it silently fetched and executed the hidden payload in the background. The payload ran six credential harvesting modules targeting GitHub tokens, AWS credentials, HashiCorp Vault secrets, Kubernetes configs, npm tokens, and 1Password vaults. It also installed a Python backdoor on macOS that used the GitHub Search API as a dead-drop to receive signed remote commands, making it difficult to detect with standard firewall monitoring. Megalodon’s Mass Repository Backdooring The Megalodon campaign took a different but equally damaging approach. Using throwaway GitHub accounts with forged author identities like build-bot and auto-ci, the attacker pushed malicious workflow files disguised as routine CI maintenance commits. The workflow names SysDiag and Optimize-Build were designed to look like standard automation tasks, tricking developers who casually reviewed their repository history. The campaign deployed two payload variants. The mass variant added a new workflow triggered on every push and pull request, while the targeted variant replaced existing workflows with backdoors the attacker could fire on demand via the GitHub API. One npm package, @tiledesk/tiledesk-server versions 2.18.6 through 2.18.12, carried the targeted variant and was published by the legitimate maintainer from the already-compromised repository without their knowledge. CISA urges all affected organizations to audit workflow files for suspicious commits made after May 18, 2026, focusing on changes authored by automated accounts. Any organization that ran the compromised Nx Console extension or found unauthorized workflow changes should conduct a full forensics review of CI/CD logs and cloud audit trails. All credentials accessible to pipelines must be rotated, including API keys, cloud provider tokens for AWS, GCP, and Azure, SSH keys, Docker and Kubernetes tokens, and developer secrets. CISA also recommends waiting at least three hours before pulling new packages, pinning dependencies to trusted versions, and only sourcing packages from verified repositories. Indicators of Compromise (IoCs):- Type Indicator Description CVE CVE-2026-48027 Assigned to malicious Nx Console v18.95.0  Extension Version nrwl.angular-console v18.95.0 Compromised VS Code extension version  File Hash (SHA-256) 1a4afce34918bdc74ae3f31edaffffaa0ee074d83618f53edfd88137927340b8 Malicious VSIX package (v18.95.0)  File Hash (SHA-256) b0cefb66b953e5184b6adb3035e9e267335ac5eabfe1848e07834777b9397b74 Malicious main.js inside VSIX  File Hash (SHA-256) e7347d90653efc565f03733a95e9209d78f9cfa81e31ff2b2dd9d48d75a4b8b1 Obfuscated payload (index.js from orphan commit)  File Hash (SHA-256) 43f2b001846c4966073ebffa5be8f15e491a1e7d32bbd805d57406ff540e0dd9 Dropper package.json  File Hash (SHA-256) 228a2cf081d4cbea9b91cde14a8f9c4a4d003e7f32431496953fd6bac266f5a3 Clean VSIX v18.94.0 (reference)  File Hash (SHA-256) cb86f4f223daa54467c7782a0d8607e9c84e2bb633e6f0e51d9a19579e200990 Remediated VSIX v18.100.0  Git SHA 558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2 Malicious orphan commit in nrwl/nx repo  Git SHA ba642fe2c7c65e42dd7f6444b83023dc6827e08c Orphan commit tree object  Git SHA acfc3f957a63b4cde93ff645f2b6bf26a8ed1bbf index.js blob in orphan commit  Git SHA 9d88f040c44b5f4d5f9db15ff89310776c168e99 package.json blob in orphan commit  Git Commit acac5a9 Megalodon malicious commit in tiledesk-server repo  C2 IP 216[.]126[.]225[.]129:8443 Megalodon C2 server for credential exfiltration  Author Email [email protected] Forged author identity used in Megalodon commits  Author Email [email protected] Forged author identity used in Megalodon commits  Author Names build-bot, auto-ci, ci-bot, pipeline-bot Fake automated author names used in malicious commits  npm Package @tiledesk/tiledesk-server v2.18.6 to v2.18.12 Compromised npm package containing Megalodon targeted variant  Workflow Name SysDiag Malicious GitHub Actions workflow (mass variant)  Workflow Name Optimize-Build Malicious GitHub Actions workflow (targeted/backdoor variant)  Network api.github.com/search/commits?q=firedalazer Python C2 dead-drop polling endpoint  Network 169.254.169.254 AWS IMDS credential theft endpoint  Network 169.254.170.2 ECS container credential endpoint  Network 127.0.0.1:8200 HashiCorp Vault local endpoint targeted  Network fulcio.sigstore.dev / rekor.sigstore.dev Targeted for Sigstore attestation forgery  File Path (macOS/Linux) ~/.local/share/kitty/cat.py Python C2 backdoor file  File Path (macOS) ~/Library/LaunchAgents/com.user.kitty-monitor.plist macOS LaunchAgent for persistence  File Path /tmp/kitty-* Temporary persistence staging directory  File Path /var/tmp/.gh_update_state C2 anti-replay state file  File Path (Windows) %USERPROFILE%\.local\share\kitty\cat.py Python C2 backdoor (Windows path)  File Path (Windows) %USERPROFILE%\.bun\bin\bun.exe Bun runtime installed for persistence  VS Code globalState Key nxConsole.mcpExtensionInstalledSha set to 558b09d7... Indicator of payload execution  Environment Variable __DAEMONIZED=1 Set on running daemon processes post-compromise  Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Critical OpenVPN Connect for macOS Vulnerability Let Attackers Execute Arbitrary Commands Hackers Use Six-Layer Persistence to Maintain Access on Compromised FreePBX Systems New ChatGPT Vulnerability Lets Attackers Turn Web Pages Into Phishing Payloads BIND 9 Software Vulnerabilities Exposes Resolvers and Authoritative Servers to Remote Exploits Hackers Abuse Shared CDN Infrastructure to Bypass Domain Reputation Security Controls Latest News Cyber Attack News Malicious NuGet Package as Sicoob SDK Exfiltrates Banking Passwords Cyber Security News Typosquatted npm Packages Steal Cloud and CI/CD Secrets From Developer Systems Cyber Security New ChatGPT Vulnerability Lets Attackers Turn Web Pages Into Phishing Payloads Cyber Security News Hackers Use Fake Video Player Updates to Deploy Miner and RAT Malware Cyber Security News Hackers Use Fake Adobe Document Cloud Pages to Deliver ScreenConnect Malware
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 29, 2026
    Archived
    May 29, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗