Closed · Medium impact · AI Generated

CISA Advisory: Nx Console & GitHub Supply Chain Compromises

Occurred 18 May 2026 · Detected 28 May 2026 · Ended 29 May 2026
🇺🇸 Global software supply chain incident; primary known victim (GitHub) headquartered in San Francisco, CA, USA; broad global enterprise exposure
1 report
Cyber · Casualty & Liability

CISA has issued an advisory on two active software supply chain intrusion campaigns: a compromise of GitHub via a malicious Nx Console VS Code extension (CVE-2026-48027), and the 'Megalodon' campaign injecting malicious GitHub Action workflows to harvest CI/CD secrets and cloud credentials. The incidents affect enterprise, cloud, and DevOps environments globally, with potential for broad credential theft across AWS, GCP, Azure, and other platforms. While technically significant, no named insured entities, quantified losses, or confirmed claims have been identified, limiting immediate London Market materiality.

AI-generated from linked source reports. See our correction policy.

Impact verdict

Medium impact. Loss pathway: Widespread credential harvesting across enterprise CI/CD pipelines creates a plausible downstream cyber insurance loss pathway via ransomware deployment, data exfiltration, or business interruption using harvested cloud credentials. Evidence: CISA KEV listing, confirmed exfiltration of GitHub internal repositories, and the broad range of affected credential types (AWS, GCP, Azure, SSH, Docker tokens) indicate material exposure across cyber insurance books. Limit: No named insured commercial entities have been confirmed as victims, no quantified loss estimates exist, and no confirmed downstream attacks have been reported; the impact remains potential rather than realized, warranting monitoring rather than immediate claims action.

How we grade what we know: Known · Reported · Uncertain.

Intelligence ledger


Known (6 lines)

  • CISA has issued an official advisory on multiple supply chain intrusion campaigns
  • Nx Console VS Code extension version 18.95.0 was compromised and distributed via automatic update
  • CVE-2026-48027 assigned and added to CISA's Known Exploited Vulnerabilities (KEV) Catalog
  • A GitHub employee's device was compromised, resulting in unauthorized access and exfiltration of internal GitHub repositories
  • 'Megalodon' campaign injected malicious GitHub Action workflows to harvest CI/CD secrets and cloud credentials
  • Affected credentials include AWS, GCP, Azure API keys, SSH keys, Docker/npm/PyPI tokens, and GitHub/GitLab/Bitbucket tokens

Reported (3 lines)

  • Systems with Nx Console previously installed may have received the malicious build without manual action
  • Both development and deployment pipelines in public GitHub repositories were impacted by Megalodon
  • Suspicious automated accounts (e.g., build-bot, auto-ci) used as vectors after May 18, 2026

Uncertain (5 lines)

  • Total number of affected organizations is unknown
  • No named commercial or insured entities confirmed as victims
  • Extent of data exfiltration from GitHub internal repositories is unclear
  • Whether any downstream attacks or financial losses have resulted from harvested credentials is unknown
  • Attribution of threat actors not specified in advisory

Geographic Zone Matches

3 active matches

  • TRIA Certified Areas (Rule-based · Confidence 100%)
  • Caribbean Hurricane Zone (Rule-based · Confidence 100%)
  • Pacific Ring of Fire (Rule-based · Confidence 100%)

Geographic zone matches are RiskEvents spatial/analytical indicators, not coverage determinations or Lloyd's official classifications.

Affected countries

🇬🇧 United Kingdom · 🇺🇸 United States

Timeline

Status Change · 2 Jun 2026, 13:05
Lifecycle changed: monitoring → closed

Closure · 2 Jun 2026, 13:05
Event Closed (auto_closed_monitoring_timeout)

Status Change · 29 May 2026, 05:30
Status changed to monitoring (auto-transitioned: no updates for 6 hours): active → monitoring

Status Change · 28 May 2026, 22:36
Status changed to active (remediation: existing authoritative signal): signal → active

Initial Detection · 28 May 2026, 20:54


Threat actors leveraged a prior compromise of Nx developer systems to gain access to a GitHub employee's device through a poisoned third-party VS Code extension, resulting in unauthorized access to and exfiltration of internal GitHub repositories. The malicious extension version (18.95.0) was distributed through VS Code's automatic update mechanism, so systems with Nx Console already installed may have received the malicious build without the developer taking any manual installation action.

Source: CISA Advisories (Official Advisory)
