GitHub security
5 posts
Article
Your GitHub commits were never trustworthy
Megalodon compromised 55,000 GitHub repositories. A technical breakdown of the trust boundary that failed and what repository owners must now verify.
Article
Megalodon hijacked 55,000 GitHub repos via token replay
Megalodon compromised 55,000+ GitHub repositories through PAT harvesting, pull_request_target abuse, and OAuth scope inheritance. Technical breakdown.
Article
Malicious commits breached 5,561 repositories
5,561 GitHub repos received malicious CI/CD commits disguised as bot maintenance. The failure was identity enforcement, not exploit complexity.
Article
CISA pushed passwords to a public repo
A top cyberdefense agency published credentials in a public GitHub repository. A control analysis of what failed and what must now be true.
Article
The agency was the breach.
A US cybersecurity agency published digital keys to a public GitHub repository. The exposure defines the failure class. Recovery requires rotation.