Security News

Cybersecurity news aggregator

HIGH Attacks Hak5

The GitHub Leak Situation Just Got Worse | Threat Wire

The article details multiple supply chain attacks targeting GitHub's ecosystem, including the "Megalodon" campaign that backdoored CI/CD workflows via malicious pull requests and a separate breach of 3,800 repositories via a malicious VSCode extension. Specific CVSS scores, affected version ranges, fixed versions, and workarounds for these incidents are not provided in the source material. IT professionals should audit their GitHub Actions workflows, scrutinize third-party extensions, and enforce strict access controls on repositories and CI/CD pipelines.

⬇️ OPEN FOR LINKS TO ARTICLES TO LEARN MORE ⬇️

@endingwithali →
Twitch: https://twitch.tv/endingwithali
Twitter: https://twitter.com/endingwithali
YouTube: https://youtube.com/@endingwithali
Everywhere else: https://links.ali.dev
Want to work with Ali? hak5@endingwithali.com

[❗] Join the Patreon → https://patreon.com/threatwire

00:00 0 - Intro
00:00 1 - Can We Trust Github Automation?
03:48 2 - When Your AI Tools Turn Against You
06:20 3 - BSides
7:320 4 - Outro

LINKS

🔗 Story 1: Megalodon
https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/
https://www.ox.security/blog/megalodon-cicd-malware-github/
https://www.hudsonrock.com/blog/infostealers-just-spawned-a-5000-repo-github-supply-chain-attack

🔗 Story 2: VSCode Extension Attack
https://www.bleepingcomputer.com/news/security/github-confirms-breach-of-3-800-repos-via-malicious-vscode-extension/
https://github.blog/security/investigating-unauthorized-access-to-githubs-internal-repositories/
https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w

🔗 Story 3: BSides
https://lachlan.nz/blog/the-react2shell-story/
https://www.helpnetsecurity.com/2026/05/19/discord-voice-and-video-call-encryption/
https://discord.com/blog/every-voice-and-video-call-on-discord-is-now-end-to-end-encrypted
https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github
https://www.securityweek.com/1password-teams-with-openai-to-stop-ai-coding-agents-from-leaking-credentials/
https://1password.com/blog/1password-trusted-access-layer-for-openai-codex

Our Site → https://www.hak5.org
Shop → http://hakshop.myshopify.com/
Community → https://www.hak5.org/community
Subscribe → https://www.youtube.com/user/Hak5Darren?sub_confirmation=1
Support → https://www.patreon.com/threatwire
Contact Us → http://www.twitter.com/hak5

Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award-winning educational podcasts, leading pentest gear, and inclusive community – where all hackers belong.
