github security
7 posts
GitHub's scanners cleared 10,000 trojan repos
10,000 GitHub repositories distributed trojan malware because platform presence was treated as validation. The control was assumed, not enforced.
Contractor PAT leaked 270GB of Times source
The 2024 NYT source code leak was not a credential breach. It was a credential sprawl chain. The mechanism, telemetry gaps, and what still applies.
Your GitHub commits were never trustworthy
Megalodon compromised 55,000 GitHub repositories. A technical breakdown of the trust boundary that failed and what repository owners must now verify.
Megalodon hijacked 55,000 GitHub repos via token replay
Megalodon compromised 55,000+ GitHub repositories through PAT harvesting, pull_request_target abuse, and OAuth scope inheritance. Technical breakdown.
Malicious commits breached 5,561 repositories
5,561 GitHub repos received malicious CI/CD commits disguised as bot maintenance. The failure was identity enforcement, not exploit complexity.
CISA pushed passwords to a public repo
A top cyberdefense agency published credentials in a public GitHub repository. A control analysis of what failed and what must now be true.
The agency was the breach.
A US cybersecurity agency published digital keys to a public GitHub repository. The exposure defines the failure class. Recovery requires rotation.