this post was submitted on 23 May 2026
9 points (90.9% liked)

Security

6961 readers
1 users here now

Confidentiality Integrity Availability

founded 6 years ago
MODERATORS
gary_host_laptop@lemmy.ml
9
Megalodon chums the waters in 5.5K+ GitHub repo poisonings (www.theregister.com)
submitted 1 month ago by yogthos@lemmy.ml to c/security@lemmy.ml
2 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] yogthos@lemmy.ml 5 points 1 month ago

The exploit affects repository owners if they merge the malicious commit, their CI/CD pipeline gets infected, and their cloud credentials, SSH keys,GitHub tokens, and etc., are stolen. Anyone working on compromised repositories or using CI/CD variables could have their credentials exfiltrated. If you are not a repository owner or contributor to affected repos then your direct risk is likely low. The article lists 5,561 infected repositories, so if you don't contribute to or use any of those repos (the full list was published by SafeDep), you're fine.