// Alert

GitHub threat report

CISA warned of two recent supply-chain compromises targeting GitHub. The Megalodon attack on May 18 involved malicious GitHub Action workflows injected into over 5,500 open-source repositories with weak branch protection, stealing cloud credentials, API tokens, SSH keys, and other secrets. A second attack involved compromise of a GitHub employee's device through a poisoned Nx Console Visual Studio Code extension (CVE-2026-48027) published May 19.

// Get alerts for GitHub