Lead Story | Critical — Active Exploitation | Dev · Cloud+DevOps · Enterprise
Megalodon Poisoned 5,561 GitHub Repositories in Six Hours — Forged CI/CD Workflows Exfiltrated Cloud Credentials, SSH Keys, and OIDC Tokens From Developer Pipelines
An automated campaign pushed backdoored GitHub Actions workflows to 5,561 unprotected repositories on May 18, 2026, harvesting AWS credentials, SSH keys, and OIDC tokens from every CI run — any team that ran a pipeline from an affected repository should treat all CI-scoped credentials as compromised.
The attack required no software vulnerability. Attackers holding stolen GitHub credentials wrote new workflow files directly onto repository default branches that lacked mandatory review gates, bypassing any code inspection. When the next CI pipeline ran, those workflows executed inside the trusted runner, quietly harvesting AWS and GCP credentials, SSH keys, Kubernetes configs, OIDC tokens, and npm secrets before sending them to a C2 server. StepSecurity → The Register →
StepSecurity disclosed 5,561 repositories compromised in a six-hour window on May 18, 2026; the campaign remains unattributed, with researchers finding no evidence linking Megalodon to any known threat actor. Any team with affected repositories should treat all CI-scoped credentials as compromised and rotate immediately. GitHub Actions is standard CI infrastructure across Canadian fintech, government contractors, and SaaS providers; a stolen OIDC token or AWS key from a CI run grants production cloud access without any direct server compromise. The Hacker News →
→ Key Takeaway: Megalodon poisoned 5,561 GitHub repositories with forged CI/CD workflow files in six hours — no CVE, no vendor patch, just weak or absent branch protection. Any organisation using GitHub Actions should treat this as an immediate audit event: if a repository ran a pipeline after May 18, 2026 without mandatory PR review, its CI-scoped credentials should be considered compromised. Action: Search all repositories for SysDiag.yml and Optimize-Build.yml workflow files; audit commits from [email protected] or [email protected]; enforce branch protection with mandatory pull request review on all pipeline-triggering branches; and rotate AWS, GCP, Azure, SSH, OIDC, and npm credentials from any affected CI run. HARDENED does not endorse or recommend specific vendors. Tools are listed for awareness only.
Quick Hits
01
700+ Sites Compromised via CVE-2026-26980 — Ghost CMS SQL Injection Is Delivering ClickFix Malware to Visitors Across Universities, Media, and Government Publishing Platforms
A SQL injection flaw in Ghost CMS (CVE-2026-26980, CVSS 7.5 NVD / 9.4 CNA) has been exploited since May 7, 2026, compromising over 700 domains — including Harvard University, Oxford University, and DuckDuckGo — by extracting the Admin API key without authentication, then using it to inject ClickFix malware payloads into every published article, turning any compromised site into a malware delivery platform for its own readership. Ghost 6.19.1 (released February 2026) patches the vulnerability; organizations running self-hosted Ghost should update immediately and audit published article content for injected script tags. Canadian universities, government communication platforms, and media organizations running self-hosted Ghost deployments should treat this as immediate. The Hacker News → NIST NVD →
High — Content Injection · Mass Exploitation | Dev · Enterprise · IT Ops

02
Laravel-Lang PHP Packages Backdoored for 15 Hours — Any Composer Update Between May 22–23 Should Be Treated as a Credential Compromise
Attackers compromised the laravel-lang GitHub organization on May 22, 2026, rewrote hundreds of historical Composer package tags across four packages, and injected a credential-stealing payload that exfiltrated AWS keys, GitHub tokens, Kubernetes secrets, SSH keys, Stripe tokens, and Vault credentials from any PHP project that ran composer install or composer update during the attack window. Packagist delisted the malicious versions by May 23, but any environment that executed a Composer update between 22:32 UTC May 22 and removal should be treated as having credentials exposed and require immediate rotation. Laravel is widely used across Canadian fintech, healthcare portals, SaaS platforms, and government contractor back-end applications. StepSecurity → The Hacker News →
Critical — Developer Supply Chain · Credential Exfiltration | Dev · Cloud+DevOps
CVE Watch
CVE-2026-34908 / 34909 / 34910 (Ubiquiti UniFi OS): Three Unauthenticated Critical Flaws Across 100,000 Internet-Exposed Devices — No Exploitation Confirmed Yet, Patch Now
Ubiquiti patched three Critical-rated vulnerabilities in UniFi OS on May 22, 2026 — all unauthenticated and low-complexity: CVE-2026-34908 (improper access control enabling arbitrary OS-level changes), CVE-2026-34909 (path traversal yielding full account compromise), and CVE-2026-34910 (command injection allowing arbitrary OS command execution); any one of the three gives a network-adjacent or remote attacker full control of the infrastructure device without credentials. Censys tracks approximately 100,000 UniFi OS endpoints directly exposed to the internet. No confirmed in-the-wild exploitation has been disclosed as of May 25, 2026, but three unauthenticated Critical flaws against 100,000 internet-exposed endpoints combine to make exploitation a matter of when, not if — Ubiquiti gear is common in Canadian SMBs, school boards, municipal offices, and retail networks where patching cadence is slower. Patch to UniFi OS firmware 5.1.12 or UniFi OS Server 5.0.8 immediately. BleepingComputer → NIST NVD →
Vendor: Ubiquiti (UniFi OS) · CVEs: CVE-2026-34908, CVE-2026-34909, CVE-2026-34910 · Severity: Critical (Ubiquiti Security Advisory Bulletin 064; NIST enrichment not scheduled) · Affected: UniFi OS <5.1.12; UniFi OS Server <5.0.8 (UDM series, UCG-Industrial, UNVR, UNAS); UniFi Express <4.0.14 (CVE-2026-34909 only) · Fix: UniFi OS 5.1.12 / UniFi OS Server 5.0.8 (May 22, 2026) · Exploitation: No confirmed in-wild exploitation as of May 25, 2026; credible imminent risk: three unauthenticated Critical flaws, ~100K internet-exposed endpoints
Compliance Tip of the Day
NIST CSF 2.0 — PR.AA-03 — Protect: Identity Management & Access Control
Megalodon Shows That CI/CD Service Identity Is a PR.AA-03 Gap, Not Just a Developer Hygiene Problem
NIST CSF 2.0 PR.AA-03 requires that “users, services, and hardware are authenticated” — most organisations apply this at the human login layer while leaving CI/CD service identities ungoverned: the Megalodon attack succeeded because GitHub Actions executed forged workflow files committed directly to unprotected branches, with no requirement that the triggering commit be reviewed by an authenticated person. An unprotected branch on any pipeline-enabled repository is an unauthenticated service entry point reachable with any stolen GitHub credential. Action: Require pull request review approval for all branches that trigger production pipelines, and search repositories for SysDiag.yml or Optimize-Build.yml workflow files added since May 18, 2026. NIST CSF 2.0 reference: csf.tools/pr-aa-03 →
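Added example, not code from the newsletter, StepSecurity, or GitHub: a small Python audit helper implementing the two checks that both the Lead Story's Action line and the Compliance Tip call for. It scans a local checkout for the SysDiag.yml and Optimize-Build.yml workflow names, and it evaluates a parsed GitHub branch-protection API response (GET /repos/{owner}/{repo}/branches/{branch}/protection) for a required pull-request review gate. The sample checkout and protection responses are constructed here; the commit-author check is omitted because the newsletter redacts the addresses.

```python
"""Megalodon audit helpers: suspicious workflow names in a checkout, and
branch protection that lacks a mandatory PR review gate (PR.AA-03)."""
import tempfile
from pathlib import Path

# Workflow file names the newsletter reports for the Megalodon campaign.
MEGALODON_WORKFLOWS = {"sysdiag.yml", "optimize-build.yml"}


def find_suspicious_workflows(repo_root):
    """Return repo-relative paths of Megalodon-named workflow files.
    GitHub Actions only loads workflows from .github/workflows/, so that is
    the only directory to check; names are compared case-insensitively."""
    root = Path(repo_root)
    wf_dir = root / ".github" / "workflows"
    if not wf_dir.is_dir():
        return []
    return sorted(p.relative_to(root).as_posix() for p in wf_dir.iterdir()
                  if p.is_file() and p.name.lower() in MEGALODON_WORKFLOWS)


def review_gate_missing(protection):
    """True when a branch accepts commits that no reviewed PR has gated.
    `protection` is the parsed JSON body of the branch-protection endpoint;
    pass None when that call returned 404, i.e. the branch is unprotected."""
    if protection is None:
        return True
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        return True
    return reviews.get("required_approving_review_count", 0) < 1


def scan_constructed_checkout():
    """Build a constructed sample checkout (one Megalodon-style name beside a
    legitimate workflow) and return what the scanner flags."""
    with tempfile.TemporaryDirectory() as tmp:
        wf = Path(tmp) / ".github" / "workflows"
        wf.mkdir(parents=True)
        (wf / "SysDiag.yml").write_text("name: sysdiag\n")   # constructed
        (wf / "ci.yml").write_text("name: ci\n")             # constructed
        return find_suspicious_workflows(tmp)


if __name__ == "__main__":
    print("flagged workflows:", scan_constructed_checkout())
    # Constructed protection responses: status checks only vs. a review gate.
    weak = {"required_status_checks": {"strict": True, "contexts": []}}
    gated = {"required_pull_request_reviews": {"required_approving_review_count": 1}}
    print("weak branch lacks review gate:", review_gate_missing(weak))
    print("gated branch lacks review gate:", review_gate_missing(gated))
```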
On Our Radar
UEFI Secure Boot KEK certificate expiry — June 24, 2026 (29 days): the Microsoft Corporation KEK CA 2011 expires June 24; the UEFI CA 2011 follows June 27; the Windows Production PCA 2011 expires October 2026. Organizations with dual-boot Linux configurations or air-gapped systems not receiving automatic firmware updates should confirm remediation plans now. Tracking since Issue #039. Microsoft Support →