5.7 thousand commits in 6 hours. GitHub repositories infected in the “megalodon” campaign

Researchers at SafeDep detected an automated campaign, named megalodon, in which more than 5.7 thousand malicious commits were pushed to more than 5.5 thousand repositories on GitHub. The whole thing took ~6 hours. Using throwaway accounts, the attackers injected malicious GitHub Actions workflows containing base64-encoded (bash) payloads that steal CI secrets,...

Sekurak

#Aktualności #Bezpieczeństwo #Github #Kampania #Megalodon

https://sekurak.pl/57-tys-commitow-w-6-godzin-repozytoria-github-zainfekowane-w-kampanii-megalodon/

This is not about the nature of "AI", it is about the corporations who are building it. These corporations are well within the definition of pleonexia: those who take more than their fair share.

They are taking far more than their fair share of money, of the earth's resources, and now they are taking more than their fair share of our data, of the stories of our lives.

They are hooking the mobile phone users into a common nervous system, with them the center.

This development is very obvious to those who have access to the concepts of system network design.

The "loci of agency and intent" model of the central actor in social and political contexts is a mathematical form, and so it is scale invariant. If you find anything like such a locus, feel free to go ahead and give it a name, as its form will be relatively stable over time.

Here such loci live in the waters of the global financial systems, megalodons who swim in the same substance as the minnows.

The minnows never notice. And if they notice the shadow, they have little real concept of what it is thinking.

#ai #fascists #megalodon

🕵🏻‍♂️ [InfoSec MASHUP] 22/2026 - The Patch Is Scaling. So Is the Attack.

#Megalodon backdoored 5,500 #GitHub repositories in six hours. Not six days — six hours. Malicious commits silently replacing CI/CD workflows, hoovering tokens, cloud credentials, SSH keys, and environment variables before most of the affected projects had processed a single alert. The same week, #IBM and #RedHat announced a $5 billion commitment, called Project Lightwell, to securing the open source supply chain, #Anthropic's #Mythos model surfaced 23,000 potential vulnerabilities across 1,000 OSS projects, and Apple open-sourced its quantum-resistant crypto stack with formal verification proofs attached. The industry's response to supply chain risk is finally arriving at a scale that looks serious.

The problem is the math. The response is measured in billions of dollars and multi-year programs. The attack is measured in hours and automated tooling. Megalodon's six-hour window isn't an anomaly — it's a benchmark. Last week it was TeamPCP and the GitHub cascade. The week before, Laravel Lang and malicious postinstall hooks across 700 repos. The investment in defense is real and necessary, but it's being deployed against a threat that doesn't need a budget cycle to iterate. Project Lightwell will fund important work. Megalodon already shipped.

→ Week #22/2026 also covers: #ShinyHunters hit Carnival, Charter, and Mytheresa, the Dutch blocked a U.S. takeover of their national ID infrastructure, and Iran-linked actors are coding backdoors with AI assistance.

Full issue 👉 https://infosec-mashup.santolaria.net/p/infosec-mashup-22-2026-the-patch-is-scaling-so-is-the-attack

If you find it useful, subscribe to get it in your inbox every weekend 📨 #infosecMASHUP #cybersecurity #infosec #threatintel #AI

Plus: ShinyHunters hit Carnival, Charter, and Mytheresa, the Dutch blocked a U.S. takeover of their national ID infrastructure, and Iran-linked actors are coding backdoors with AI assistance

X’s InfoSec Newsletter

Otodus megalodon (Agassiz, 1843)
Provenance: South Carolina, USA
Age: Miocene

no restoration - original

Dimensions: 12.63 mm - 4.97 inch

#megalodon #shark #fossils #fossile #dentedisqualo #fossilesqualo

https://geocollection.net/it/denti-di-squalo/878-otodus-megalodon-agassiz-1843.html

#TeamPCP was yesterday – enter #Megalodon

TeamPCP had contaminated around 3,800 repositories on GitHub. Now Megalodon comes along and poisons 5,561 repos right off the bat (as of 2026-05-22). With that we are witnessing yet another, even larger supply-chain attack than with TeamPCP. Many questions are still open, for example whether there is a connection between TeamPCP and Megalodon (apart from the fact that both are sophisticated supply-chain attacks). Spoiler: Megalodon appears to be standalone and independent of TeamPCP. Why do these attacks affect all of us, when it is only developers' accounts and repos that are being corrupted?

This affects all of us for two reasons:

https://www.pc-fluesterer.info/wordpress/2026/05/29/teampcp-war-gestern-auftritt-megalodon/

#Allgemein #Empfehlung #Hintergrund #Warnung #Website #foss #github #npm

TeamPCP was yesterday – enter Megalodon | pc-flüsterer bremen

RE: https://infosec.exchange/@cyberseckyle/116641588574197964

It should be noted that this "Megalodon" has nothing to do with the #Fediverse API project or the old pink Megalodon Fediverse App.

"On May 18, 2026, an automated campaign codenamed megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories in a six-hour window. Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected GitHub Actions workflows containing base64-encoded bash payloads that exfiltrate CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets to a C2 server at 216.126.225.129:8443." #Mastodon #MastoAdmin #Megalodon #Github
https://www.stepsecurity.io/blog/megalodon-mass-github-actions-secret-exfiltration-across-5-500-public-repositories

Fediverse Project:
https://github.com/h3poteto/megalodon

Old Pink App: https://github.com/sk22/megalodon
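A defender-side check for the traits quoted in the post above, added here as an example and not SafeDep's or StepSecurity's own tooling: it flags workflow run steps that decode base64 straight into a shell, decodes long base64 literals so a reviewer can read what they would run, and matches commit author names against the forged identities named in the quote. The sample workflow and its harmless payload are constructed for the example.

```python
import base64
import re

# Forged commit author identities named in the StepSecurity write-up quoted above.
FORGED_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}

# A run step that decodes base64 and pipes the result straight into a shell.
DECODE_EXEC = re.compile(
    r"base64\s+(?:-d|--decode)\b[^\n|]*\|\s*(?:ba|z|da)?sh\b", re.IGNORECASE)
# Long base64-looking literals are worth decoding so a reviewer can read them.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decode_literals(text):
    """Return the plaintext of every long base64 literal that decodes to UTF-8."""
    decoded = []
    for m in B64_LITERAL.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(0), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not base64 after all, or binary: leave it for manual review
    return decoded

def scan_workflow(text):
    """Return (line_number, reason) findings for one workflow file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if DECODE_EXEC.search(line):
            findings.append((lineno, "decodes base64 and pipes it into a shell"))
    for plain in decode_literals(text):
        findings.append((0, "embedded base64 decodes to: " + plain))
    return findings

def is_forged_author(author):
    """True if a commit author matches one of the throwaway bot identities."""
    return author.strip().lower() in FORGED_AUTHORS

# Constructed sample workflow; the payload is a harmless echo, encoded here so the
# example is self-contained and reproduces no real campaign artefact.
SAMPLE_PAYLOAD = base64.b64encode(b"echo constructed-sample-payload").decode()
SAMPLE_WORKFLOW = f"""name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "{SAMPLE_PAYLOAD}" | base64 -d | bash
"""
```

Calling scan_workflow(SAMPLE_WORKFLOW) yields two findings: line 6 pipes decoded base64 into bash, and the embedded literal decodes to the harmless echo; is_forged_author() is meant for the author field of `git log` output.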

Megalodon poisons 5,500 GitHub repositories
A cybercriminal has pushed malicious commits to more than 5,500 GitHub repositories via an automated campaign named ‘Megalodon’. The attack shows similarities with earlier TeamPCP attacks, but has by now already infected 5,561 projects. Researchers from SafeDep discovered [..]
https://cloudzeeland.nl/megalodon-vergiftigt-5-500-github-repositories/
#Megalodon #GitHub #Cybersecurity #Malware #SupplyChain #CloudSecurity

Megalodon: 5,561 GitHub repositories compromised in six hours with malicious CI/CD workflows

In six hours on May 18, 2026, the automated Megalodon campaign injected 5,718 malicious commits into 5,561 GitHub repositories, exfiltrating cloud credentials, SSH keys and CI/CD secrets to an external C2. The operation, linked to the TeamPCP group, represents one of the fastest software-development supply-chain attacks ever documented and prompted npm to invalidate thousands of access tokens with 2FA bypass.

https://insicurezzadigitale.com/megalodon-5-561-repository-github-compromessi-in-sei-ore-con-workflow-ci-cd-malevoli/