Researchers confirm infostealers as the direct entry point for Megalodon, a supply chain attack that poisoned 5,561 GitHub repositories in six hours. Plus: the Laravel-Lang credential stealer, Packagist's compromised Composer packages, npm's staged publishing rollout, and Microsoft's YellowKey BitLocker bypass mitigation.
Audio is available on Spreaker — see link below.
Five thousand five hundred and sixty-one GitHub repositories were poisoned in a single six-hour window. That's the opening number for what security researchers are calling Megalodon, and it tells you something important about where software supply chain attacks are heading.
Analysis published on May twenty-third looked at the Megalodon-affected GitHub accounts and found that thirty-three percent of them, three hundred and thirty-one out of nine hundred and seventy-eight, directly matched machines known to be compromised by infostealer malware. That's not correlation.
Two days after Megalodon, a separate campaign hit the Laravel-Lang PHP ecosystem. Attackers rewrote git tags across more than seven hundred package versions between May twenty-second and twenty-third, injecting a credential stealer targeting Windows, Linux, and macOS.
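One defensive check that follows from this pattern, as an added example that is not from the episode or from any of the projects named: compare a pinned snapshot of tag-to-commit mappings against what the remote currently serves, and flag any tag that has moved or vanished. The tag names and commit hashes below are constructed samples, and the snapshot format is an assumption.

```python
"""Detect rewritten (force-moved) or deleted git tags by diffing a pinned
snapshot of {tag: commit} against current `git ls-remote --tags` output."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TagDrift:
    tag: str
    pinned: str
    current: Optional[str]  # None when the tag no longer exists on the remote


def parse_ls_remote(output: str) -> Dict[str, str]:
    """Parse `git ls-remote --tags` lines ("<sha>\t<ref>") into {tag: commit}.
    Annotated tags appear twice; the peeled entry (refs/tags/x^{}) carries the
    commit the tag points to, so it overrides the tag-object SHA."""
    tags: Dict[str, str] = {}
    peeled: Dict[str, str] = {}
    for line in output.strip().splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("refs/tags/"):
            continue
        sha, ref = parts
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha
        else:
            tags[name] = sha
    tags.update(peeled)
    return tags


def find_drift(pinned: Dict[str, str], current: Dict[str, str]) -> List[TagDrift]:
    """Return every pinned tag whose commit differs from, or is missing in, the remote."""
    return [TagDrift(tag, sha, current.get(tag))
            for tag, sha in sorted(pinned.items()) if current.get(tag) != sha]


# Constructed sample: what the remote serves now. v15.0.1 is an annotated tag
# whose peeled commit (3333...) no longer matches the pinned commit (9999...).
SAMPLE_LS_REMOTE = """
1111111111111111111111111111111111111111\trefs/tags/v15.0.0
2222222222222222222222222222222222222222\trefs/tags/v15.0.1
3333333333333333333333333333333333333333\trefs/tags/v15.0.1^{}
4444444444444444444444444444444444444444\trefs/tags/v15.1.0
"""

# Constructed snapshot recorded at the last trusted install (assumed format).
PINNED_SNAPSHOT = {
    "v14.9.9": "5555555555555555555555555555555555555555",  # since deleted
    "v15.0.0": "1111111111111111111111111111111111111111",
    "v15.0.1": "9999999999999999999999999999999999999999",  # since moved
    "v15.1.0": "4444444444444444444444444444444444444444",
}

if __name__ == "__main__":
    for d in find_drift(PINNED_SNAPSHOT, parse_ls_remote(SAMPLE_LS_REMOTE)):
        print(f"{d.tag}: pinned {d.pinned[:7]} now {d.current[:7] if d.current else 'MISSING'}")
```

In practice the snapshot would be written at the time a version is first vetted, and a non-empty drift list should block the install until the moved tag is reviewed.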
GitHub's response on May twenty-third was substantive. npm now requires two-factor approval before a package can be published, a staged publishing model that gates releases behind active confirmation. New install flags, allow-file and allow-remote, let teams restrict installs to registry sources only, blocking the kind of external binary fetch the Packagist attack relied on.
Separate from the supply chain wave, Microsoft released a mitigation on May twentieth for CVE-2026-45585, the YellowKey BitLocker bypass. Exploiting the vulnerability requires physical access, a USB port, and WinRE (Windows Recovery Environment), and it bypasses drive encryption without specialized tools.
The thread connecting most of this is the infostealer-to-supply-chain pipeline. Credential theft from developer machines is now a confirmed precondition for attacks operating at the scale of Megalodon.
Chapter summary auto-generated from the verified script. Listen to the full episode for the complete content.