GitHub Supply-Chain Attack Hit 5,500 Repos; Drupal RCE Exploited in Wild
Megalodon campaign stole CI secrets from 5,500+ GitHub repositories via malicious workflows. Drupal CVE-2026-9082 sees active exploitation across thousands of sites.
GitHub Actions Becomes Vector for 5,500-Repository Credential Theft
A supply-chain campaign called Megalodon infected over 5,500 public GitHub repositories by injecting malicious workflows into GitHub Actions pipelines. Attackers used fake automated commits to add CI workflows that exfiltrate credentials, secrets, keys, and tokens from build pipelines. The attack abused GitHub Actions' ability to run code on pull requests and commits, targeting the CI/CD layer rather than developer endpoints.
The attack method was direct: compromised or malicious contributors injected malicious YAML workflow files into repositories. No GitHub platform exploit has been reported. The workflows were designed specifically to steal CI/CD secrets and tokens during build processes, exposing authentication material for downstream systems and cloud infrastructure.
For enterprises using GitHub Actions, this shifts budget priorities immediately. Supply-chain security controls are no longer optional. Organizations should budget for a dedicated supply-chain security layer if they lack one—tools from Socket, Snyk, Cycode, GitGuardian, or ReversingLabs—plus enhanced secrets management through HashiCorp Vault, AWS Secrets Manager, or equivalent. In multi-thousand-developer organizations, combined GitHub Advanced Security and software composition analysis deployments run into low-to-mid six figures annually. The alternative is exposed credentials in production environments.
Vendor evaluation criteria for source control and CI platforms will tighten. RFPs for GitHub versus GitLab versus CircleCI versus Azure DevOps will now require fine-grained workflow permissioning, built-in secret scanning, and anomaly detection on CI logs. Many enterprises will mandate code-owner approval for workflow changes, pushing teams toward GitHub Enterprise tiers that support these policies at scale. Token rotation SLAs and enhanced logging raise operational overhead, likely justifying additional DevSecOps headcount.
DNS Vulnerability Exposes 88 Million Domains to C2 Bypass
A DNS vulnerability dubbed Underminr affects approximately 88 million domains and allows attackers to hide command-and-control traffic behind trusted domains. The flaw enables bypassing DNS filtering by abusing how certain DNS and security products resolve or trust domain infrastructure. This is not a single vendor CVE but a systemic DNS ecosystem issue.
The direct impact falls on secure web gateway and DNS filtering products: Cisco Umbrella, Zscaler Internet Access, Palo Alto Networks DNS Security, Cloudflare Gateway, Akamai Enterprise Threat Protector, Infoblox BloxOne Threat Defense. Vendors with stronger eDNS/TLS inspection, SNI analysis, and behavioral detection plus integrated endpoint and network telemetry are better positioned. DNS-only security vendors face increased scrutiny versus SASE platforms that correlate multiple layers.
Enterprises should treat DNS filtering as one signal among many, not a primary control. This strengthens purchasing arguments for full SSE/SASE suites that bundle secure web gateway, CASB, DLP, ZTNA, and DNS security as components rather than standalone defenses. For DNS security and SWG RFPs, buyers will ask for specific detection approaches for DNS-bypassing C2—TLS fingerprinting, JA3, HTTP/2 behavior analysis, ML-based anomaly detection—and de-prioritize vendors relying primarily on domain reputation or static blocklists.
Budget reallocation is already starting. Enterprises heavily invested in standalone DNS filtering should re-evaluate renewals and shift spend into SASE or XDR platforms. Organizations may maintain DNS tools but freeze expansion, reallocating incremental budget to more comprehensive network detection.
Drupal Critical Vulnerability Sees Exploitation Across Thousands of Sites
Drupal disclosed and patched CVE-2026-9082, a highly critical vulnerability already seeing active exploitation attempts. Security firms report attacks against thousands of websites shortly after disclosure. The flaw allows unauthenticated exploitation leading to information disclosure, privilege escalation, and remote code execution.
Drupal powers hundreds of thousands of sites, many in government, higher education, and enterprise content management environments. Unauthenticated RCE vulnerabilities in widely deployed CMS platforms create immediate risk. Organizations running Drupal must patch immediately or isolate vulnerable instances behind additional access controls.
For enterprise buyers, this reinforces two purchasing considerations. First, web application firewall and runtime application self-protection tools—Cloudflare WAF, Imperva, F5, Signal Sciences—become more valuable when CMS patching lags or is blocked by operational constraints. Second, asset discovery and vulnerability management platforms—Qualys, Rapid7, Tenable—must reliably identify CMS versions across distributed environments. The gap between disclosure and patching remains the primary risk window.
What to Watch
GitHub will face pressure to harden GitHub Actions defaults, particularly around workflow approval requirements and token scoping. Enterprises should audit existing repositories for workflow files and restrict who can modify CI pipelines. For DNS security, expect vendors to release detection signatures for Underminr-style bypass techniques, but the underlying issue suggests DNS alone cannot secure egress traffic. Budget cycles should reflect that reality. Drupal exploitation will likely accelerate—organizations that have not patched CVE-2026-9082 within 72 hours of disclosure should assume attempted compromise and audit logs accordingly.
Technology decisions, clearly explained.
Weekly analysis of the tools, platforms, and strategies that matter to B2B technology buyers. No fluff, no vendor spin.
