A practical incident response and hardening playbook for GitHub supply-chain malware, developer Macs, CI/CD, Docker, branch protection, Datadog detections, and AI-assisted cleanup.
Compromised GitHub identities propagate malware via repo files (Dockerfile, workflows, setup.js), stealing credentials across repos. Teams need push rulesets, branch protection, CODEOWNERS, identity containment; cleanup fails without stopping the attack first.
GitHub is not just a place where code lives. In most engineering organizations, it is part of the software delivery control plane.
That means a compromised developer machine, OAuth app, GitHub App, personal access token, SSH key, service account, CI runner, or automation script can become a supply-chain problem very quickly.
The dangerous pattern looks like this:
A trusted identity pushes a small repo change
→ the change modifies developer tooling, CI, package scripts, Docker, or repo rules
Learn how to apply a detection-based threat model to secure your GitHub ecosystem by identifying key inputs, identities, and…
The Megalodon supply chain attack poisoned over 5,500 GitHub repositories via automated commits injecting GitHub Actions…
GitHub is just the latest victim of TeamPCP, a gang that has carried out a spree of software supply chain attacks.
If any impact is discovered, customers will be notified via established incident response and notification channels.
GitHub NPM Supply Chain Attack - Investigation Report Date: May 29, 2026 Case ID:...
Use Datadog IaC Security to catch GitHub Actions misconfigurations in the diff, before they reach production.
