5,500 GitHub Repos Poisoned in Massive Supply Chain Attack
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 24, 2026
cybr.cx | Daily Digest — May 24, 2026
Critical Vulnerabilities
No new CVEs meeting publication threshold today. The feed is quiet — use the breathing room to verify patch status on last week's critical items and double-check your asset inventory. We'll be back with scored vulnerabilities as they emerge.
Headline News
Megalodon: 5,500+ GitHub Repositories Poisoned in Supply Chain Campaign
A supply chain attack campaign named Megalodon has compromised more than 5,500 GitHub repositories, marking one of the more significant repository-poisoning events seen this year. Attackers appear to have injected malicious code into legitimate-looking repos — and in some cases forked or typosquatted popular projects — to maximise the blast radius across downstream consumers. The scale of the campaign raises immediate concerns for any organisation pulling dependencies without rigorous integrity checks: CI/CD pipelines that trust GitHub-hosted packages without pinning commits or verifying hashes are directly in the firing line. Practitioners should audit their dependency graphs now, prioritising any packages pulled in the last 30 days, and treat any unfamiliar recent commit to a transitive dependency as suspect until proven otherwise.
Kash Patel-Linked Merchandise Site Weaponised to Deliver Malware
A merchandise website associated with FBI Director Kash Patel was reportedly compromised and used to serve malware to visitors before being taken offline. The attack is a textbook watering-hole scenario — target a site with a predictable, politically engaged audience, inject the payload, and harvest whoever walks through the door. What makes this notable beyond the headline name is the implicit targeting: anyone visiting a site linked to a senior federal law enforcement official is likely to include government employees, contractors, and law enforcement-adjacent personnel — exactly the kind of high-value targets a sophisticated adversary would want to profile or implant. It's a reminder that personal or affinity-based browsing habits create attack surface that corporate endpoint controls rarely account for. If you're running a threat intel or insider risk programme, browsing telemetry outside managed infrastructure is increasingly worth your attention.
FBI Flags Kali365 Phishing-as-a-Service Bypassing Microsoft 365 MFA
The FBI has issued a warning about Kali365, a phishing-as-a-service (PhaaS) kit specifically engineered to defeat multi-factor authentication and hijack Microsoft 365 accounts without ever obtaining the target's password. The kit operates by proxying authentication sessions in real time — an adversary-in-the-middle approach that intercepts session tokens rather than credentials, rendering traditional MFA effectively useless. This joins a growing catalogue of AiTM-capable PhaaS platforms that have commoditised what was once a technically demanding attack. Defenders should be accelerating adoption of phishing-resistant MFA — FIDO2/passkeys — wherever possible, and monitoring for session anomalies such as token reuse from unexpected geographic locations or unusual device fingerprints that might indicate a hijacked session rather than a legitimate login.
Schrödinger's Feed
Canada Bets on Quantum Repeaters to Close the Long-Distance Communications Gap
Canada has launched a national quantum networking challenge specifically targeting the development of quantum repeaters — the critical missing piece that would allow quantum-secured communications to extend beyond the short distances currently viable. Without repeaters capable of preserving quantum states across hundreds or thousands of kilometres, quantum key distribution remains a niche tool rather than a viable national infrastructure technology. It's genuinely hard physics: quantum states can't simply be amplified the way classical signals can, so repeaters have to perform entanglement swapping without measuring — and thus collapsing — what they're transmitting. Practitioners planning long-term cryptographic roadmaps should watch repeater development closely: if this challenge produces working results at scale, the timeline for practical quantum-secured wide-area networks compresses significantly, and with it the urgency of hybrid classical/PQC deployment strategies.
/dev/random
Reverse Engineering a Computer That Flew on the Space Shuttle
Someone has done the meticulous, wonderful work of reverse engineering the circuitry of a Spacelab computer from 1980 — the kind of hardware that ran real scientific experiments in low Earth orbit on a budget that would barely cover a mid-range rack server today. The teardown reveals an era of engineering where every transistor was a considered decision, documentation was written by humans for humans, and "security" meant surviving vibration and cosmic radiation rather than a threat model review. There's something quietly humbling about staring at 46-year-old aerospace logic and realising the people who designed it had no Stack Overflow, no LLM, and no take-backs once the shuttle was off the pad. Mandatory reading for anyone who's ever complained about legacy code.