Securing code repository access requires implementing multiple layers of protection: multi-factor authentication (MFA), strong authentication methods like SSH, role-based access control, branch protection policies, and secret scanning. Recent incidents show why this matters—in May 2026, over 5,500 GitHub repositories were simultaneously infected when the Megalodon supply chain attack injected malicious GitHub Actions workflows into vulnerable codebases across a six-hour window. The same month, a malicious version of the Nx Console VS Code extension compromised a GitHub employee’s device before being removed from the Visual Studio Marketplace 18 minutes later. These attacks underscore that repository security is no longer optional: a single compromised account or unpatched vulnerability can give attackers direct access to your source code, credentials, and deployment pipelines. The stakes extend beyond internal teams.
Regulators now mandate repository security controls. The New York Department of Financial Services (NYDFS) requires multi-factor authentication for all user access to information systems, effective immediately with enforcement beginning November 1, 2025. HIPAA requires the same for healthcare organizations. Microsoft, Salesforce, and other major platforms are now enforcing MFA across all tenants by mid-2026. Failing to implement these controls exposes organizations to regulatory penalties, data breaches, and supply chain attacks that can reach thousands of downstream users.
Table of Contents
- Why Recent Code Repository Attacks Matter
- SSH, HTTPS, and Personal Access Tokens: Understanding Your Authentication Options
- Multi-Factor Authentication as the Mandatory Layer
- Role-Based Access Control and Least Privilege
- Branch Protection, Code Review, and Preventing Direct Pushes
- Secret Scanning and Push Protection
- Data Encryption and Compliance Enforcement
Why Recent Code Repository Attacks Matter
The Megalodon attack in May 2026 demonstrated the scale of modern repository threats. The attack automatically committed malicious GitHub Actions workflows to 5,561 distinct repositories within a single six-hour window (11:36-17:48 UTC). This wasn’t a targeted attack on security-conscious companies—it was an automated spray that infected repositories indiscriminately, relying on weak access controls and lack of commit verification. The attackers didn’t need to crack passwords or steal credentials. They exploited repositories where push access was insufficiently restricted, branch protection wasn’t enforced, or automated workflows executed without human review.
The same threat actor group (TeamPCP) demonstrated they could also compromise the software supply chain at the tooling level. A poisoned version of the Nx Console VS Code extension remained live on the Visual Studio Marketplace until GitHub removed it. While the initial breach was limited to a single GitHub employee’s device, the extension reached an unknown number of developers before removal. GitHub Enterprise customers have also faced critical vulnerabilities—CVE-2026-3854 represents a remote code execution flaw affecting both GitHub Enterprise Server and GitHub.com, potentially exposing millions of repositories to direct exploitation. These incidents reveal a common pattern: attackers don’t always need zero-days or sophisticated hacking. They target the weakest link in repository access controls—unreviewed code, missing MFA, weak authentication methods, or excessive permissions granted to service accounts.
SSH, HTTPS, and Personal Access Tokens: Understanding Your Authentication Options
The method you use to authenticate with your repository matters more than many teams realize. SSH uses cryptographic key pairs, meaning your private key never travels over the network and cannot be brute-forced like a password. HTTPS authentication typically relies on passwords or tokens, which remain vulnerable to credential stuffing, phishing, and data breaches if stored improperly. In enterprise environments, SSH is strongly preferred because it ensures encrypted transmission of source code and eliminates the need to share passwords across multiple developers and machines. However, SSH has a critical weakness: private key compromise. If a developer’s private key is stolen, an attacker gains full access to every repository the developer can access. Personal Access Tokens (PATs) offer fine-grained control as an alternative—you can scope a token to specific repositories, limit its permissions (read-only, workflow access, etc.), and set automatic expiration dates.
A PAT that expires in 30 days is inherently less damaging than a private key compromised from a developer’s laptop three years ago. Yet PATs carry their own risk: developers often commit them to repositories, expose them in CI logs, or store them insecurely. Organizations using GitHub, GitLab, or Bitbucket should implement secret scanning and push protection to block commits containing exposed tokens before they reach the repository. The security tradeoff is real. SSH provides superior authentication but requires operational discipline—developers must protect their private keys. PATs provide better granularity and expiration but remain long-lived credentials susceptible to leakage. Neither method alone is sufficient; both must be paired with MFA.
Multi-Factor Authentication as the Mandatory Layer
MFA is no longer a recommendation; it is a regulatory requirement. The NYDFS mandate requires MFA for all user access to information systems as of November 1, 2025, with no exceptions or alternative measures. HIPAA requires the same for all covered entities and business associates. Microsoft Entra has set a deadline of July 1, 2026, for all organizations to enable MFA on their tenants, allowing a grace period only for those with technical barriers. Salesforce has made org-wide MFA mandatory with no option to disable it. MFA works by requiring a second authentication factor beyond your password, typically a time-based code from an authenticator app, a security key, or a push notification to a trusted device.
SMS-based MFA is better than nothing, but authenticator apps and security keys are significantly more resistant to phishing and SIM-swap attacks. In 2026, FIDO-based authentication (security keys) has become the gold standard, supported by AWS Identity and Access Management and increasingly by GitHub, GitLab, and other major platforms. FIDO standards use public-key cryptography, meaning your identity is verified through a hardware token or biometric rather than a code that can be intercepted. The limitation is friction. MFA increases login time, can lock users out if their authenticator device is lost, and requires backup recovery codes stored securely. Organizations must educate users on recovery procedures and ensure security keys or authenticator apps are backed up properly. However, the cost of friction is far lower than the cost of a compromised repository.
Role-Based Access Control and Least Privilege
Not every developer needs administrative access to your repositories. Role-based access control (RBAC) segments permissions into predefined roles: Administrator (full access), Developer (push to branches, create pull requests), and Viewer (read-only access). This reduces human error and insider threats. A junior developer doesn’t need the ability to delete repositories or modify branch protection settings. A contractor working on a feature branch doesn’t need access to production secrets.
However, RBAC only works if roles are configured correctly. A common misconfiguration is granting “Developer” access when “Viewer” would suffice, or allowing temporary access that is never revoked. Organizations should conduct quarterly access reviews, removing access for departed employees and contractors immediately. Service accounts (automated systems that push code or trigger deployments) should use the most restrictive permissions possible—often read-only access or write access to a single branch, never full administrative privileges. The 2026 Megalodon attack exploited repositories where push access was insufficiently restricted, allowing the attack to run automated commits without branch protection or code review.
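A quarterly access review of the kind described above is easy to automate once the repository's collaborator list is compared against an identity source. The following is an added example, not code from the article or any platform: it evaluates a constructed collaborator list against a constructed roster and flags departed users, unknown accounts, admins outside an allowlist, over-privileged service accounts, and expired temporary grants. The role names are GitHub's repository roles; everything else (names, dates, the roster layout) is invented for the example.

```python
from datetime import date

# Constructed sample data; the user names and grants are invented for this example.
IDENTITY_ROSTER = {
    # user: (employment status, is this a service account?)
    "alice": ("active", False),
    "bob": ("departed", False),
    "carol": ("active", False),
    "deploy-bot": ("active", True),
}

REPO_COLLABORATORS = [
    # (user, repository role, expiry of a temporary grant or None)
    ("alice", "admin", None),
    ("bob", "write", None),                 # left the company, access never revoked
    ("carol", "write", date(2026, 1, 31)),  # temporary grant for one feature
    ("deploy-bot", "admin", None),          # CI service account holding full admin
    ("mallory", "read", None),              # not in the identity roster at all
]

ADMIN_ALLOWLIST = {"alice"}

# GitHub's repository roles in ascending order of privilege.
ROLE_RANK = {"read": 0, "triage": 1, "write": 2, "maintain": 3, "admin": 4}


def review_access(collaborators, roster, admin_allowlist, today):
    """Return (user, issue) pairs for every grant that violates least privilege."""
    findings = []
    for user, role, expires in collaborators:
        status, is_service = roster.get(user, ("unknown", False))
        if status == "departed":
            findings.append((user, "departed user still has access"))
        elif status == "unknown":
            findings.append((user, "collaborator missing from identity roster"))
        if role == "admin" and user not in admin_allowlist:
            findings.append((user, "admin role outside the allowlist"))
        # Service accounts should stop at write access (ideally to one branch), never maintain/admin.
        if is_service and ROLE_RANK[role] >= ROLE_RANK["maintain"]:
            findings.append((user, "service account holds more than write access"))
        if expires is not None and expires < today:
            findings.append((user, f"temporary grant expired on {expires.isoformat()}"))
    return findings


if __name__ == "__main__":
    for user, issue in review_access(REPO_COLLABORATORS, IDENTITY_ROSTER,
                                     ADMIN_ALLOWLIST, date(2026, 3, 1)):
        print(f"{user}: {issue}")
```

In practice the collaborator list comes from the hosting platform's API and the roster from the HR or identity provider; the review logic stays the same.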
Branch Protection, Code Review, and Preventing Direct Pushes
Branch protection policies prevent developers from pushing directly to critical branches like main or master without code review. At minimum, enforce a requirement that at least one other developer reviews and approves changes before they merge. This is not security theater: the Megalodon attack could have been mitigated if repositories required human review of any commits that created new GitHub Actions workflows. A stronger configuration dismisses stale reviews if the code changes, prevents administrators from bypassing review requirements, and requires status checks to pass before merge (such as automated tests or security scanning).
Organizations should protect not just main but any branch that triggers deployments, runs scheduled jobs, or contains sensitive logic. The limitation is speed. Code review requires human time and adds latency to deployments. Some teams respond by relaxing review requirements for “minor” changes—a decision that enabled the Megalodon attack, which injected malicious workflows into repositories where review policies were weak or non-existent. The tradeoff between velocity and safety is real, but modern code review tools and CI/CD systems make the friction manageable.
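The "stronger configuration" described above can be checked mechanically. The following is an added example, not code from the article or from GitHub: it audits a branch's protection settings against that policy and, to cover the workflow-injection point, checks that the `.github/workflows/` directory has a dedicated CODEOWNERS rule so that code-owner review applies to workflow changes. The settings dictionaries are constructed samples laid out in what I take to be the shape of GitHub's `GET /repos/{owner}/{repo}/branches/{branch}/protection` response; the CODEOWNERS matching is deliberately simplified (trailing slash means directory prefix, otherwise glob).

```python
import fnmatch

# Constructed settings in the assumed shape of GitHub's branch protection API response.
WEAK_PROTECTION = {
    "required_pull_request_reviews": None,
    "enforce_admins": {"enabled": False},
    "required_status_checks": None,
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}

STRONG_PROTECTION = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
    },
    "enforce_admins": {"enabled": True},
    "required_status_checks": {"strict": True, "contexts": ["ci/test", "security/scan"]},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

# Constructed CODEOWNERS files; in CODEOWNERS the last matching rule wins.
CODEOWNERS_WITH_WORKFLOW_RULE = """\
*                    @example-org/dev-team
/.github/workflows/  @example-org/security-team
"""
CODEOWNERS_CATCH_ALL_ONLY = "* @example-org/dev-team\n"


def audit_protection(protection: dict) -> list:
    """Return the policy gaps in one branch's protection settings (empty list means it passes)."""
    gaps = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        gaps.append("no approving review required before merge")
    if not reviews.get("dismiss_stale_reviews"):
        gaps.append("approvals are not dismissed when new commits are pushed")
    if not reviews.get("require_code_owner_reviews"):
        gaps.append("code owner review not required")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        gaps.append("administrators can bypass the rules")
    checks = protection.get("required_status_checks") or {}
    if not checks.get("contexts"):
        gaps.append("no required status checks")
    elif not checks.get("strict"):
        gaps.append("branch need not be up to date with its base before merge")
    if (protection.get("allow_force_pushes") or {}).get("enabled"):
        gaps.append("force pushes allowed")
    if (protection.get("allow_deletions") or {}).get("enabled"):
        gaps.append("branch deletion allowed")
    return gaps


def owning_rule(codeowners: str, path: str):
    """Return (pattern, owners) of the CODEOWNERS rule that wins for `path`, or None.
    Simplified matching: a trailing '/' is a directory prefix, anything else is a glob."""
    winner = None
    for line in codeowners.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        pattern, *owners = line.split()
        pat = pattern.lstrip("/")
        matched = path.startswith(pat) if pat.endswith("/") else fnmatch.fnmatch(path, pat)
        if matched:
            winner = (pattern, owners)                # later rules override earlier ones
    return winner


def workflows_have_dedicated_owner(codeowners: str) -> bool:
    """True when .github/workflows/ is covered by a rule more specific than the catch-all."""
    rule = owning_rule(codeowners, ".github/workflows/ci.yml")
    return rule is not None and rule[0] != "*"


if __name__ == "__main__":
    for name, settings in (("weak", WEAK_PROTECTION), ("strong", STRONG_PROTECTION)):
        print(name, "->", audit_protection(settings) or "OK")
    print("workflow owners:", workflows_have_dedicated_owner(CODEOWNERS_WITH_WORKFLOW_RULE))
```

Run against every branch that deploys or runs scheduled jobs, not only main, and treat any non-empty gap list as a failed control.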
Secret Scanning and Push Protection
Developers routinely commit API keys, database passwords, and OAuth tokens to repositories by accident. Secret scanning automatically detects these leaks by scanning for patterns matching known secret formats. Push protection takes this further by blocking commits containing detected secrets before they reach the repository.
GitHub, GitLab, and Bitbucket all offer native secret scanning; third-party tools like TruffleHog and GitGuardian provide additional scanning across your entire git history. A critical example: if a developer commits a GitHub personal access token with repo:write permissions, an attacker who finds that token in the repository’s git history can push code to your main branch indefinitely. Scanning must cover not just new commits but your entire repository history, searching for secrets already committed. Organizations should configure scanning to cover all branches, not just main, and should educate developers on how to remove secrets from history using tools like git-filter-repo.
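The push-protection idea from the authentication section (blocking a commit that carries a leaked PAT) and the scanning described here share one mechanism: pattern-match the lines a commit adds. The following is an added example, not code from the article or from any of the tools it names: a minimal scanner that reads a unified diff, checks only added lines, matches a few well-known token formats (GitHub classic PAT, AWS access key ID, private key headers) plus a generic high-entropy `key = "..."` assignment, and reports redacted findings with file and line. The diff and every secret-looking value in it are constructed for the example; the AWS value is the placeholder from AWS's own documentation.

```python
import math
import re
import sys
from collections import Counter

# Well-known token formats. The GitHub pattern is the classic "ghp_" + 36 character form.
PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic fallback: something named like a credential assigned a long, random-looking value.
GENERIC = re.compile(r"(?i)(?:api[_-]?key|secret|token|password)\w*\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
ENTROPY_THRESHOLD = 3.5  # bits per character; hex and base64 secrets sit well above this

# Constructed diff; the token-like strings are invented and not valid credentials.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,6 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.internal"]
-GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
+GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+api_key = "8f3c9d2e1a7b4c6d5e0f9a8b7c6d5e4f"
+SESSION_TOKEN = os.environ["SESSION_TOKEN"]
 TIMEOUT = 30
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies of `s`."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only the first and last four characters so findings can be logged safely."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_added_lines(diff_text: str) -> list:
    """Return (path, new_line_number, kind, redacted_value) for each secret in added lines."""
    findings = []
    path, lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        hunk = HUNK.match(raw)
        if hunk:
            lineno = int(hunk.group(1))          # line number of the first line in the new file
            continue
        if raw.startswith("---") or raw.startswith("-"):
            continue                             # removed lines do not advance the new-file counter
        if raw.startswith("+"):
            text = raw[1:]
            hit = False
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(text):
                    findings.append((path, lineno, kind, redact(m.group(0))))
                    hit = True
            if not hit:                           # generic check only when no known format matched
                m = GENERIC.search(text)
                if m and shannon_entropy(m.group(1)) > ENTROPY_THRESHOLD:
                    findings.append((path, lineno, "high_entropy_assignment", redact(m.group(1))))
            lineno += 1
        elif raw.startswith(" "):
            lineno += 1                           # unchanged context line
    return findings


if __name__ == "__main__":
    # Usage as a pre-commit hook: git diff --cached -U0 | python scan_secrets.py
    diff = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    results = scan_added_lines(diff)
    for path, line, kind, value in results:
        print(f"{path}:{line}: {kind}: {value}")
    sys.exit(1 if results else 0)
```

Wired in as a pre-commit or pre-receive hook it becomes push protection: a non-zero exit blocks the commit. Feeding it `git log -p --all` instead covers the history point above, since a token that was committed and later removed is still in every clone until the history is rewritten.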
Data Encryption and Compliance Enforcement
Code repositories must encrypt data both in transit and at rest. Data in transit should be encrypted using TLS/SSL—all modern git hosting platforms enforce this. For on-premises or private cloud repositories, encrypt the underlying storage volumes and ensure database backups are encrypted. This prevents attackers who gain physical access to servers from reading your source code directly off disk.
Compliance enforcement is the final layer. NYDFS, HIPAA, and other regulations now require MFA and access controls to be verified and documented. Organizations should audit their repositories quarterly, verify that MFA is enabled for all users, confirm that branch protection policies are active on critical branches, and verify that administrative access is minimal. Microsoft’s July 1, 2026, deadline for Entra MFA enforcement means that organizations with legacy systems must either upgrade by then or lose access to Microsoft services. The same pattern will likely spread to other platforms throughout 2026 and beyond.
