How Pantheon Shut Down a Trojan Attack on Our GitHub Repositories
On May 29th, an attacker used compromised GitHub credentials belonging to a Pantheon engineer to push malicious code to the development branches of multiple repositories, many of which are owned by Pantheon. We detected the anomaly, and Pantheon’s security policies prevented the attack from modifying branches that affect production services or customer sites.
Because the malicious code was blocked from our distribution streams and production environments, the attack was effectively thwarted, and customers’ websites were never at risk.
The attack pushed amended commits to existing pull requests and restored previously deleted branches, introducing malware while retaining the original commits' timestamps and authorship so that the rewritten history did not stand out. The malicious code, a trojan, was added to existing JavaScript configuration files that the original commits had not touched. Here is an example of the malicious code visible on a public repository:
This attack fits a growing industry-wide pattern targeting developers' local machines. Our analysis of this obfuscated code indicates that it seeks secrets, tokens, and other valuable credentials to exfiltrate to the attackers' command-and-control server. It is intended to do so in both continuous integration and local development environments.
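One practical way to hunt for commits of the kind described above is to compare each commit's author metadata with its committer metadata: `git commit --amend` and `git rebase` keep the original author name, email and author date but stamp a fresh committer identity and commit date. The following triage script is an added example, not Pantheon's tooling; it parses constructed `git log` output (fake SHAs, example.com identities) and flags commits that were re-created long after they were authored or by someone other than the author.

```python
"""Triage rewritten commits by comparing author and committer metadata.

git commit --amend and git rebase keep the original author name, email
and author date (%an %ae %at) but stamp a fresh committer identity and
date (%cn %ce %ct). A commit whose author date is old but whose committer
date is much later, or whose committer is not the author, was re-created
after the fact and deserves a second look.

Input format (one commit per line, tab separated), produced by:
  git log --format='%H%x09%an%x09%ae%x09%at%x09%cn%x09%ce%x09%ct' <branch>
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str
    author_email: str
    author_time: int      # unix seconds
    committer_name: str
    committer_email: str
    committer_time: int   # unix seconds


def parse_git_log(lines: Iterable[str]) -> list[Commit]:
    """Parse tab-separated git log lines; blank lines are skipped."""
    commits: list[Commit] = []
    for raw in lines:
        raw = raw.rstrip("\n")
        if not raw:
            continue
        fields = raw.split("\t")
        if len(fields) != 7:
            raise ValueError(f"unexpected git log line: {raw!r}")
        sha, an, ae, at, cn, ce, ct = fields
        commits.append(Commit(sha, an, ae, int(at), cn, ce, int(ct)))
    return commits


def find_rewritten(commits: Iterable[Commit],
                   max_skew_seconds: int = 24 * 3600) -> dict[str, list[str]]:
    """Return {sha: [reasons]} for commits that look re-created.

    max_skew_seconds is how long after authoring a commit may be committed
    before it is flagged; one day tolerates ordinary local amends and
    rebases while still catching weeks-old author dates on fresh pushes.
    """
    findings: dict[str, list[str]] = {}
    for c in commits:
        reasons: list[str] = []
        if c.committer_email.lower() != c.author_email.lower():
            reasons.append("committer differs from author")
        skew = c.committer_time - c.author_time
        if skew > max_skew_seconds:
            reasons.append(f"committed {skew // 3600}h after authoring")
        if reasons:
            findings[c.sha] = reasons
    return findings


# Constructed sample log (fake SHAs, example.com identities); not taken
# from any real repository.
SAMPLE_LOG = [
    # ordinary commit: author and committer identical, same second
    "a" * 40 + "\tDev One\tdev1@example.com\t1716984000\tDev One\tdev1@example.com\t1716984000",
    # re-created with the original author identity and date, committed ~29 days later
    "b" * 40 + "\tDev One\tdev1@example.com\t1714521600\tDev One\tdev1@example.com\t1717027200",
    # merged through the web UI: committer is GitHub, not the author
    "c" * 40 + "\tDev Two\tdev2@example.com\t1716900000\tGitHub\tnoreply@github.com\t1716900100",
]


def triage_sample() -> dict[str, list[str]]:
    """Run the check over the constructed sample."""
    return find_rewritten(parse_git_log(SAMPLE_LOG))


if __name__ == "__main__":
    for sha, reasons in triage_sample().items():
        print(sha[:12], "; ".join(reasons))
```

Treat hits as triage leads, not proof: squash merges, web-UI merges and honest rebases produce the same signals, and an attacker holding an engineer's credentials can set the committer identity to match the author, as the second sample commit shows. The timestamp skew survives that, but the durable controls are the ones the post goes on to describe: blocking force-pushes so history cannot be rewritten at all, and requiring signed commits so an amended commit cannot carry the original author's name without the original author's key.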
After an extensive review, we have found no evidence that repositories that received these pushes made any releases that would have been downloaded, deployed, or otherwise used by customers.
How Pantheon responded to the attack
Within hours of detecting anomalous behavior on May 29, 2026, we revoked the compromised credentials.
We then deleted all affected branches and rotated secrets on all repositories that received malicious code pushes. We began a forensic analysis of the laptop where the compromise started. We also undertook an organization-wide review to ensure that all repositories follow these policies:
- Automatically block all force-pushes.
- Restrict unauthorized branch deletions.
- Mandate cryptographically signed commits across all codebases.
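The three policies above map directly onto fields of a GitHub branch protection rule. The audit helper below is an added example, not Pantheon's own tooling: it evaluates the JSON body that `GET /repos/{owner}/{repo}/branches/{branch}/protection` returns (each setting is an object with an `enabled` boolean, and the endpoint answers 404 for an unprotected branch) against the three rules, using two constructed payloads, one weak and one hardened. The live `fetch_protection` helper assumes a token that can read the repository's settings and is not exercised offline.

```python
"""Audit a branch's GitHub protection settings against three policies:
no force-pushes, no branch deletion, signed commits required.

The payload shape is the JSON body GitHub returns from
  GET /repos/{owner}/{repo}/branches/{branch}/protection
where each setting is an object carrying an "enabled" boolean. That
endpoint answers 404 when the branch has no protection rule at all.
"""
import json
import urllib.error
import urllib.request
from typing import Any, Optional

# policy name -> (payload key, "enabled" value that satisfies the policy)
POLICIES = {
    "block force-pushes": ("allow_force_pushes", False),
    "block branch deletions": ("allow_deletions", False),
    "require signed commits": ("required_signatures", True),
}


def check_branch_protection(protection: Optional[dict[str, Any]]) -> list[str]:
    """Return the policy violations for one branch; an empty list means compliant."""
    if protection is None:
        return ["branch has no protection rule"]
    violations: list[str] = []
    for policy, (key, wanted) in POLICIES.items():
        # An absent key means GitHub's default for a protected branch:
        # force-pushes and deletions disallowed, signatures not required,
        # i.e. enabled == False in every case.
        enabled = bool(protection.get(key, {}).get("enabled", False))
        if enabled != wanted:
            violations.append(f"{policy}: {key}.enabled is {enabled}")
    return violations


def fetch_protection(owner: str, repo: str, branch: str,
                     token: str) -> Optional[dict[str, Any]]:
    """Live lookup (assumption: `token` may read the repository's settings).

    Returns None when GitHub reports the branch as unprotected (404).
    """
    url = f"https://api.github.com/repos/{owner}/{repo}/branches/{branch}/protection"
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
    })
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


# Constructed payloads, trimmed to the fields that matter; not captured
# from any real repository.
WEAK_PROTECTION = {
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},    # history can be rewritten
    "allow_deletions": {"enabled": True},       # branch can be removed and recreated
    "required_signatures": {"enabled": False},  # unsigned commits accepted
}

HARDENED_PROTECTION = {
    "enforce_admins": {"enabled": True},        # rules bind admins too
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
    "required_signatures": {"enabled": True},
}


if __name__ == "__main__":
    for name, payload in (("weak", WEAK_PROTECTION),
                          ("hardened", HARDENED_PROTECTION),
                          ("unprotected", None)):
        print(name, check_branch_protection(payload) or ["ok"])
```

Two things to watch when running this across an organization. First, the branches hit in this incident were development branches, not the protected release branch, so the rule has to cover every branch that matters rather than only the default one. Second, `enforce_admins` is worth checking alongside the three policies: a compromised account with admin rights can otherwise bypass all of them. Protection configured through GitHub's newer repository rulesets lives behind a separate API and will not appear in this payload.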
We proactively disabled GitHub's Classic Personal Access Tokens at the enterprise level. Classic tokens are not scoped to individual repositories and need not expire, so a single stolen token lets an attacker pivot across every repository its owner can reach; removing them eliminates that class of risk. We also revoked all existing personal access tokens, allowing regeneration only where a documented need existed.
Our engineering teams identified and systematically reverted or deleted the impacted development branches. This included reverting a commit on the development branch of our WordPress upstream repository.
How Pantheon distributes WordPress and what it means for customers
Pantheon distributes updates to WordPress Core to our customers' sites via our own copy of WordPress on GitHub. While we created this repository originally to simplify database credential handling and other platform compatibility considerations, it has become increasingly valuable as a means of protecting the software supply chain. Pantheon's product allows customers to pull changes only from the master branch into their site.
Pantheon engineers use a mix of automated tests and manual reviews before any changes are merged to this protected branch. These extra steps protect against the various threats to the stability of WordPress Core.
While multiple development branches in this repository received malicious pushes, the master branch used to deliver updates directly to customer environments was not altered.
Our SecOps team is monitoring repository history rewrites, ensuring continuous visibility as we return to normal operations.
Pantheon’s commitment to security
As the threat landscape evolves and the number of supply chain attacks increases, no platform alone can guarantee immunity from every attempt. What matters is detection, response, and the people behind it. We remain vigilant and committed to ensuring professional web teams can work with safety and confidence, knowing you can trust the Pantheon team to openly communicate about any incidents that may arise and actively defend your digital presence around the clock.