Megalodon hit 5,561 GitHub repos by poisoning CI workflows
Original: Over 5,500 GitHub Repositories Infected in ‘Megalodon’ Supply Chain Attack View original →
The attack surface has moved deeper into the build pipeline. Megalodon, a large automated supply-chain campaign reported by SafeDep and covered by SecurityWeek, injected malicious GitHub Actions workflows into thousands of repositories so attackers could harvest credentials from CI/CD environments.
SecurityWeek reported that more than 5,700 malicious commits landed across 5,561 repositories during a six-hour window on May 18, 2026. The campaign used fake automated maintenance commits to add new workflows or alter existing ones. Some workflows were designed to run on push and pull request events, while others created dormant backdoors that could be triggered later through the GitHub API.
The payload list shows why CI compromise is so dangerous. According to the report, the malware attempted to exfiltrate CI environment variables, AWS credentials, GCP access tokens, Azure credentials, SSH private keys, Docker and Kubernetes configurations, API keys, database connection strings, GitHub Actions tokens, GitLab CI/CD tokens, and other secrets. A CI runner often holds the permissions needed to publish packages, deploy infrastructure, or access cloud accounts, making it a high-value target even when the application code itself looks untouched.
The campaign surfaced after malicious versions of the Tiledesk package were found. SecurityWeek, citing SafeDep, said the attacker did not need to compromise the npm account directly. Instead, the GitHub repository was poisoned, and the maintainer later published from that tainted source. That pattern is harder for teams to notice because workflow files often receive less review than application changes.
The immediate defensive lesson is concrete: audit workflow file changes, require review for `.github/workflows`, reduce default token permissions, and inspect cloud OIDC token requests from unexpected workflow runs. Teams should also look closely at May 18 commits using maintenance-style authors such as build-bot, auto-ci, ci-bot, or pipeline-bot.
Megalodon is not only a GitHub incident. It is a warning that CI/CD automation has become part of the production attack surface. Package scanners can miss the point if the build machinery that creates the package has already been altered.
Related Articles
GitHub confirmed on May 20, 2026 that threat group TeamPCP exfiltrated approximately 3,800 internal repositories after a GitHub employee installed a trojanized Nx Console VS Code extension that was live on the marketplace for just 11 minutes. Stolen credentials include 1Password vaults, Anthropic Claude Code configurations, npm, GitHub, and AWS tokens; TeamPCP is seeking $50,000 for the data on underground forums.
Bumblebee is a read-only scanner for macOS and Linux developer endpoints. Perplexity says it checks risky packages, MCP configs, editor extensions, and browser extensions without invoking package managers or install scripts.
TrapDoor pushed more than 34 malicious packages across npm, PyPI, and Crates.io after May 22. The sharpest twist is not just credential theft, but the attempt to poison .cursorrules and CLAUDE.md files read by AI coding assistants.
Comments (0)
No comments yet. Be the first to comment!