A large-scale software supply chain attack dubbed “Megalodon” has compromised more than 5,500 repositories on GitHub, raising fresh concerns about the growing abuse of automated development pipelines and GitHub Actions workflows. The incident, uncovered by SafeDep, involved thousands of malicious commits that injected credential-stealing payloads into repositories over a short period of time.
According to researchers, the Megalodon campaign targeted repositories through automated commits that inserted malicious GitHub Actions workflows capable of harvesting sensitive credentials, cloud access keys, API tokens, and other secrets stored within continuous integration and continuous delivery (CI/CD) environments.
Thousands of Malicious GitHub Actions Commits Detected Within Hours
The attack unfolded on May 18, 2026, when attackers pushed more than 5,700 malicious commits across thousands of repositories within six hours. SafeDep’s investigation found that a total of 5,718 commits were deployed between approximately 11:36 UTC and 17:48 UTC, affecting 5,561 distinct GitHub repositories.
Researchers said the Megalodon operation relied heavily on GitHub Actions to establish persistence and silently collect sensitive information from infected development environments. The attackers deployed two separate payloads as part of the campaign. One payload introduced a new GitHub Actions workflow configured to run on every push and pull request. The second payload replaced existing workflows tied to specific triggers, effectively creating dormant backdoors that could later be activated remotely.
The malicious commit associated with the infection was reportedly authored by a user identified as “build-bot” and pushed on May 18. During its investigation into the linked email address, the researchers uncovered 2,878 commits made on the same day. Researchers also identified another 2,841 commits tied to a second email address connected to the operation.
Researchers noted that all 5,718 commits tied to the Megalodon campaign landed within the same six-hour timeframe, indicating a highly coordinated and automated attack strategy. The scale and speed of the operation highlighted how threat actors are weaponizing GitHub Actions and software development workflows to distribute malicious code at scale.
Megalodon Malware Targeted CI/CD Secrets and Cloud Credentials
On compromised systems, the malware attempted to exfiltrate a broad range of sensitive data. According to researchers, the stolen information included CI environment variables, AWS credentials, Google Cloud Platform access tokens, Azure credentials, SSH private keys, Docker and Kubernetes configuration files, database connection strings, GitHub Actions tokens, GitLab CI/CD tokens, API keys, and numerous other secrets commonly stored in development pipelines.
Another significant concern raised by researchers involved the attackers’ use of the “workflow_dispatch” feature within GitHub Actions. According to researchers, the malicious workflow leveraged this trigger mechanism to establish dormant backdoors that could later be activated through the GitHub API using stolen GitHub tokens.
Researchers explained that the “workflow_dispatch” mechanism is exempt from GitHub’s anti-recursion protections, which normally prevent workflows from spawning additional workflow runs through GitHub token-triggered events. This loophole potentially allowed attackers to reactivate compromised workflows even after the initial breach.
Searchers Links Megalodon Campaign to Compromised Open-Source Packages
The researchers discovered the Megalodon campaign after identifying malicious versions of the Tiledesk package, an open-source live chat and chatbot platform. The infected packages were reportedly published between May 19 and May 21, shortly after the malicious commits were introduced into the source repositories.
In its analysis, SafeDep stated that the same NPM account, “eljohnny” using the email address [email protected], had published both the legitimate version 2.18.5 and the compromised versions of the package. Researchers emphasized that the attacker did not directly compromise the NPM account itself.
“The attacker never touched the NPM account. They compromised the GitHub repository, and the maintainer published from the poisoned source without realizing it,” SafeDep explained.
The Megalodon incident emerged shortly after NPM announced new security measures aimed at limiting similar supply chain attacks. Last week, NPM invalidated all granular access tokens with write permissions that bypassed two-factor authentication protections. The move was intended to reduce the risk of attacks resembling the earlier Mini Shai-Hulud campaign.
However, cybersecurity researchers warned that token protection alone may not fully address the broader issue of repository compromise and malicious code propagation.
Security company Ox Security stated that while stricter token controls may reduce account hijacking risks, they do not solve the underlying problem of compromised repositories distributing malicious code through trusted development ecosystems.
“If platforms continue allowing any type of code to be uploaded without serious vetting, the number of attacks will only increase,” Ox Security noted.
The company also warned that the Megalodon campaign could represent the beginning of a larger wave of attacks targeting developers and open-source ecosystems globally.
“We’ve entered a new supply chain attack era, and TeamPCP compromising GitHub was only the beginning. What’s coming next is an endless wave, a tsunami of cyber attacks on developers worldwide,” the firm said.
