Security researchers at Safedep disclosed a large-scale software supply chain attack dubbed “Megalodon” that compromised 5,561 public GitHub repositories in roughly six hours through malicious automated commits.
The attack injected rogue GitHub Actions workflows designed to steal CI/CD secrets, CI environment variables, AWS credentials, GCP access tokens, Azure credentials, SSH private keys, Docker and Kubernetes configurations, API keys, database connection strings, GitHub Actions tokens, GitLab CI/CD tokens, and dozens of other types of secrets when affected workflows executed.
Researchers said the campaign pushed 5,718 malicious commits that appeared to come from trusted automated tooling, allowing attackers to silently poison repositories without directly modifying application code.
The attack has been linked to the broader TeamPCP supply chain campaign, which has recently targeted npm packages, developer tools, and CI/CD ecosystems through credential theft and release pipeline compromise. Researchers said organizations with affected repositories should review workflow histories, rotate exposed secrets, and inspect cloud and CI/CD environments for signs of unauthorized access.
Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs:
“Megalodon is a persistence operation. The dormant backdoors injected into thousands of repositories produce no visible CI activity until the attacker triggers them remotely through the GitHub API. Credential rotation alone does not resolve the compromise when the harvesting mechanism is still embedded in the workflow. Every rotation hands the attacker a fresh set.
“This follows a pattern we have tracked since March 2026. Credentials stolen in one attack fuel the next. TeamPCP compromised a vulnerability scanner to reach LiteLLM on PyPI, and the campaign has since expanded to TanStack and GitHub itself. Megalodon extends that playbook to thousands of repositories simultaneously, converting build pipelines into credential harvesting infrastructure.
“TeamPCP publicly released the Shai-Hulud worm source code six days before Megalodon struck over 5,500 repositories. The tooling to compromise build pipelines at scale is now commodity infrastructure. Zero trust has been applied to users and networks for years. Build pipelines and CI/CD workflows deserve the same scrutiny. Any organization that treats its build infrastructure as implicitly trusted is operating on assumptions that threat actors have already invalidated.”
Damon Small, Board of Directors, Xcape, Inc.:
“The Megalodon campaign demonstrates that software supply chain attacks are evolving from hand-crafted package manipulation into industrial-scale, automated pipeline poisoning. By executing thousands of automated commits within a single afternoon, the threat actors exploited widespread architectural flaws in modern development pipelines, specifically the lack of strict branch protection rules and unhardened GitHub Actions environments. For enterprise security leaders, the primary risk is not application tampering, but the massive, silent harvest of highly privileged infrastructure keys and OpenID Connect tokens that connect development systems directly to production cloud assets.
“Security executives must treat this incident as a critical mandate to move past basic dependency tracking; they must immediately enforce strict, global branch protection rules that require signed commits, universally implement the principle of least privilege across all continuous integration workflows, and mandate an immediate, automated rotation of all enterprise secrets to neutralize any latent credentials that may have already been swept up in this automated net.
Critical Takeaways
- “Pipelines are the new perimeter: Attackers have realized it is far more efficient to poison the automated workflow files that hold the keys to your cloud kingdoms than it is to search for vulnerabilities in your application source code.
- “The illusion of trusted identities: Relying on automated commit messages or friendly bot personas to bypass pull request reviews creates a massive security blind spot that automated scripts can exploit across thousands of repositories simultaneously.
- “Ephemeral tokens require hardening: Unchecked GITHUB_TOKEN permissions within actions files can allow automated scripts to read repository contents and exfiltrate environment variables, requiring a hard enforcement of read-only defaults across the organization.
“When an automated campaign can backdoor over five thousand repositories in less time than it takes to complete an executive status meeting, your manual pull request review policy is no longer a defense mechanism, it is a historical artifact.
“Moving forward, security leaders must assume that every continuous integration environment is a hostile network, shifting their defense strategy from preventing commits to strictly limiting the blast radius of runtime tokens.”
Ryan McCurdy, VP of Marketing, Liquibase:
“Megalodon is a reminder that the attack surface is no longer just the code. It is the automation trusted to move code into live environments. Once a compromised workflow can reach secrets, cloud credentials, and database connection strings, the pipeline stops being plumbing and starts acting like a privileged identity. That is the shift enterprise security models still have not caught up to.”
Time to shift your strategy. Because the attack surface has become broader. And you’re very much the target.
Megalodon supply chain attack infects more than 5,500 GitHub repositories
Posted in Commentary with tags Megalodon on May 27, 2026 by itnerdSecurity researchers at Safedep disclosed a large-scale software supply chain attack dubbed “Megalodon” that compromised 5,561 public GitHub repositories in roughly six hours through malicious automated commits.
The attack injected rogue GitHub Actions workflows designed to steal CI/CD secrets, CI environment variables, AWS credentials, GCP access tokens, Azure credentials, SSH private keys, Docker and Kubernetes configurations, API keys, database connection strings, GitHub Actions tokens, GitLab CI/CD tokens, and dozens of other types of secrets when affected workflows executed.
Researchers said the campaign pushed 5,718 malicious commits that appeared to come from trusted automated tooling, allowing attackers to silently poison repositories without directly modifying application code.
The attack has been linked to the broader TeamPCP supply chain campaign, which has recently targeted npm packages, developer tools, and CI/CD ecosystems through credential theft and release pipeline compromise. Researchers said organizations with affected repositories should review workflow histories, rotate exposed secrets, and inspect cloud and CI/CD environments for signs of unauthorized access.
Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs:
“Megalodon is a persistence operation. The dormant backdoors injected into thousands of repositories produce no visible CI activity until the attacker triggers them remotely through the GitHub API. Credential rotation alone does not resolve the compromise when the harvesting mechanism is still embedded in the workflow. Every rotation hands the attacker a fresh set.
“This follows a pattern we have tracked since March 2026. Credentials stolen in one attack fuel the next. TeamPCP compromised a vulnerability scanner to reach LiteLLM on PyPI, and the campaign has since expanded to TanStack and GitHub itself. Megalodon extends that playbook to thousands of repositories simultaneously, converting build pipelines into credential harvesting infrastructure.
“TeamPCP publicly released the Shai-Hulud worm source code six days before Megalodon struck over 5,500 repositories. The tooling to compromise build pipelines at scale is now commodity infrastructure. Zero trust has been applied to users and networks for years. Build pipelines and CI/CD workflows deserve the same scrutiny. Any organization that treats its build infrastructure as implicitly trusted is operating on assumptions that threat actors have already invalidated.”
Damon Small, Board of Directors, Xcape, Inc.:
“The Megalodon campaign demonstrates that software supply chain attacks are evolving from hand-crafted package manipulation into industrial-scale, automated pipeline poisoning. By executing thousands of automated commits within a single afternoon, the threat actors exploited widespread architectural flaws in modern development pipelines, specifically the lack of strict branch protection rules and unhardened GitHub Actions environments. For enterprise security leaders, the primary risk is not application tampering, but the massive, silent harvest of highly privileged infrastructure keys and OpenID Connect tokens that connect development systems directly to production cloud assets.
“Security executives must treat this incident as a critical mandate to move past basic dependency tracking; they must immediately enforce strict, global branch protection rules that require signed commits, universally implement the principle of least privilege across all continuous integration workflows, and mandate an immediate, automated rotation of all enterprise secrets to neutralize any latent credentials that may have already been swept up in this automated net.
Critical Takeaways
“When an automated campaign can backdoor over five thousand repositories in less time than it takes to complete an executive status meeting, your manual pull request review policy is no longer a defense mechanism, it is a historical artifact.
“Moving forward, security leaders must assume that every continuous integration environment is a hostile network, shifting their defense strategy from preventing commits to strictly limiting the blast radius of runtime tokens.”
Ryan McCurdy, VP of Marketing, Liquibase:
“Megalodon is a reminder that the attack surface is no longer just the code. It is the automation trusted to move code into live environments. Once a compromised workflow can reach secrets, cloud credentials, and database connection strings, the pipeline stops being plumbing and starts acting like a privileged identity. That is the shift enterprise security models still have not caught up to.”
Time to shift your strategy. Because the attack surface has become broader. And you’re very much the target.
Leave a comment »