Megalodon Supply Chain Attack Compromises 5,500+ GitHub Repositories
On May 18, 2026, a large-scale supply chain attack campaign tracked as "Megalodon" injected malicious GitHub Actions workflows into over 5,500 open-source repositories within a single six-hour window. The attack represents the largest supply chain poisoning campaign in GitHub's history, targeting repositories used by millions of developers worldwide.
According to a follow-up analysis by Hudson Rock published on May 23, the attack originated from info-stealer infections that enabled the theft of GitHub credentials, allowing the threat actor to push malicious payloads directly into repositories. The compromised workflows were designed to exfiltrate secrets — including API keys, tokens, and environment variables — from CI/CD pipelines.
Step Security's technical breakdown revealed that the malicious workflows leveraged GitHub Actions' trusted execution environment to harvest secrets from both the targeted repositories and any downstream projects that depended on them. The scale and speed of the attack — over 5,500 repos in six hours — was achieved through automated credential stuffing and stolen session tokens rather than sophisticated zero-day exploitation.
The incident underscores a growing risk in the software supply chain: as organizations increasingly rely on automated CI/CD pipelines, the blast radius of a single compromised repository expands dramatically. Organizations should audit their GitHub Actions workflows, enable branch protection rules, and rotate secrets that may have been exposed.
Megalodon proves that supply chain attacks are scaling through automation — the threat isn't sophisticated zero-days but bulk credential theft targeting the CI/CD layer where secrets live.
How did the Megalodon attack compromise so many repositories?
It used credentials stolen via info-stealer malware to automatically inject malicious GitHub Actions workflows into repositories, exfiltrating secrets from CI/CD pipelines across 5,500+ repos in under six hours.
What should developers do to protect their repositories?
Audit GitHub Actions workflows, enable branch protection rules, use OIDC instead of long-lived tokens, and rotate any secrets that may have been exposed during the May 18 window.