safedep.io
Megalodon Campaign Infects Over 5,500 GitHub Repositories with Malware
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
On May 18, 2026, an automated cyber campaign named Megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories within six hours. The attackers used forged identities and dummy accounts to inject malicious GitHub Actions workflows that exfiltrate CI/CD secrets, cloud credentials, and other sensitive data to a command-and-control server. Two payload variants were deployed: one that adds a new workflow triggered by every push and pull request, and another that replaces existing workflows with dormant backdoors. The npm package @tiledesk/tiledesk-server was notably affected, with compromised versions published between May 19 and May 21. The attack highlights vulnerabilities in the software supply chain, with many repositories still infected weeks later. Researchers believe the attackers leveraged valid credentials obtained from previous supply chain breaches. As of now, the malicious commits remain active on the master branches of affected repositories.
Key Points: • Megalodon campaign pushed 5,718 malicious commits to 5,561 GitHub repositories in six hours. • Attackers used forged identities to inject malicious workflows that steal sensitive data. • The npm package @tiledesk/tiledesk-server was among the most affected, with backdoored versions published.