{"id":256996,"date":"2026-05-25T03:40:00","date_gmt":"2026-05-25T07:40:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/25\/over-5500-github-repositories-infected-in-megalodon-supply-chain-attack\/"},"modified":"2026-05-27T12:40:20","modified_gmt":"2026-05-27T16:40:20","slug":"over-5500-github-repositories-infected-in-megalodon-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/25\/over-5500-github-repositories-infected-in-megalodon-supply-chain-attack\/","title":{"rendered":"Over 5,500 GitHub Repositories Infected in &#8216;Megalodon&#8217; Supply Chain Attack"},"content":{"rendered":"<p><a href=\"https:\/\/www.securityweek.com\/over-5500-github-repositories-infected-in-megalodon-supply-chain-attack\/\">Over 5,500 GitHub Repositories Infected in &#8216;Megalodon&#8217; Supply Chain Attack<\/a><\/p>\n<p><a href=\"https:\/\/www.securityweek.com\/over-5500-github-repositories-infected-in-megalodon-supply-chain-attack\/\">https:\/\/www.securityweek.com\/over-5500-github-repositories-infected-in-megalodon-supply-chain-attack\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-25 03:40:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.securityweek.com\">www.securityweek.com<\/a><\/p>\n<p class=\"wp-block-paragraph\"><strong>More than 5,500 GitHub repositories were infected with malware in a supply chain attack that relies on automated commits, security researchers warn.<\/strong><\/p>\n<p class=\"wp-block-paragraph\">The campaign, dubbed Megalodon, relies on GitHub Actions workflows containing a payload designed to steal credentials, keys, tokens, and other secrets.<\/p>\n<p class=\"wp-block-paragraph\">The workflows, SafeDep says, were injected through over 5,700 malicious commits pushed to the impacted repositories within a six-hour window, on May 18.<\/p>\n<p class=\"wp-block-paragraph\">According to the cybersecurity firm, the attackers deployed two payloads as part of the 
attack. One was designed to add a new workflow that would be triggered on every push and pull request, and another replaced existing workflows with specific triggers, creating dormant backdoors.<\/p>\n<p class=\"wp-block-paragraph\">On infected machines, the malware would exfiltrate all CI environment variables, AWS credentials, GCP access tokens, Azure credentials, SSH private keys, Docker and Kubernetes configurations, API keys, database connection strings, GitHub Actions tokens, GitLab CI\/CD tokens, and dozens of other types of secrets.<\/p>\n<p class=\"wp-block-paragraph\">Megalodon, SafeDep explains, was discovered after malicious versions of the Tiledesk package, an open source live chat and chatbot platform, were identified. The infected packages were published between May 19 and May 21.<\/p>\n<p class=\"wp-block-paragraph\">\u201cThe same NPM account, eljohnny ([email\u00a0protected]), published both the clean 2.18.5 and the compromised versions. The attacker never touched the NPM account. They compromised the GitHub repository, and the maintainer published from the poisoned source without realizing it,\u201d SafeDep says.<\/p>\n<p class=\"wp-block-paragraph\">The malicious commit that led to the infection was pushed on May 18, authored by \u2018build-bot\u2019. 
SafeDep\u2019s investigation into the associated email address uncovered a total of 2,878 commits made on the same day, along with an additional 2,841 commits made via a second email address.<\/p>\n<p class=\"wp-block-paragraph\">\u201cAll 5,718 commits landed on the same day: May 18, 2026, across&#8230;<\/p>\n<p><a href=\"https:\/\/www.securityweek.com\/over-5500-github-repositories-infected-in-megalodon-supply-chain-attack\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Over 5,500 GitHub Repositories Infected in &#8216;Megalodon&#8217; Supply Chain Attack https:\/\/www.securityweek.com\/over-5500-github-repositories-infected-in-megalodon-supply-chain-attack\/ Publish Date: 2026-05-25 03:40:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":256997,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.securityweek.com\/wp-content\/uploads\/2024\/03\/GitHub.jpeg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32],"class_list":["post-256996","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/256996"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=256996"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/256996\/revisions"}],"predecessor-version":[{"id":256998,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/256996\/revisions\/256998"}],"wp:fe
aturedmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/256997"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=256996"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=256996"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=256996"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}