GitHub Hit with Another Major Attack — Megalodon Hits over 5,000 Repos with Malware-Laden Commits


TechRadar Pro
May 25, 2026

Why It Matters

The breach exposes critical development credentials, enabling attackers to hijack cloud resources and compromise software delivered to millions of downstream users, underscoring the fragility of the software supply chain.

Key Takeaways

  • Megalodon infected >5,500 GitHub repos with secret‑stealing commits
  • Fake “build‑bot” mimics automated CI/CD commits to lure maintainers
  • Steals AWS, GCP, Azure keys, SSH keys, Docker/K8s configs
  • Compromised repos can poison npm packages, exposing downstream users

Pulse Analysis

The Megalodon campaign marks a significant escalation in open‑source supply‑chain threats. By masquerading as an automated build bot, the actors inject malicious code directly into pull requests, allowing the malware to harvest a wide array of credentials from continuous‑integration pipelines. Unlike traditional ransomware, this infostealer focuses on exfiltrating cloud access tokens, SSH keys, and container orchestration configurations, giving adversaries the ability to spin up unauthorized workloads, siphon data, or pivot within victim environments.

The impact extends beyond the immediate repository owners. When compromised code is published to package registries such as npm, downstream developers unknowingly inherit the backdoor, as demonstrated by the Tiledesk incident where several versions were released with the hidden payload. This chain reaction can affect thousands of applications that depend on the polluted package, amplifying the attack surface across the JavaScript ecosystem and potentially compromising end‑user systems.

Megalodon’s emergence signals a broader trend of opportunistic actors copying playbooks from notorious groups like TeamPCP. Organizations must reinforce their DevSecOps practices: enforce strict code‑review policies, require signed commits, and continuously scan dependencies for anomalous behavior. Automated secret‑detection tools and real‑time monitoring of CI/CD workflows are essential to detect and quarantine malicious commits before they propagate, safeguarding both the integrity of open‑source projects and the security of the cloud services they rely on.
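As an added illustration of the commit triage the analysis calls for (this is not code from TechRadar, GitHub or any tool named above), the Python heuristic below scores commits on the three signals the article describes: a bot-like author name without a verified signature, edits to CI/CD pipeline definitions, and added lines that reference the credential stores the stealer targets. The path list, file patterns and sample commit history are constructed assumptions, not data from the Megalodon campaign.

```python
import re
from dataclasses import dataclass

# Credential stores the article says the stealer targets (cloud, SSH, Docker, K8s).
CREDENTIAL_PATHS = (".aws/credentials", ".ssh/id_", ".kube/config",
                    ".docker/config.json", ".config/gcloud/", ".azure/")
# Pipeline definitions a fake build bot would most plausibly edit (assumed set).
CI_FILES = re.compile(r"^(\.github/workflows/|\.gitlab-ci\.yml$|Jenkinsfile$|\.circleci/)")
# Author names that imitate automation; a real bot should carry a verified signature.
BOT_LIKE = re.compile(r"\b(bot|ci|build|actions)\b", re.I)

@dataclass
class Commit:
    sha: str
    author: str
    signature_verified: bool   # e.g. from `git log --show-signature` or the forge API
    files: list                # paths touched by the commit
    added: str                 # concatenated '+' lines of the diff

def triage(commit: Commit) -> list:
    """Return reasons this commit deserves human review; empty means nothing fired."""
    reasons = []
    if BOT_LIKE.search(commit.author) and not commit.signature_verified:
        reasons.append("bot-like author name without a verified signature")
    if any(CI_FILES.match(f) for f in commit.files):
        reasons.append("modifies CI/CD pipeline definitions")
    hits = [p for p in CREDENTIAL_PATHS if p in commit.added]
    if hits:
        reasons.append("added lines reference credential stores: " + ", ".join(hits))
    return reasons

def flag_commits(commits, min_reasons=2) -> dict:
    """Map sha -> reasons for commits that trip at least `min_reasons` heuristics."""
    flagged = {}
    for c in commits:
        reasons = triage(c)
        if len(reasons) >= min_reasons:
            flagged[c.sha] = reasons
    return flagged

# Constructed sample history: two benign commits (one from a signed, genuine bot)
# and one impostor "build-bot" commit that edits the pipeline to read credential files.
SAMPLE_COMMITS = [
    Commit("a1b2c3d", "Jane Dev", True, ["src/index.js"], "export const add = (a, b) => a + b;"),
    Commit("e4f5a6b", "dependabot[bot]", True, ["package.json"], '"lodash": "4.17.21"'),
    Commit("c0ffee3", "build-bot", False, [".github/workflows/ci.yml"],
           "- run: cat ~/.aws/credentials ~/.kube/config"),
]

if __name__ == "__main__":
    for sha, reasons in flag_commits(SAMPLE_COMMITS).items():
        print(sha, "->", "; ".join(reasons))
```

Requiring two or more signals keeps a legitimately signed bot or a routine workflow edit from being flagged on its own, while the impostor commit trips all three.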

