Security researchers uncovered one of the largest automated attacks on open source infrastructure in recent memory. On May 18, 2026, an operation called Megalodon flooded GitHub with thousands of malicious commits. The targets? More than 5,500 public repositories. The method? Forged bot accounts slipping poisoned GitHub Actions workflows into legitimate projects.
The numbers tell a story of speed and scale. Between 11:36 a.m. and 5:48 p.m. UTC, attackers pushed 5,718 commits across 5,561 distinct repositories. They acted in a tight six-hour window. SafeDep first documented the campaign after its Malysis scanner flagged hidden scripts inside what looked like routine maintenance files. The firm published a full list of affected repositories along with technical analysis that other teams quickly verified.
But how did it happen so fast? Attackers relied on throwaway GitHub accounts with randomized eight-character usernames. They forged author identities. Names like build-bot, auto-ci, ci-bot and pipeline-bot appeared in commit metadata. These mimicked the automated tools developers trust. Some accounts used compromised personal access tokens or deploy keys stolen earlier. Others simply created fresh profiles. The commits carried deceptive messages that blended with normal CI activity.
Two distinct techniques emerged. The first, labeled SysDiag, added a new file named .github/workflows/ci.yml. It triggered on every push or pull_request_target event. The second, Optimize-Build, proved more cunning. It replaced or modified existing workflow files and set the trigger to workflow_dispatch. That choice kept the backdoor dormant until activated through the GitHub API or a stolen token. Both variants hid their true purpose behind base64-encoded bash scripts. Once decoded, the payload stretched 111 lines. It collected data aggressively.
What did the malware steal? Almost everything a CI runner could touch. Environment variables. Files from /proc/*/environ and PID 1. Cloud credentials from AWS, Google Cloud and Azure, including instance metadata queries. SSH private keys. Docker and Kubernetes configurations. npm and PyPI tokens. Vault secrets. Terraform state. Shell command history. Over 30 regular expressions hunted for API keys, database strings, JWTs, PEM files and .env contents. The script even grabbed the GITHUB_TOKEN and OpenID Connect tokens that grant temporary but powerful access. All of it funneled to a command-and-control server at 216.126.225.129:8443. The exfiltration used POST requests with custom headers, truncated files larger than 5MB, added random sleep delays to avoid detection. One parameter in the traffic read “megalodon.”
OX Security confirmed the scope days later. Its researchers counted more than 3,500 repositories already carrying the infected YAML files. The number kept climbing. Lead researcher Moshe Siman Tov Bustan described the attack in stark terms. “We’ve entered a new supply chain attack era, and TeamPCP compromising GitHub was only the beginning. What’s coming next is an endless wave,” he wrote in an analysis published May 21. The firm noted similarities to earlier TeamPCP operations. Those included fake commit dates. One variant here used September 17, 2001. Another echoed a January 2099 timestamp seen before.
Recent reporting ties the campaign directly to credentials harvested by infostealers. Hudson Rock analysis showed that roughly one-third of the unique usernames matched known victims of such malware. Compromised developer machines provided the initial access. From there, attackers moved to GitHub. They injected workflows that would run in cloud CI environments. If maintainers merged the changes, the damage spread. The pipeline executed the payload. Secrets leaked. And the attacker gained fresh footholds to target downstream projects or private repositories linked to the same accounts.
This incident follows closely on the heels of TeamPCP’s breach of GitHub itself. In mid-May, the group used a poisoned VS Code extension to access roughly 3,800 internal repositories belonging to the company. GitHub disclosed the unauthorized access on May 20 but has remained silent on Megalodon so far. The pattern feels familiar. Financial motives drive much of the activity. Some operations carry geopolitical fingerprints, including wipers aimed at targets in Iran and Israel. Yet the Megalodon campaign stands out for its pure automation and focus on CI/CD infrastructure.
SecurityWeek reported the latest tally at over 5,500 repositories affected. Its coverage highlighted the credential-stealing payload and warned that the attack continues to expand. The Hacker News added granular detail on the data types exfiltrated and noted the rotation of four author names and seven commit messages for operational security. Researchers emphasized one point repeatedly. Many repositories remain vulnerable because branch protections are weak or nonexistent on default branches where these commits landed.
Developers face hard choices now. Reverting commits offers one path. Auditing every workflow file for suspicious base64 strings or unexpected .github directory changes becomes mandatory. Rotating all credentials exposed in CI runners follows immediately. Blocking the known C2 IP buys time. Yet the underlying problem persists. GitHub Actions runs with broad permissions by default in many projects. OIDC federation reduces long-lived secrets but introduces new trust relationships that attackers can abuse once inside the pipeline.
StepSecurity described Megalodon as a textbook case of direct Poisoned Pipeline Execution. The firm’s blog, referenced across multiple outlets, stressed that adversaries with write access can inject code straight into workflow definitions. Execution happens on the next run. No user interaction required beyond a merge. That simplicity explains the speed.
And the impact reaches far beyond the 5,500 public repositories. Private repos linked to the same maintainer accounts sit at risk. Organizations pulling dependencies or using shared CI configurations could inherit the compromise downstream. Cloud environments tied to leaked keys face direct exposure. The attack doesn’t just steal code. It hands attackers live access to production infrastructure.
GitHub has published guidance on securing Actions workflows. One post from April outlined steps to tighten permissions, pin dependencies, and review third-party actions. Those recommendations now read like a checklist written in anticipation of exactly this scenario. Whether the company will take more aggressive steps, such as automated scanning of incoming commits or stricter defaults on public repositories, remains unclear.
Researchers warn the wave has only started. OX Security’s Bustan called for treating malicious code with the same urgency social media platforms apply to harmful content. Flag it. Remove it before users see it. “This isn’t something that’s going to stop soon unless companies like npm and GitHub take serious action,” he added. Similar sentiments appear in coverage from Cybernews and The Register, which described the campaign as predatory and aggressive.
So what should security teams do today? Scan repositories for the telltale Base64 prefix Q0I9Imh0dHA6Ly8yMTYu. Review recent commits from unfamiliar bot accounts. Enforce required reviews on all branches. Adopt least-privilege principles for workflows. Monitor for unexpected workflow_dispatch triggers. Rotate secrets aggressively when exposure is suspected. And treat every merge from an automated-looking account with fresh skepticism.
The Megalodon campaign reveals how fragile the open source supply chain has become. Developers ship code at high velocity. Automation handles builds and deployments. Attackers simply joined the assembly line. They didn’t need zero-days or sophisticated exploits. Just stolen credentials, a bit of social engineering on commit metadata, and knowledge of how GitHub Actions actually works. The result was thousands of backdoors planted in hours.
Future incidents will likely grow more sophisticated. Dormant payloads that activate only under specific conditions. Self-propagating workflows that compromise additional repositories without human merges. Integration with infostealer campaigns to create continuous credential pipelines. The infrastructure for these attacks already exists. The question is how quickly defenders can adapt.
For now, the compromised repositories stand as a warning. Open source powers much of modern software. When its foundations are poisoned at this scale, the ripple effects touch every company that depends on it. Megalodon didn’t just steal secrets. It demonstrated how easily the entire pipeline can be turned against its users.
WebProNews is an iEntry Publication