A new report in Security Week warns about a cyberattack that infected 5,561 GitHub open-source repositories with malware.
Cybersecurity researchers at SafeDep detailed how the May 18 supply chain attack, dubbed Megalodon, took advantage of GitHub Actions workflows to ultimately harvest user credentials and other data. A full list of the compromised GitHub repositories is available in the SafeDep security report.
The report also details how the hackers pulled off the attack:
On May 18, 2026, an automated campaign codenamed megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories in a six-hour window. Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected GitHub Actions workflows containing base64-encoded bash payloads that exfiltrate CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets to a C2 server at 216.126.225.129:8443.
A blog post at StepSecurity also documented the details of the attack.
