Five thousand five hundred sixty-one repositories. That’s how many GitHub projects got infected, according to a fresh Security Week report. The culprit is Megalodon.

It’s not a fish. It’s a supply chain attack that hit on May 18. SafeDep researchers laid out the details. The bad actors didn’t sneak in quietly. They used throwaway accounts. Forged identities. Names like build-bot or pipeline-bot. Trustworthy names for untrustworthy work.

In just six hours, an automated campaign pushed 5,71 malicious commits. That’s a lot of changes to make when nobody is looking.

The goal? Steal secrets.

CI secrets. Cloud credentials. SSH keys. OIDC tokens. Source code. The malware injected base64-encoded bash scripts directly into GitHub Actions workflows. Every time a pipeline ran, it dumped user data to a command and control server at 216.126.l225.12.l:8443.

StepSecurity called it what it is.

“Megalodon is a textbook direct Poison Pipeline Execution (d-PPE) attack.” That is a class of CI/CD exploit in which someone with write access injects bad code directly into workflow files. The CI system then runs those commands like a good little worker.

Did it really have to happen this fast? Probably. Automated campaigns don’t wait. They just execute.

SafeDep warns everyone involved to revert their repos immediately. Audit every workflow file. Check the history. Look for the fake bot authors. It might be too late for some.
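One way to start that audit on a checked-out repo, as an added example that is not code from SafeDep, StepSecurity or GitHub: flag workflow steps that decode a base64 blob straight into a shell (the injection shape described above), flag any long opaque blob for a human look, and filter `git log` output for the throwaway bot author names. The sample workflow and the author list are constructed for the demo; the regexes are my own assumptions about the payload shape, not a published signature.

```python
import re
from pathlib import Path

# A run: step that decodes base64 straight into a shell is the d-PPE shape described above.
DECODE_TO_SHELL = re.compile(
    r"base64\s+(?:-d|--decode)\b.*\|\s*(?:ba)?sh\b"  # ... | base64 -d | bash
    r"|(?:ba)?sh\s+(?:-c\s+)?[\"']?[<$]\(.*base64\s+(?:-d|--decode)"  # bash <(... | base64 -d)
)
LONG_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")  # opaque blob: worth a human look
SUSPECT_AUTHORS = {"build-bot", "pipeline-bot"}  # names the campaign reused; extend for your org

def scan_workflow_text(text: str) -> list[tuple[int, str]]:
    """Return (line_no, reason) for each suspicious line of one workflow file."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if DECODE_TO_SHELL.search(line):
            findings.append((no, "base64 payload decoded into a shell"))
        elif LONG_BLOB.search(line):
            findings.append((no, "long base64-looking blob in workflow"))
    return findings

def scan_repo_workflows(repo: Path) -> dict[str, list[tuple[int, str]]]:
    """Scan every YAML file under .github/workflows of a checked-out repo."""
    hits = {}
    for wf in sorted((repo / ".github" / "workflows").glob("*.y*ml")):
        found = scan_workflow_text(wf.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[str(wf.relative_to(repo))] = found
    return hits

def suspect_commit_authors(log_lines, suspects=SUSPECT_AUTHORS):
    """Filter `git log --format='%H %an'` output down to commits by suspect authors."""
    flagged = []
    for line in log_lines:
        sha, _, author = line.partition(" ")
        if author.strip().lower() in suspects:
            flagged.append((sha, author.strip()))
    return flagged

# Constructed sample, not from the campaign: one step shaped like the injected ones.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "ZWNobyBoZWxsbw==" | base64 -d | bash
"""
```

Run `scan_repo_workflows(Path("."))` from the repo root and feed `git log --since='2 weeks ago' --format='%H %an' -- .github/workflows` into `suspect_commit_authors` to cover both checks SafeDep lists.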

GitHub posted something on May 20 about an employee device getting compromised. That story has a headline. The Megalodon attack does not. At least, not from GitHub yet.

Silence isn’t always an apology. Sometimes it’s just noise. You might want to check your own dependencies before you push another commit.