Skip to content

Automated Attack Campaign Injects Over 5,700 Malicious Commits into GitHub

The Bottom Line: An automated attack campaign compromised thousands of GitHub repositories through malicious commits in development processes, targeting the software supply chain rather than production vulnerabilities.

On May 18, 2026, attackers infiltrated 5,718 malicious commits into 5,561 GitHub repositories within six hours via compromised developer accounts. The “Megalodon” campaign, discovered by SafeDep, deliberately targets the software supply chain – not individual vulnerabilities in production systems.

The automated attack operation planted two types of malicious code: an offensive workflow that executes on every code push, and a covert one that embeds itself as a dormant backdoor. Notably, the obfuscation tactic left no visible CI executions, failed builds, or suspicious entries in the action history. SafeDep uncovered the campaign, while an independent analysis by OX Security confirmed the discovery and identified over 3,500 affected repositories with identical YAML configurations.

The extracted malicious logic systematically targeted high-value access: AWS keys, Google Cloud and Azure tokens, SSH keys, Docker and Kubernetes configurations, Vault tokens, Terraform credentials, and GitHub Actions tokens. The arsenal comprised more than 30 additional secret patterns. For a CISO, Megalodon represents a fundamental shift in the attack surface: the focus is no longer on individual vulnerabilities in production environments, but on the processes that build and deliver software – repositories, build processes, automated tests, release pipelines, and cloud deployments.

The technical sophistication lies in disguising malicious changes as routine adjustments to automated development processes. For many organizations, this is particularly dangerous because such changes appear normal – like process maintenance, an adaptation to build logic, or a minor intervention in automations that are constantly changing anyway. Megalodon does not merely attack code, but the trust in processes themselves.

The central consequence for CISO responsibility: trust is an attack surface. Those who want to operate software securely must take the digital supply chain just as seriously as the production environment. Security leaders must know where trust is technically enforced and how it can be exploited. This can be safeguarded through threat intelligence – not through reactive controls alone, but through proactive knowledge of attacker methods. Organizations that continuously align their manufacturing processes with current threat intelligence prevent incidents or limit their impact early enough that the supply chain remains intact.


Source: www.it-daily.net · Published July 9, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.

Share on: