Researchers say the campaign abused compromised access tokens and deploy keys to inject malicious GitHub Actions workflows into thousands of public repositories.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

A large-scale automated attack dubbed Megalodon pushed 5,718 malicious commits into 5,561 public GitHub repositories within six hours on May 18, 2026. The campaign abused compromised Personal Access Tokens and deploy keys to inject backdoored GitHub Actions workflows containing base64-encoded bash payloads. These payloads targeted CI secrets including AWS/GCP credentials, SSH keys, Kubernetes configs, GitHub OIDC tokens, and environment variables, exfiltrating them to attacker-controlled infrastructure. The attack used forged bot-like author identities and hardcoded historical commit dates to disguise malicious activity as routine CI/CD maintenance. Researchers from SafeDep and OX Security noted similarities to prior TeamPCP supply chain compromises. IOCs including the C2 IP, commit signatures, and affected repository names have been published.

GitHub Actions abused by Megalodon attack to slip malicious commits into 5,500 repos