Live Cybersecurity News Ticker | Codekeeper

Over 5,500 GitHub Repositories Hit by 'Megalodon' Supply Chain Attack

Written by Content Team | May 25, 2026 8:47:44 PM

More than 5,500 GitHub repositories were infected with malware on May 18, 2026, in a supply chain attack called Megalodon. Attackers pushed 5,718 malicious commits across a six-hour window using two email addresses, injecting rogue GitHub Actions workflows designed to steal credentials, AWS keys, SSH private keys, API tokens, and dozens of other secrets from CI environments.

The attack was discovered after compromised versions of the Tiledesk npm package were published May 19–21. The maintainer unknowingly published from a poisoned source — the attacker never touched the npm account, only the GitHub repo. A dormant backdoor was also planted, triggerable later via the GitHub API using stolen tokens.
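As an added defender-side illustration (not code from the article or from SecurityWeek), the script below audits a repository's git history for the injection pattern described here: workflow files added under `.github/workflows/` by commits whose author address is not on a maintainer allowlist, plus bursts of such commits inside a six-hour window. The `git log` format, the sample hashes, paths and addresses are assumptions constructed for the example.

```python
# Added audit script (not from the article or SecurityWeek): flags commits that
# add GitHub Actions workflow files under an unrecognised author e-mail, and
# bursts of such commits within a short window. Assumes the text came from:
#   git log --format='commit %H|%ae|%aI' --name-status --diff-filter=A
from collections import defaultdict
from datetime import datetime, timedelta

WORKFLOW_DIR = ".github/workflows/"

# Constructed sample log; hashes and addresses are placeholders, not real IoCs.
SAMPLE_LOG = """\
commit aaa111|maintainer@example.org|2026-05-17T09:00:00+00:00
A\tsrc/feature.js
commit bbb222|ci-bot@attacker.invalid|2026-05-18T10:05:00+00:00
A\t.github/workflows/ci-helper.yml
commit ccc333|ci-bot@attacker.invalid|2026-05-18T12:40:00+00:00
A\t.github/workflows/deploy-check.yml
commit ddd444|maintainer@example.org|2026-05-18T15:00:00+00:00
A\t.github/workflows/release.yml
"""

def parse_log(text):
    """Return [(sha, author_email, timestamp, [added paths])] per commit."""
    commits = []
    for line in text.splitlines():
        if line.startswith("commit "):
            sha, email, ts = line[len("commit "):].split("|")
            commits.append((sha, email, datetime.fromisoformat(ts), []))
        elif line.startswith("A\t") and commits:   # --name-status 'A' = added
            commits[-1][3].append(line.split("\t", 1)[1])
    return commits

def rogue_workflow_commits(text, allowed_emails):
    """Commits adding a workflow file whose author is not an allowed maintainer."""
    allowed = {e.lower() for e in allowed_emails}
    flagged = []
    for sha, email, ts, paths in parse_log(text):
        new_wf = [p for p in paths if p.startswith(WORKFLOW_DIR)]
        if new_wf and email.lower() not in allowed:
            flagged.append((sha, email, ts, new_wf))
    return flagged

def burst_authors(flagged, window=timedelta(hours=6), min_commits=2):
    """Authors whose flagged commits all fall inside `window` (Megalodon: 6 h)."""
    by_author = defaultdict(list)
    for _sha, email, ts, _paths in flagged:
        by_author[email].append(ts)
    return {e: len(t) for e, t in by_author.items()
            if len(t) >= min_commits and max(t) - min(t) <= window}
```

Run `rogue_workflow_commits(SAMPLE_LOG, ["maintainer@example.org"])` to list the two unrecognised workflow additions, and pass the result to `burst_authors` to see that both came from one address within the window.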

Source: SecurityWeek