Source: The Hacker News — 22 May 2026
What we are tracking
Cybersecurity researchers have disclosed details of a new automated campaign called Megalodon that has pushed 5,718 malicious commits to 5,561 GitHub repositories within a six-hour window. "Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected GitHub Actions workflows containing base64-encoded bash payloads that exfiltrate CI
RingSafe analysis
Megalodon is the most aggressive supply-chain CI/CD campaign of 2026 to date — 5,561 repositories compromised inside six hours via throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot). For Indian product engineering teams and IT-services firms managing client repositories, the immediate question is binary: would a malicious pull request from a fork trigger your default GitHub Actions workflow and exfiltrate organisational secrets? If yes, you are in the blast radius. Action this week: enforce GitHub branch-protection rules that require approval for workflows triggered from forks (pull_request_target is the dangerous trigger to audit), rotate any organisation-level Actions secrets exposed in the last 30 days, and enable secret-scanning Push Protection at the org level. Map to MITRE ATT&CK T1195.002 (Software Supply Chain Compromise), T1078.004 (Cloud Accounts), and OWASP Top 10 for CI/CD #1 (Insufficient Flow Control Mechanisms).
Read the original report
Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows → at The Hacker News