Megalodon GitHub supply chain attack compromising thousands of repositories through malicious CI/CD workflows and credential theft

A large GitHub supply chain attack dubbed Megalodon compromised more than 5,500 repositories in under six hours by injecting malicious workflows into the victims' GitHub Actions pipelines. The attackers used accounts posing as automation bots, together with disguised commits, to silently deploy credential-stealing backdoors.


The malware harvested AWS, Azure, GCP, SSH, Docker, Kubernetes, npm, and GitHub credentials while abusing OIDC tokens for cloud identity impersonation. One of the most serious downstream impacts involved the compromise of the Tiledesk repository, where poisoned workflows were later propagated to npm package releases.

Security experts recommend immediately auditing GitHub workflow files for unexpected changes, rotating every secret those workflows could reach, reviewing suspicious workflow runs, and pinning third-party GitHub Actions to full commit SHAs rather than mutable tags or branches. NPAV DLP solutions help organizations detect malicious CI/CD activity, block suspicious connections, and prevent credential theft from supply chain attacks.
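The pinning check from the recommendations above, as an added example that is not part of the article and not NPAV's code: a small Python script that walks a repository's workflow files and flags every `uses:` reference that resolves through a mutable tag or branch instead of a full 40-character commit SHA. The sample workflow embedded in it, including the SHA on the setup-node line, is constructed for the example.

```python
"""Flag GitHub Actions 'uses:' references that are not pinned to a full commit SHA.

Added example for this article; not NPAV code or any real project's tooling.
A mutable tag (actions/checkout@v4) or branch (@main) can be retargeted to
malicious code by whoever controls the action repository; a full commit SHA
cannot be silently moved.
"""
import re
import sys
from pathlib import Path

# Full-length git commit SHA. Short SHAs are rejected: they are not a pin.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches step-level ('- uses:' / 'uses:') and job-level reusable-workflow lines.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"#\s]+)""")

# Constructed sample workflow (not from the article). The SHA on the
# setup-node line is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (pinned)
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
      - name: Release
        uses: some-org/publish-action@main
  deploy:
    uses: some-org/reusable/.github/workflows/deploy.yml@v1
"""


def parse_uses(ref: str):
    """Split 'owner/repo[/path]@ref' into (action, ref).

    Returns None for local actions ('./...') and docker images: neither is
    resolved through a GitHub ref, so they need a different control (digests).
    """
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    if "@" not in ref:
        return ref, None
    action, _, version = ref.rpartition("@")
    return action, version


def find_unpinned(workflow_text: str):
    """Return [(line_no, action, ref)] for every 'uses:' not pinned to a full SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        parsed = parse_uses(match.group(1))
        if parsed is None:
            continue
        action, version = parsed
        if version is None or not SHA_RE.match(version):
            findings.append((line_no, action, version))
    return findings


def audit_repo(repo_root) -> dict:
    """Scan .github/workflows/*.yml and *.yaml under repo_root; map path -> findings."""
    workflows = Path(repo_root) / ".github" / "workflows"
    results = {}
    for path in sorted(list(workflows.glob("*.yml")) + list(workflows.glob("*.yaml"))):
        findings = find_unpinned(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    # With a repo path argument, audit that checkout; otherwise run on the sample.
    if len(sys.argv) > 1:
        source = list(audit_repo(sys.argv[1]).items())
    else:
        source = [("<sample>", find_unpinned(SAMPLE_WORKFLOW))]
    for path, findings in source:
        for line_no, action, version in findings:
            print(f"{path}:{line_no}: {action}@{version or '<none>'} is not pinned to a commit SHA")
    sys.exit(1 if any(f for _, f in source) else 0)
```

Run it as a required CI check (it exits non-zero on any finding) so an unpinned reference cannot be merged quietly. When pinning, keep the human-readable version in a trailing comment, as the sample does, and let a dependency-update bot refresh the SHA and comment together; a SHA pin protects against a retargeted tag, not against a malicious commit that was already pinned, so the audit of recent workflow changes in the recommendations still applies.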


Data Loss Prevention (DLP) – Prevents leakage of cloud tokens, API keys, SSH keys, and sensitive credentials.