Megalodon GitHub CI/CD supply-chain campaign
Campaign
Summary
Hide ▲
Show ▼
The Megalodon campaign pushed 5,718 malicious commits into 5,561 GitHub repositories in about six hours, creating a broad CI/CD secret-theft risk across developer projects. Attackers used throwaway accounts and forged CI-style author identities to hide malicious GitHub Actions workflows inside ordinary-looking commits. Once merged, the workflows executed in pipelines and exfiltrated cloud credentials, SSH keys, OIDC tokens, and source-code secrets to a remote C2 server. The scale and automation make many repositories repeatable secret-harvesting targets.
Related Happenings
Single organization's private GitHub repository cloned after confirmed access
Data Leak
H score12
First: 09.07.2026 21:38
Last: 09.07.2026 21:38
Sources 1
About this happening:
**Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...
Single organization's private GitHub repository cloned after confirmed access
Data LeakAbout this happening: **Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...
GitHub API enumeration campaign targeting corporate organizations
Campaign
H score17
First: 09.07.2026 21:38
Last: 09.07.2026 21:38
Sources 1
About this happening:
A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...
GitHub API enumeration campaign targeting corporate organizations
CampaignAbout this happening: A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...
GitHub Agentic Workflows indirect prompt injection security flaw
Vulnerability
H score27
First: 07.07.2026 17:04
Last: 07.07.2026 17:04
Sources 1
About this happening:
**GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...
GitHub Agentic Workflows indirect prompt injection security flaw
VulnerabilityAbout this happening: **GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...
Codfish/semantic-release-action hit by network compromise
Incident
H score21
First: 26.06.2026 14:05
Last: 26.06.2026 14:05
Sources 1
About this happening:
The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...
Codfish/semantic-release-action hit by network compromise
IncidentAbout this happening: The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...
CI/CD pull-request privilege-escalation flaw (Cordyceps)
Vulnerability
H score32
First: 24.06.2026 15:48
Last: 24.06.2026 15:48
Sources 1
About this happening:
**Cordyceps** exposed a **CI/CD workflow privilege-escalation flaw** in **pull-request automation** that let **unauthenticated users** hijack privileged workflows and reach open-s...
CI/CD pull-request privilege-escalation flaw (Cordyceps)
VulnerabilityAbout this happening: **Cordyceps** exposed a **CI/CD workflow privilege-escalation flaw** in **pull-request automation** that let **unauthenticated users** hijack privileged workflows and reach open-s...
Timeline
-
22.05.2026 14:55 2 articles · 1mo ago
Initial report: Megalodon GitHub CI/CD supply-chain campaign
Initial DisclosureThe first phase focused on slipping malicious commits into repositories under forged CI-style identities. Those commits planted GitHub Actions workflows that could execute after merge and immediately start harvesting credentials from build environments.
Show sources
- Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows — thehackernews.com — 22.05.2026 14:55
- Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows — thehackernews.com — 22.05.2026 14:55