LOWSupply Chain
Global

Automated 'Megalodon' Campaign Spreads GitHub Repo Backdoors

·Source: Bank Info Security

Updated:

Executive Summary

Supply-Chain Attack Uses Malicious GitHub Actions Workflow File to Steal Secrets More than 5,000 GitHub repositories fell victim to an automated campaign, codenamed "Megalodon," in which an attacker injected malicio

Analysis

Supply-Chain Attack Uses Malicious GitHub Actions Workflow File to Steal Secrets More than 5,000 GitHub repositories fell victim to an automated campaign, codenamed "Megalodon," in which an attacker injected malicious GitHub Actions that executed a script designed to steal development environment secrets, plus a variety of keys, tokens and other credentials, researchers said.

Indicators of Compromise (2)

URL (1)
https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/articles/automated-megalodon-campaign-spreads-github-repo-backdoors-image_small-9-a-31772.jpg
VirusTotalURLhaus
Domain (1)
ismg-cdn.nyc3.cdn.digitaloceanspaces.com
VirusTotalURLhaus
Source Attribution

Originally published by Bank Info Security on May 26, 2026.

Related Threats

HIGHSupply Chain

Infected Red Hat npm packages expose developer credentials

Developers who pulled packages from Red Hat’s @redhat-cloud-services npm namespace over the weekend got a secret-stealing worm instead. Security researchers from several cybersecurity outlets are warning of a new supply chain attack compromising over 30 Red Hat Cloud Services-related npm packages to steal credentials, authentication tokens, and other secrets from developer environments. The campai

CSO Online
MEDIUMSupply Chain

Attackers Hijack Red Hat npm Scope to Steal Cloud Secrets

Attackers backdoored 32 packages in Red Hat's official npm scope to steal cloud and CI secrets

Infosecurity Magazine
HIGHSupply Chain

Attack targeting OpenAI Codex users exposes AI software supply chain risks

A malicious npm package posing as a remote user interface for OpenAI Codex exfiltrated developer authentication tokens, after attackers allegedly published code to npm that was not visible in the project’s public GitHub repository. Researchers at Aikido said the package, called codexui-android, appeared to offer legitimate functionality while collecting authentication tokens and sending them to an

CSO Online