Megalodon: the most aggressive attack in GitHub history compromised 5,500+ repos in 6 hours

AI News 🟢 Beginner ⏱️ 14 min read 📅 2026-05-24

🔎 GitHub under siege: a week in May 2026 that changes everything

On May 18, 2026, a Monday like any other, GitHub suffered the most brutal supply chain attack in its history. In just six hours, 5,561 repositories were infected by malicious CI/CD workflows. The codename: Megalodon.

Two days later, on May 20, GitHub confirmed a second breach — 3,800 internal repos stolen via a malicious VS Code extension. Two different attacks, same week, same target: the developer supply chain.

This is not an accident. It is a paradigm shift. Attackers are no longer targeting servers. They are targeting the tools developers use every day — GitHub Actions, editor extensions, CI/CD pipelines. And automation makes these campaigns terrifyingly effective.


The essentials

  • Megalodon injected 5,718 malicious commits into 5,561 GitHub repos in 6 hours on May 18, 2026, according to SafeDep researchers.
  • The attack used fake CI identities (build-bot, ci-bot, pipeline-bot) to pass off malicious commits as automated maintenance.
  • Goal: theft of cloud secrets, access tokens, and developer credentials via hijacked GitHub Actions workflows.
  • In the same week, a second breach compromised 3,800 internal GitHub repos via the poisoned Nx Console v18.95.0 extension, which remained for 11 minutes on VS Marketplace according to Dataconomy.
  • These two attacks illustrate a trend: CI/CD pipelines and extension ecosystems have become the preferred attack vectors in 2026.

Tool | Main usage | Price (May 2026, check on site.com) | Ideal for
--- | --- | --- | ---
Hostinger | Secure hosting for web projects | From 2.99 €/month | Isolated deployment of critical projects
SafeDep | Supply chain analysis and malware detection | Free (open source) | Dependency audits and CI workflows
GitHub Advanced Security | Secret scanning, Dependabot, code scanning | Included in Enterprise, paid for Teams | Teams with public and private repos

Anatomy of Megalodon: how 5,500 repos fell in 6 hours

Megalodon is not a sophisticated attack in its principle. It is a brute force attack, automated to the extreme, that exploits a fundamental flaw in the GitHub ecosystem: blind trust in CI/CD commits.

SafeDep researchers traced the entire attack chain according to CyberAttaque. Everything unfolded in six hours. 5,718 commits pushed. 5,561 repos affected. A rate of nearly 16 commits per minute.

The technique: impersonating a CI bot

The core trick of Megalodon relies on the impersonation of CI/CD bots. The attacker created GitHub accounts with explicit names: build-bot, auto-ci, ci-bot, pipeline-bot.

These accounts used email addresses like [email protected] or [email protected]. The goal was clear: to mimic the automated identities found in any project using GitHub Actions or Travis CI.

When a maintainer sees a commit from "ci-bot" with a message like "Update CI workflow" or "Fix pipeline configuration", they don't get alarmed. That is exactly what Megalodon was exploiting.

The payload: booby-trapped GitHub Actions workflows

The injected commits contained modified YAML files in the .github/workflows/ directory. These modified workflows included additional steps designed to exfiltrate secrets.

According to the analysis by The Hacker News on similar attacks targeting GitHub Actions, the technique generally consists of adding a step that reads the CI runner's environment variables and sends them to an attacker-controlled server.

GitHub Actions automatically exposes the secrets configured in the repository settings as environment variables. A malicious workflow simply has to read them and post them somewhere. It is as simple as it is dangerous.

The scale: why so fast

What sets Megalodon apart from previous supply chain attacks is the scale. 5,561 repos in 6 hours is not manual work. Researchers from Martin Cid point out that the attack was fully automated.

The attacker likely used scripts to identify vulnerable repos (with open write permissions, modifiable existing CI/CD workflows), then massively pushed the commits via the GitHub API.

This automation echoes what is observed in generative AI attacks. Tools like DeepSeek-TUI show how code agents can manipulate repos at high speed. The same principle, inverted: instead of coding, malicious code is injected.


The VS Code breach: 3,800 internal GitHub repos stolen in the same week

While Megalodon targeted public repos, the second breach of the week struck closer to GitHub's core. On May 20, 2026, GitHub confirmed that 3,800 internal repos had been compromised.

The origin: an employee device infected via a malicious VS Code extension, as detailed by Dataconomy.

Nx Console v18.95.0: 11 minutes is all it takes

The TeamPCP group published the Nx Console v18.95.0 extension on the VS Code Marketplace on May 18, 2026. According to AwesomeAgents, it remained online for only 11 minutes before being taken down. On Open VSX, the alternative registry, it remained for 36 minutes.

Eleven minutes. That's all the time it took to compromise a GitHub employee and, by extension, gain access to 3,800 internal repos containing proprietary code, keys, and tokens.

The poisoned extension contained a payload that stole GitHub tokens, SSH keys, and cloud credentials stored on the victim's machine. Once the GitHub token was retrieved, the attacker had access to everything the employee could see.

The fundamental difference with Megalodon

Megalodon was a massive, automated external attack targeting thousands of public repos. The VS Code breach was a targeted, surgical attack aiming for a single entry point to reach GitHub's own internal repos.

Two different vectors. Same lesson: the developer toolchain is the weak link. Multi-agent orchestration platforms like Ruflo clearly illustrate the growing complexity of developer toolchains — and the more components there are, the wider the attack surface expands.


GitHub Actions as an attack vector: a structural trend

Megalodon is not an isolated case. It is the culmination of a trend that has been accelerating since 2025: supply chain attacks specifically targeting GitHub Actions.

Past incidents: Shai Hulud v2, GhostAction, tj-actions

Stéphane Robert's blog documents several supply chain attacks on GitHub Actions between 2025 and 2026:

  • Shai Hulud v2: malicious code injection into popular actions by modifying tags to point to corrupted commits.
  • GhostAction: creation of ghost GitHub Actions mimicking legitimate actions, with similar names to trap inattentive maintainers.
  • tj-actions: compromise of a widely used third-party action, affecting thousands of repositories in cascade.
  • hackerbot-claw: tag hijacking technique to redirect to a commit controlled by the attacker.

The hijacked tag technique

The Hacker News describes a particularly insidious method: an attacker forks a repository containing a GitHub Action, modifies the code in a branch, then pushes a tag pointing to this malicious commit. Repositories that reference the action by its tag (and not by a commit hash) then execute the malicious code without any warning.

This is exactly the type of technique that Megalodon scaled up. The attack did not innovate on a technical level. It innovated in terms of scale and speed.

Why GitHub Actions is so vulnerable

GitHub Actions presents several structural flaws. Workflows execute with the repository's secrets. Third-party actions are referenced by modifiable tags. Review of changes in .github/workflows/ is often neglected by maintainers.

Add to this the fact that most open source projects accept external contributions with broad write permissions, and you get an ideal playground for attacks like Megalodon.


The role of AI automation in accelerating attacks

One of the most concerning aspects of Megalodon is its pace. 5,718 commits in 6 hours. This implies advanced automation, likely assisted by language models.

LLM-powered malicious agents

Current agentic models like GPT-5.5 (agentic score of 98.2 according to June 2025 benchmarks), Claude Opus 4.7 (94.3) or Gemini 3 Pro Deep Think (95.4) are capable of analyzing GitHub repositories, identifying vulnerable CI/CD workflows, and generating targeted payloads autonomously.

There is no evidence that Megalodon directly used these models. But the technical capability exists. An agent based on GPT-5.5 could theoretically: scan repositories via the GitHub API, identify those with modifiable workflows, generate payloads tailored to each CI configuration, and push them automatically.

The speed of the attack is consistent with this scenario. A human alone could not analyze and compromise 16 repositories per minute for 6 hours.

The irony: the tools that protect us can also attack us

The same class of tools that enables the creation of automated security agents also enables the creation of automated attack agents. Models like DeepSeek V4 Pro (88 overall, 84 agentic) or Claude Sonnet 4.6 (83 overall, 81.4 agentic) are accessible via API and can be chained in attack pipelines.

This is a structural problem within the AI ecosystem. The barrier to entry for sophisticated supply chain attacks has never been lower.


Comparison of the two May 2026 attacks

Criterion | Megalodon | VS Code breach (TeamPCP)
--- | --- | ---
Date | May 18, 2026 | May 18-20, 2026
Vector | Injected GitHub Actions workflows | Poisoned VS Code extension
Targets | 5,561 public repositories | 3,800 GitHub internal repositories
Duration | 6 hours | 11 minutes (presence on marketplace)
Method | Automated commits with fake CI identities | Token theft via payload in the extension
Stolen items | Cloud secrets, credentials, tokens | GitHub tokens, SSH keys, cloud credentials
Discoverer | SafeDep | GitHub (internal)
Source | CybersecurityNews | Dataconomy

Two attacks, two methods, one common conclusion: the developer ecosystem is under pressure like never before.


How to practically protect yourself

Lock down CI/CD workflow permissions

The first measure is also the simplest: restrict who can modify files in .github/workflows/. GitHub allows you to configure branch protection rules that require code reviews for any workflow modifications.

This would not have stopped Megalodon in unprotected repositories, but it would have drastically reduced the attack surface.

Use commit hashes instead of tags

Never reference a GitHub action by a tag (uses: action@v2) but by a commit hash (uses: action@abc123def). Tags are mutable. Commit hashes are not.

This is the direct lesson from the attacks documented by The Hacker News on tag hijacking.
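
A checker for this rule, added here as an illustration and not taken from any tool named in the article: it scans workflow text for `uses:` references and reports every one that is not pinned to a full 40-character commit SHA. The `example-org/...` action names and the sample workflow are constructed.

```python
import re

# `uses: owner/repo[/path]@ref`, optionally inside a list item and optionally quoted.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full-length commit SHA


def unpinned_actions(workflow_text):
    """Return (line_no, reference) for each action not pinned to a full commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):          # action stored in the same repository
            continue
        if ref.startswith("docker://"):   # images are pinned by digest, not by commit
            if "@sha256:" not in ref:
                findings.append((line_no, ref))
            continue
        _, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):  # tag, branch or abbreviated SHA
            findings.append((line_no, ref))
    return findings


# Constructed workflow: action names and the SHA are made up for the example.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout-action@v4
      - uses: example-org/setup-action@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - name: lint
        uses: example-org/lint-action@main
      - uses: ./.github/actions/local-build
      - uses: example-org/short-sha@abc123d
"""

if __name__ == "__main__":
    for line_no, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a full commit SHA")
```

Run over every file in .github/workflows/ as a required CI check, it turns the pinning rule into something a pull request cannot skip.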

Audit commit identities

Megalodon's commits used identities like [email protected]. A regular audit of commits on your repositories, particularly those modifying CI files, helps detect suspicious patterns.

Tools like GitHub Advanced Security can help, but human vigilance remains irreplaceable for this type of behavioral detection.
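
One way to run this audit on a local clone, as an added example that is not code from SafeDep or GitHub: it parses `git log` output restricted to .github/workflows/ and flags commits whose author name is one of the bot names listed in this article. The sample log, its hashes and its email addresses are constructed, and matching on the Git author name is an assumption about how those identities appear in your history.

```python
import subprocess

# Author names this article attributes to the Megalodon commits.
# Assumption: they show up as the Git author name in your history.
BOT_NAMES = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
WORKFLOW_DIR = ".github/workflows/"
# One record per commit: \x01 hash \x1f author name \x1f author email \x1f author date;
# --name-only then lists the changed paths under each record.
LOG_FORMAT = "%x01%H%x1f%an%x1f%ae%x1f%aI"

def read_git_log(repo=".", since="2026-05-18"):
    """Run git log on a local clone, restricted to workflow files."""
    cmd = ["git", "-C", repo, "log", "--all", f"--since={since}",
           f"--format={LOG_FORMAT}", "--name-only", "--", WORKFLOW_DIR]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def parse_git_log(text):
    """Turn raw log text into dicts with sha, name, email, date and paths."""
    commits = []
    for record in text.split("\x01")[1:]:
        header, _, body = record.partition("\n")
        sha, name, email, date = header.split("\x1f")
        paths = [p for p in body.splitlines() if p.strip()]
        commits.append({"sha": sha, "name": name, "email": email,
                        "date": date, "paths": paths})
    return commits

def suspicious_commits(commits):
    """Commits that change a workflow file under one of the listed bot names."""
    return [c for c in commits
            if c["name"].strip().lower() in BOT_NAMES
            and any(p.startswith(WORKFLOW_DIR) for p in c["paths"])]

# Constructed sample in LOG_FORMAT (hashes, emails and paths are made up).
SAMPLE_LOG = (
    "\x01" + "a" * 40 + "\x1fAlice Maintainer\x1falice@example.org\x1f2026-05-17T09:12:00+00:00\n"
    "\n.github/workflows/test.yml\n"
    "\x01" + "b" * 40 + "\x1fci-bot\x1fci-bot@example.invalid\x1f2026-05-18T14:03:21+00:00\n"
    "\n.github/workflows/ci.yml\n"
    "\x01" + "c" * 40 + "\x1fPipeline-Bot\x1fpb@example.invalid\x1f2026-05-18T14:03:25+00:00\n"
    "\n.github/workflows/release.yml\n.github/workflows/ci.yml\n"
)

if __name__ == "__main__":
    # Swap SAMPLE_LOG for read_git_log("/path/to/clone") to audit a real repository.
    for c in suspicious_commits(parse_git_log(SAMPLE_LOG)):
        print(c["sha"][:12], c["date"], c["name"], c["email"], ", ".join(c["paths"]))
```

A hit is a lead to review, not proof of compromise: a legitimate automation account can carry the same name, so compare each flagged workflow diff against what your CI is supposed to run.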

Do not blindly trust VS Code extensions

The VS Code breach shows that even 11 minutes of presence on the marketplace is enough. Only install the extensions you need. Check the number of downloads, the author's history, the reviews. And never store credentials in plain text in your local development environment.

For critical projects, consider isolated development environments. Secure hosting with Hostinger featuring separate access and restricted deployments can limit the damage if a development machine is compromised.

Limit the scope of CI secrets

GitHub secrets should only have the strictly necessary permissions. A secret with global access to all repositories in an organization is a potential disaster. Use repository-level secrets, not organization-level ones, unless absolutely necessary.


Why open source is increasingly vulnerable

Open source relies on trust. Maintainers trust contributors. Users trust maintainers. CI/CD tools trust workflows. Every link in this chain of trust is now being targeted.

Maintainer fatigue

Open source maintainers are overwhelmed. They manage dozens, sometimes hundreds, of pull requests. A commit from "ci-bot" that "updates the workflow" isn't going to attract attention in a feed of 50 notifications.

Megalodon exploits exactly this fatigue. The attack doesn't need to be invisible. It just needs to be mundane.

The illusion of security through transparency

Open source is often presented as more secure because the code is public. But transparency is useless if no one reads the code. With 5,718 commits pushed in 6 hours, no one read these changes before they were merged.

Open source security works when there are eyes on the code. Megalodon proved that the eyes-to-changes ratio can be bypassed by speed.

The concentration of risk

The ecosystem is concentrated around a few platforms: GitHub for code, VS Code for editing, npm/PyPI for dependencies. An attack on one of these platforms has a disproportionate impact. This is exactly what we saw in May 2026.


❌ Common mistakes

Mistake 1: Trusting commit identities without verification

A name like "ci-bot" or "pipeline-bot" guarantees nothing. Anyone can configure any name and email in Git. The solution: verify the real GitHub identity behind each commit, especially on CI/CD files.

Mistake 2: Referencing GitHub Actions by tag

uses: action@v3 is vulnerable to tag hijacking. The solution: systematically use commit hashes (uses: action@sha256abc...) and lock them with Dependabot or an equivalent tool.

Mistake 3: Giving overly broad permissions to CI secrets

A GitHub secret with access to all repos in an organization is a ticking time bomb. The solution: repository-scoped secrets, with minimal permissions, and regular rotation.

Mistake 4: Ignoring workflow file modifications

Files in .github/workflows/ are among the most sensitive in a repository. The solution: require mandatory code reviews for any changes to these files via branch protection rules.

Mistake 5: Installing VS Code extensions without checking

The breach of 3,800 internal GitHub repos shows that 11 minutes is enough. The solution: verify the author, version history, reviews, and avoid recently published or suspiciously updated extensions.


❓ Frequently Asked Questions

What exactly is the Megalodon attack?

An automated supply chain campaign that injected malicious GitHub Actions workflows into 5,561 repositories on May 18, 2026, in 6 hours, stealing cloud secrets and credentials via fake CI commits.

Who is behind Megalodon?

The attacker's identity is not publicly known. SafeDep researchers traced the attack but did not attribute it to any specific group or individual.

Was my repository affected by Megalodon?

Check your commit history from May 18, 2026. Look for commits from users like build-bot, ci-bot, auto-ci, or pipeline-bot modifying files in .github/workflows/. If you find anything, immediately revoke all your GitHub secrets.

What is the connection between Megalodon and the VS Code breach?

No direct technical link. However, both attacks occurred within the same 48-hour window, both targeting the developer toolchain (GitHub Actions on one side, VS Code on the other), illustrating a convergence of supply chain attacks.

Were AI models used in Megalodon?

No formal evidence. But the pace of the attack (16 commits/minute for 6 hours) is consistent with LLM-assisted automation, a capability that exists with current agentic models like GPT-5.5 or Claude Opus 4.7.

Is GitHub Actions still safe after this attack?

GitHub Actions remains a powerful tool, but its security depends entirely on the repository's configuration. With appropriate protections (commit hashes, branch protection, secret scoping), the risk is reduced but not eliminated.


✅ Conclusion

May 2026 will go down as the month the developer ecosystem lost its innocence. Megalodon proved that a supply chain attack can compromise 5,500 repositories before the community even reacts. The VS Code breach from the same week proved that even GitHub itself is not immune. Blind trust in development tools is over — it is time to replace it with systematic verification.