5,561 GitHub Repositories Hit by Megalodon Supply Chain Attack in Six Hours
ID: 5e462308-0e78-5e49-b1af-a1794338d21d
STIX ID: report--5e462308-0e78-5e49-b1af-a1794338d21d
Feed Name: HackRead
A campaign dubbed “Megalodon” automated thousands of fake code updates across ~5,561 GitHub repositories in a short window, adding malicious GitHub Actions workflows and replacing system files to install a dormant backdoor. The backdoor decodes and runs a background program that harvests cloud credentials (AWS, GCP, Azure), system logs, and secret tokens, and exfiltrates the data to a C2 server at 216.126.225.129:8443. Infected npm packages from Tiledesk were published publicly, demonstrating active exploitation and supply-chain impact.
