Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows
ID: 27038a65-a0ef-541c-9bc5-f0e7e4efa5e9
STIX ID: report--27038a65-a0ef-541c-9bc5-f0e7e4efa5e9
Feed Name: The Hacker News
Researchers disclosed "Megalodon", an automated supply-chain campaign that pushed 5,718 malicious commits to 5,561 GitHub repositories on May 18, 2026. The commits injected GitHub Actions workflows with base64-encoded bash payloads that steal CI environment variables, cloud credentials, SSH keys, OIDC/GitHub tokens, and other secrets and exfiltrate them to a C2 server at 216.126.225.129:8443. The campaign includes a mass variant (SysDiag) and a targeted variant (Optimize-Build), and is tied to broader TeamPCP activity and to malicious npm packages that steal cryptocurrency private keys via social-engineered postinstall hooks.
