
A new malware campaign that hijacks GitHub repositories through malicious automated workflows is threatening open-source projects with a further barrage of supply chain attacks.
- Massive scale attack: The "Megalodon" campaign compromised over 5,000 GitHub repositories in 6 hours by weaponizing automated GitHub Actions workflows that execute when developers push code or merge requests.
- Cross-platform impact: Repository compromises cascaded to npm packages, with poisoned code spreading beyond GitHub. The Tiledesk case showed how one compromised repo led to seven malicious npm versions being published.
- Persistent security gaps: GitHub and npm lack adequate defenses against malicious code. Attackers used fake bot identities to evade detection, while workflow files typically go unreviewed, allowing attacks to succeed repeatedly.
Researchers at open-source security platform SafeDep have dubbed the operation “Megalodon,” after the extinct giant shark, due to the scale of the operation and its ability to stealthily prey on developer infrastructure.
The unprecedented, aggressive campaign, which occurred on Sunday, struck over 5,000 repositories in a 6-hour period.
Researchers at Ox Security, which has also been investigating the attack, confirmed that more than 3,500 repositories are already carrying infected files "and the number is rising."
The attack also comes days after GitHub disclosed a breach involving its own internal repositories amid ongoing attacks targeting NPM packages and developer infrastructure.
Why the focus on workflows?
According to SafeDep’s research, attackers focused on modifying GitHub Actions workflows, automated scripts that developers use to build, test, and deploy software.
These CI/CD workflows help developers ship code faster by automatically running tasks whenever code is updated.
Because these pipelines often have access to sensitive credentials and trusted systems, they have become a valuable target for supply-chain attackers.
How the campaign worked
According to the report, the intense and aggressive campaign involved “Mass GitHub repo backdooring” through poisoned workflows capable of exfiltrating secrets, maintaining persistence, and tampering with development pipelines.
The attacker-controlled code was able to execute automatically whenever developers pushed updates, merged pull requests, or triggered releases.
The attackers also reportedly used fake CI bot identities and dormant workflow triggers to maintain access and avoid detection. These were named in the report as:
- build-bot
- auto-ci
- ci-bot
- pipeline-bot
The compromised repos are also listed by SafeDep. Researchers add that the campaign also affected packages tied to Tiledesk – an open-source live chat platform – that were later published to another large software repo, npm, potentially extending the impact beyond GitHub repositories.
“Tiledesk shows how repository compromise cascades to package registries. Seven npm versions carried the backdoor because the maintainer published from a poisoned repo,” the report said.
“Code review would catch this, but nobody reviews workflow files in npm packages,” SafeDep researchers noted.
The attacks have not yet been attributed to a specific threat actor.
Mitigations include reviewing GitHub Actions workflows, rotating exposed secrets, and limiting workflow permissions.
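As a starting point for that workflow review, the sketch below flags commits in a local clone that change files under .github/workflows and carry one of the bot identities listed above. It is an added example, not code from SafeDep or Ox Security; it assumes those identities show up as the commit author name or e-mail local part, and the sample log is constructed.

```python
import subprocess

# Identities named in the report, as listed on this page. Assumption: they
# appear as the commit author name or as the e-mail local part.
SUSPECT = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
WORKFLOWS = ".github/workflows/"
# 0x1e starts each commit record, 0x1f separates header fields.
LOG_FORMAT = "%x1e%H%x1f%an%x1f%ae%x1f%aI"

def parse_log(raw):
    """Parse `git log --name-only --format=LOG_FORMAT` output into dicts."""
    commits = []
    for record in raw.split("\x1e")[1:]:
        header, _, body = record.partition("\n")
        sha, author, email, date = header.split("\x1f")
        files = [line for line in body.splitlines() if line.strip()]
        commits.append({"sha": sha, "author": author, "email": email,
                        "date": date, "files": files})
    return commits

def flag_commits(commits):
    """Keep commits that change workflow files under a listed identity."""
    hits = []
    for c in commits:
        touched = [f for f in c["files"] if f.startswith(WORKFLOWS)]
        local = c["email"].split("@")[0].split("+")[-1]
        if touched and {c["author"].lower(), local.lower()} & SUSPECT:
            hits.append({**c, "files": touched})
    return hits

def audit_repo(path="."):
    """Run the check over every ref of a local clone."""
    cmd = ["git", "-C", path, "log", "--all", "--name-only",
           "--format=" + LOG_FORMAT, "--", ".github/workflows"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return flag_commits(parse_log(out.stdout))

# Constructed sample log (not real campaign data): three commits.
SAMPLE_LOG = "".join([
    "\x1e" + "1" * 40 + "\x1fAlice Dev\x1falice@example.org"
    "\x1f2024-01-01T10:00:00+00:00\n\n.github/workflows/ci.yml\n",
    "\x1e" + "2" * 40 + "\x1fbuild-bot\x1fbuild-bot@example.invalid"
    "\x1f2024-01-02T03:00:00+00:00\n\n.github/workflows/ci.yml\nREADME.md\n",
    "\x1e" + "3" * 40 + "\x1fci-bot\x1fci-bot@example.invalid"
    "\x1f2024-01-02T03:05:00+00:00\n\nsrc/app.js\n",
])
if __name__ == "__main__":
    for hit in flag_commits(parse_log(SAMPLE_LOG)):
        print(hit["sha"][:12], hit["author"], hit["date"], hit["files"])
```

Calling audit_repo() on a real clone returns the same structure; a hit is a prompt to read the workflow diff and rotate any secrets that workflow could reach, not proof of compromise.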
Open source under attack
The findings are the latest in an escalating series of attacks targeting open-source infrastructure that has seen maintainer accounts hijacked, open-source packages poisoned, and stolen secrets abused to create thousands of malicious GitHub repos.
Earlier this week, GitHub confirmed that attackers gained unauthorized access to its internal repositories after an employee’s device was compromised through a poisoned Visual Studio Code extension.
Threat group TeamPCP later claimed responsibility for the breach and attempted to sell the stolen repository data online.
The GitHub breach also followed a series of attacks targeting NPM, the world’s largest JavaScript package registry.
Security researchers often describe these types of supply chain attacks as attacking the factory instead of the product.
“A single compromise in developer tooling, CI/CD pipelines, or dependencies can cascade across thousands of organizations,” says Boris Cipot, principal security engineer at Black Duck.
“It also follows a clear pattern we’ve been seeing for months. Threat actors like TeamPCP deliberately target trusted tools, open‑source packages, and developer workflows because they provide indirect access to many downstream environments.”
Ox researcher Moshe Siman Tov Bustan argues that malicious software attacks will continue unless platforms like npm and GitHub adopt much stronger security and moderation practices.
“This week npm put out a statement on their X account saying they ‘invalidated npm granular access tokens with write access that bypass 2FA.’
“That could help a little with account hijacking, but it doesn’t solve the actual problem. Malicious code is still reaching their servers, and nothing is stopping it before it does.”
“Malicious code should be treated the way harmful content is treated on social media – flagged, taken seriously, and removed before it ever reaches end users.”