
Megalodon malware pushed malicious commits to 5,500+ GitHub repos in six hours, stealing developer credentials and secrets.
Megalodon malware executed a massive *supply chain attack* (an attack where malicious code is injected into software repositories that other developers trust and use) against GitHub. In just 6 hours, the campaign silently pushed thousands of malicious commits to more than 5,500 repositories. The goal: developer credentials, API keys, environment variables, SSH keys, and any secrets accessible in the workspace.
The speed and volume rule out manual execution. The campaign used full automation — likely through compromised GitHub accounts or stolen PATs (Personal Access Tokens — programmatic GitHub access keys) to authenticate and push commits without triggering immediate alerts. Once malicious code lands in a repo, any developer who clones, installs, or runs that code exposes their environment.
5,500 repositories in 6 hours redefines what an at-scale attack looks like. Most security teams have no real-time visibility into new commits across their repos — especially in larger organizations with hundreds of active repositories.
The real impact has three layers:
Layer 1 — Directly compromised repos: Malicious code lives in the main branch. Any consumer of the repo becomes a propagation vector.
Layer 2 — Exfiltrated secrets: Stolen API keys and tokens don't expire on their own. An AWS token with `AdministratorAccess` can be used to escalate privileges, pivot to other systems, or spin up infrastructure under the victim's name weeks after the initial breach.
Layer 3 — Transitive dependencies: If any of the 5,500 infected repos is a dependency of your project, the risk reaches you without you having touched anything directly.
Software supply chain security remains one of the least-monitored attack surfaces in real development environments.
The pattern here — mass automation, hours-long execution window, focus on high-value secrets — mirrors the playbook from PyPI and npm supply chain attacks of 2023-2024. Megalodon scales that model directly to the repo layer. If you don't have alerts on external commits to your critical repos, you need them today.
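One way to build the kind of commit alert the article calls for, as an added example that is not part of the article or of any real tool: it runs two detections over constructed GitHub-style push events, a fan-out check (one actor pushing to many distinct repos inside a short window, the signature of a mass automated campaign) and a non-member push to a protected branch. The event field names, the sample actors and the thresholds are assumptions, not the real GitHub Events API schema.

```python
# Added example (not from the article): detect mass-push fan-out and
# external pushes in push-event records. Field names are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "bob" is an org member whose token was used to
# push to four repos in three minutes; "outsider" is not a member at all.
SAMPLE_EVENTS = [
    {"actor": "alice",    "repo": "org/web", "ref": "refs/heads/main",      "ts": "2024-05-01T09:58:00Z"},
    {"actor": "alice",    "repo": "org/api", "ref": "refs/heads/feature-x", "ts": "2024-05-01T10:40:00Z"},
    {"actor": "bob",      "repo": "org/a",   "ref": "refs/heads/main",      "ts": "2024-05-01T10:00:00Z"},
    {"actor": "bob",      "repo": "org/b",   "ref": "refs/heads/main",      "ts": "2024-05-01T10:01:00Z"},
    {"actor": "bob",      "repo": "org/c",   "ref": "refs/heads/main",      "ts": "2024-05-01T10:02:00Z"},
    {"actor": "bob",      "repo": "org/d",   "ref": "refs/heads/main",      "ts": "2024-05-01T10:03:00Z"},
    {"actor": "outsider", "repo": "org/web", "ref": "refs/heads/main",      "ts": "2024-05-01T10:05:00Z"},
]
ORG_MEMBERS = {"alice", "bob"}  # assumed allowlist of legitimate committers


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_fanout_actors(events, max_repos=3, window=timedelta(hours=1)):
    """Return {actor: distinct_repo_count} for actors that pushed to more than
    max_repos distinct repos within any sliding window of the given length."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append((parse_ts(e["ts"]), e["repo"]))
    flagged = {}
    for actor, pushes in by_actor.items():
        pushes.sort()  # chronological order for the sliding window
        for i, (start, _) in enumerate(pushes):
            repos = {repo for t, repo in pushes[i:] if t - start <= window}
            if len(repos) > max_repos:
                flagged[actor] = len(repos)
                break
    return flagged


def find_external_pushes(events, members, protected_ref="refs/heads/main"):
    """Return sorted (actor, repo) pairs where a non-member pushed to the
    protected branch; these are the pushes that should page someone."""
    return sorted({(e["actor"], e["repo"]) for e in events
                   if e["actor"] not in members and e["ref"] == protected_ref})


if __name__ == "__main__":
    print("fan-out actors:", find_fanout_actors(SAMPLE_EVENTS))
    print("external pushes:", find_external_pushes(SAMPLE_EVENTS, ORG_MEMBERS))
```

In a real deployment the events would come from the organization audit log or a webhook, and a flagged actor's token should be revoked before the commits are reviewed, since the secrets were the target.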