TL;DR
- Repo Backdoor: Attackers have infected 5,561 GitHub repositories through poisoned GitHub Actions workflows
- Trigger Path: GitHub’s manual and API workflow exceptions help explain how stolen credentials could reactivate dormant backdoors after the first malicious commit.
- Cleanup Gap: Package removals and token resets help, but maintainers may still need workflow audits, commit reviews, and credential rotation.
Attackers have launched Megalodon as a GitHub Actions backdoor campaign, infecting 5,561 GitHub repositories and exposing CI data that could reach cloud, deployment, and package-publishing systems beyond the original repos.
Within six hours, the attackers have pushed 5,718 malicious commits, turning what could look like an isolated repository breach into a broad automation problem for maintainers who trust GitHub Actions to build and ship software.
Megalodon instead appears to have moved through poisoned source trees, workflow abuse, and credential theft rather than a hijacked npm account.
“The attacker never touched the NPM account. They compromised the GitHub repository, and the maintainer published from the poisoned source without realizing it.”
SafeDep, a cybersecurity firm (via SafeDep)
Because GitHub Actions often sits between source code and production infrastructure, a poisoned workflow can move from a repository compromise into package publishing, cloud access, internal services, and any self-hosted runner that trusts the same job chain.
Planted workflows may have stolen credentials and tokens from affected build environments, alongside keys and other secrets that could open deployment pipelines and connected cloud services. Maintainers now need to inspect workflow files, commit history, runner secrets, deployment logs, and package-publishing paths instead of treating the incident as a single account reset.
How the Workflow Backdoor Spread
One payload appears to have added workflows on pushes and pull requests, while another replaced existing workflows with dormant backdoors that could wait for a later run. Together, those paths gave attackers both immediate execution and a quieter persistence route inside repositories that already relied on automation.
GitHub’s workflow_dispatch exception helps explain why the second path matters. Under that rule, a workflow can start manually or through the API even though many events fired by GITHUB_TOKEN do not automatically create another run.
GitHub’s workflow_dispatch and repository_dispatch exceptions can still create new runs.
When one workflow intentionally starts another, a personal access token or GitHub App token can also be used. In practice, that means stolen credentials may let attackers wake a poisoned workflow after the first malicious commit lands.
Cybersecurity firm OX Security found more than 3,500 repositories carrying the same infected YAML pattern while the campaign was still unfolding. OX Security’s lower parallel count does not replace SafeDep’s larger figure, but it does show a second security firm was seeing the same workflow abuse spread across GitHub.
Malware in the campaign also targeted AWS, Slack, GitHub, PyPI, and npm secrets before sending stolen data to an attacker-controlled server. For non-specialists, that turns the incident from a source-code story into an infrastructure one because those secrets can connect automated builds to cloud accounts, internal services, and software release channels.
The attackers also used a hardcoded September 17, 2001 commit date and fake bot identities to make workflow edits look less suspicious in repository history. OX Security warned that without stronger code-vetting controls, “the number of attacks will only increase”.
Why Token Resets Do Not Close the Gap
Microsoft’s response to the Mini Shai-Hulud campaign shows what package and account cleanup can do quickly. In that case GitHub removed 640 malicious packages.
GitHub also invalidated 61,274 npm granular access tokens with write permission and two-factor bypass. Megalodon points to a different failure point: the repository and its workflow logic.
SafeDep identified malicious Tiledesk package versions published between May 19 and May 21 after the repository compromise was already underway, which means poisoned source code may already have reached package users before maintainers realized the repository had changed.
Regarding the the Mini Shai-Hulud campaign, Microsoft recommended rotating credentials that may have been exposed in affected build environments. Even with that guidance, Megalodon still leaves teams with a larger verification job because rotating tokens alone does not prove that hidden workflows, altered commits, or self-hosted runner footholds are gone.
Earlier GitHub Actions breaches showed the same trusted CI path being turned into a delivery route for secret theft and malware. Previously a Trivy project breach pushed infostealer code through GitHub Actions. In 2025, a GitHub Actions secret exposure hit hundreds of repositories.
A direct GitHub or npm confirmation could still narrow the incident’s scope. Until then, maintainers may need to treat repository integrity, workflow review, and secret rotation as one cleanup track rather than three separate ones.
