The Megalodon attack is a supply chain compromise targeting GitHub repositories by injecting malicious GitHub Actions workflows via automated commits. Over 5,700 commits infected 5,561 repositories in a short time frame, adding or replacing workflows to steal credentials and secrets such as AWS, GCP, Azure credentials, SSH keys, Docker and Kubernetes configs, API keys, and CI/CD tokens. The attack used the 'workflow_dispatch' trigger to create dormant backdoors that can be activated later via the GitHub API, bypassing GitHub's anti-recursion protections. The infection spread through compromised source code published by legitimate maintainers unaware of the malicious changes. The attack highlights risks in automated CI/CD workflows and token permissions but no vendor advisory or patch information is provided.

The attack results in the theft of a broad range of sensitive credentials and secrets from infected repositories, including cloud service credentials, SSH keys, API keys, and CI/CD tokens. This exposure can lead to unauthorized access to cloud environments, source code, and other critical infrastructure components. The widespread infection of over 5,500 repositories increases the potential attack surface for downstream users relying on these repositories. However, no known exploits in the wild or direct evidence of further compromise beyond credential theft are reported in the provided data.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Organizations should review their GitHub repositories for unauthorized workflow changes, revoke and rotate exposed credentials and tokens, and audit CI/CD pipeline configurations. Since no official fix or patch is indicated, mitigation relies on incident response actions and credential management. Monitoring for suspicious GitHub Actions activity and limiting token permissions can help reduce risk. Vendors and maintainers should verify the integrity of source code and workflows before publishing.