What Actually Happened on May 18

Picture this: in just over six hours, somebody managed to slip malicious code into more than five thousand GitHub repositories. Not slowly. Not stealthily over weeks. Six hours.

Between 11:36 and 17:48 UTC on May 18, 2026, the campaign now being called Megalodon pushed 5,718 malicious commits into 5,561 separate repositories. The cybersecurity firm SafeDep caught it using its Malysis scanning tool, and the scale alone makes this one of the most aggressive GitHub Actions poisoning runs anyone's seen.

The attackers weren't sophisticated, but they were careful about blending in. They spun up throwaway accounts with randomized eight-character usernames and set the commit author metadata to look like routine CI maintenance bots: names like "build-bot," "ci-bot," and "pipeline-bot," paired with spoofed noreply.dev email addresses (not GitHub's own users.noreply.github.com domain). Git records whatever author name and email the pusher supplies, so none of this required compromising a real bot account. It's exactly the kind of thing your eyes glaze over when you're scrolling through a commit history.

How the Attackers Slipped Past Defenses

Here's the part that stings if you maintain repos: this only worked because so many projects had weak or no branch protection. The commits landed directly on main or master, with no pull request and no review in the way, so nobody had to look at a change to .github/workflows/ before it took effect.

And the commit messages? Boring on purpose. Stuff like "ci: add build optimization step" or "chore: sync ci configuration." The kind of thing that looks like exactly what it claims to be. Nobody's going to flag a "chore" commit at first glance, which is the whole point.
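One way to look for this fingerprint in your own history, added here as an example and not taken from the original report or from SafeDep's tooling: run `git log main --name-only --format='%H|%an|%ae|%s'` and feed the output through a small triage script that scores each commit on the indicators described above (bot-like author name, a noreply.dev address, a bland ci:/chore: subject, and a touch to the workflow directory). The sample log below is constructed for the example, the allowlist of known automation accounts is a placeholder for your own, and the scoring threshold is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of:
#   git log main --name-only --format='%H|%an|%ae|%s'
# These are not real Megalodon commits; the author fields mirror the pattern
# described above (bot-like names, noreply.dev addresses, bland ci/chore subjects).
SAMPLE_LOG = """\
a1b2c3d|build-bot|build-bot@noreply.dev|ci: add build optimization step
.github/workflows/ci.yml

9f8e7d6|Jane Maintainer|jane@example.org|fix: handle empty config file
src/config.py
tests/test_config.py

5e4d3c2|dependabot[bot]|49699333+dependabot[bot]@users.noreply.github.com|build(deps): bump requests
requirements.txt

7a6b5c4|pipeline-bot|pipeline-bot@noreply.dev|chore: sync ci configuration
.github/workflows/release.yml
"""

# Assumption: replace with the automation identities your org actually uses.
KNOWN_AUTOMATION = {"dependabot[bot]", "github-actions[bot]", "renovate[bot]"}

BOT_LIKE_NAME = re.compile(r"^[a-z0-9]*(build|ci|pipeline|deploy|release)[-_]?bot$", re.I)
# noreply.dev is not GitHub's noreply domain; the second alternative catches an
# eight-character random local part of the kind the throwaway accounts used.
SPOOFED_EMAIL = re.compile(r"@noreply\.dev$|^[a-z0-9]{8}@", re.I)
BLAND_SUBJECT = re.compile(r"^(ci|chore|build)(\([^)]*\))?:\s", re.I)


@dataclass
class Finding:
    sha: str
    author: str
    reasons: list = field(default_factory=list)

    @property
    def score(self):
        return len(self.reasons)


def parse_log(text):
    """Split --name-only output into (sha, name, email, subject, files) tuples."""
    commits = []
    for block in re.split(r"\n\s*\n", text.strip()):
        header, *files = block.splitlines()
        sha, name, email, subject = header.split("|", 3)
        commits.append((sha, name, email, subject, [f.strip() for f in files if f.strip()]))
    return commits


def triage(text):
    """Attach a reason list to every commit that trips at least one indicator."""
    findings = []
    for sha, name, email, subject, files in parse_log(text):
        if name in KNOWN_AUTOMATION:
            continue  # real bots are expected to touch manifests; vet the allowlist itself
        reasons = []
        if any(f.startswith(".github/workflows/") for f in files):
            reasons.append("touches workflow definitions")
        if BOT_LIKE_NAME.match(name):
            reasons.append("bot-like author name outside the allowlist")
        if SPOOFED_EMAIL.search(email):
            reasons.append("non-GitHub noreply address")
        if BLAND_SUBJECT.match(subject):
            reasons.append("generic ci/chore subject")
        if reasons:
            findings.append(Finding(sha, name, reasons))
    return findings


def high_risk(text, threshold=3):
    """Commits worth a human look. The threshold is an assumption; tune it to your noise level."""
    return [f for f in triage(text) if f.score >= threshold]


if __name__ == "__main__":
    for f in high_risk(SAMPLE_LOG):
        print(f.sha, f.author, "->", "; ".join(f.reasons))
```

Run it over the default branch with `--no-merges` if you squash-merge, since a squash merge is indistinguishable from a direct push in the log; the real signal is the combination of a workflow edit with an author you cannot tie to a person or a known integration.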

Direct Poisoned Pipeline Execution, Textbook Style

Researchers at StepSecurity tagged Megalodon as a textbook case of direct Poisoned Pipeline Execution (PPE): an attacker with write access edits the workflow definition files under .github/workflows/ themselves. The next time that workflow runs on GitHub's hosted runners, the injected step executes with everything the job has, including the repository's secrets, the GITHUB_TOKEN, and any cloud credentials the workflow requests.

The payloads were Base64-encoded bash scripts, decoded and run by the injected step at job time, which keeps readable commands out of the diff. Once running, they kicked off a multi-phase data harvest, and the list of what they were after reads like a wish list for anyone trying to take over a cloud environment:

  • AWS secret keys
  • Google Cloud access tokens
  • Azure metadata
  • SSH private keys
  • Docker and Kubernetes configurations
  • Vault tokens
  • Terraform credentials
  • GitHub Actions OIDC tokens

On top of that, the payload scanned source code for more than 30 sensitive regex patterns, hunting for things like Stripe keys, database connection strings, and JWTs. Everything got shipped off to a command-and-control server.
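A checker for the workflow side, added here as an example and not code from StepSecurity, SafeDep, or the original article: it pulls each `run:` step out of a workflow file, flags steps that decode Base64 and pipe the result into a shell (or fetch a remote script into one), decodes any embedded blobs so that what they touch can be inspected, and matches both against the credential locations listed above. The workflow text and the injected step are constructed for the example, and the blob decodes to a harmless stand-in rather than the real payload; the path patterns are the usual on-disk and environment locations of those credentials and are my assumptions about where a harvester would look. The YAML is handled with plain text matching rather than a YAML library so the script has no dependencies.

```python
import base64
import re

# Constructed workflow: an ordinary build job plus one injected step of the
# kind described above (a base64 blob decoded and piped to bash). The blob
# decodes to a harmless stand-in, not the real Megalodon payload.
INJECTED = base64.b64encode(b"cat $HOME/.aws/credentials $HOME/.kube/config 2>/dev/null").decode()
SAMPLE_WORKFLOW = f"""\
name: CI
on:
  push:
    branches: [main]
permissions:
  contents: read
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run tests
        run: make test
      - name: Build optimization
        run: |
          echo "{INJECTED}" | base64 -d | bash
"""

DECODE_TO_SHELL = re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b")
REMOTE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
# Assumption: the usual on-disk and environment locations of the credentials
# listed above, i.e. where a harvester would look.
SENSITIVE = [
    (re.compile(r"\.aws/credentials|AWS_SECRET_ACCESS_KEY"), "AWS credentials"),
    (re.compile(r"\.config/gcloud|GOOGLE_APPLICATION_CREDENTIALS"), "Google Cloud credentials"),
    (re.compile(r"169\.254\.169\.254|/metadata/instance"), "cloud metadata endpoint"),
    (re.compile(r"\.ssh/id_"), "SSH private keys"),
    (re.compile(r"\.docker/config\.json|\.kube/config"), "Docker/Kubernetes config"),
    (re.compile(r"VAULT_TOKEN|\.vault-token"), "Vault token"),
    (re.compile(r"\.terraformrc|\.terraform\.d|TF_TOKEN_"), "Terraform credentials"),
    (re.compile(r"ACTIONS_ID_TOKEN_REQUEST_(URL|TOKEN)"), "Actions OIDC token request"),
]


def run_steps(workflow_text):
    """Return the shell text of every `run:` step, handling `run: |` block scalars."""
    lines = workflow_text.splitlines()
    steps, i = [], 0
    while i < len(lines):
        m = re.match(r"^(\s*)(- )?run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + (2 if m.group(2) else 0)
        body = m.group(3).strip()
        i += 1
        if body in ("|", "|-", ">", ">-"):
            chunk = []
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > key_indent):
                chunk.append(lines[i].strip())
                i += 1
            body = "\n".join(chunk)
        steps.append(body)
    return steps


def scan_workflow(workflow_text):
    """Return (step_index, finding) pairs for steps that look like a dropped payload."""
    findings = []
    for idx, body in enumerate(run_steps(workflow_text)):
        if DECODE_TO_SHELL.search(body):
            findings.append((idx, "base64 payload decoded and piped to a shell"))
        if REMOTE_TO_SHELL.search(body):
            findings.append((idx, "remote script piped to a shell"))
        # The step text itself says nothing, so decode any embedded blob and look inside.
        decoded = []
        for blob in B64_BLOB.findall(body):
            try:
                decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
            except ValueError:
                pass
        for pattern, label in SENSITIVE:
            if pattern.search(body) or any(pattern.search(d) for d in decoded):
                findings.append((idx, f"references {label}"))
    return findings


if __name__ == "__main__":
    for idx, what in scan_workflow(SAMPLE_WORKFLOW):
        print(f"step {idx}: {what}")
```

Run this as a pre-merge check over every file under .github/workflows/, and also over the history of those files, because the commit that introduces such a step is the one you want to find, not the step's later state.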

Why the OIDC Token Theft Is the Scariest Part

Look, leaked credentials are bad. We all know this. But the OIDC token piece is where Megalodon goes from "ugly" to "really, really ugly."

Jobs that are granted the id-token: write permission receive a per-job request URL and request token (the ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN variables). With both in hand, the payload can ask GitHub to mint a short-lived OIDC token that identifies the repository, branch, and workflow, and any cloud account in AWS, GCP, or Azure that has been configured to trust that identity will exchange it for credentials. Think about what that means. They don't just steal a static key sitting in some env file. They get the ability to walk into your cloud environment as if they were your own deployment pipeline. That's a different kind of access entirely. Two caveats worth knowing: the request URL and token are only valid while the job is running, and the minted token only buys access where a cloud trust policy already accepts that repository's identity. Since the malicious commit sits on main, a trust policy that merely restricts the branch claim to main does nothing to stop it.
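To make the trust-policy side concrete, here is an added example, mine rather than GitHub's or any cloud provider's code, that decodes the claims of a GitHub Actions ID token and models the Condition block of a cloud trust policy with IAM-style StringLike matching on the sub claim. The tokens are constructed and unsigned, for offline use only; acme/widgets, the production environment, and the audience strings are placeholders. A real consumer must verify the signature against GitHub's JWKS, which this code deliberately does not do.

```python
import base64
import json
import re

ISSUER = "https://token.actions.githubusercontent.com"


def b64url_decode(segment):
    """Decode a base64url JWT segment; JWTs drop the '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def claims_of(jwt):
    """Return the payload claims of a JWT. The signature is NOT checked here; a real
    consumer must verify it against GitHub's JWKS before trusting any claim."""
    _, payload, _ = jwt.split(".")
    return json.loads(b64url_decode(payload))


def unsigned_token(claims):
    """Build an alg=none token carrying the claims, for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed claims in the shape GitHub puts in an Actions ID token.
# Repo, environment and audience names are placeholders.
# Job 1: a push-triggered job on main, i.e. what a poisoned workflow on main receives.
POISONED_MAIN = {
    "iss": ISSUER, "aud": "sts.amazonaws.com",
    "sub": "repo:acme/widgets:ref:refs/heads/main",
    "repository": "acme/widgets", "ref": "refs/heads/main",
    "event_name": "push", "actor": "build-bot",
}
# Job 2: same repo, but a deploy job that ran inside a protected environment.
GATED_DEPLOY = {
    **POISONED_MAIN,
    "sub": "repo:acme/widgets:environment:production",
    "environment": "production", "actor": "jane",
}


def string_like(pattern, value):
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def trust_policy_admits(jwt, allowed_sub_patterns, audience="sts.amazonaws.com"):
    """Model the Condition block of a cloud trust policy for the GitHub OIDC provider:
    iss must be GitHub, aud must equal the configured audience, sub must match a pattern."""
    c = claims_of(jwt)
    if c.get("iss") != ISSUER or c.get("aud") != audience:
        return False
    return any(string_like(p, c.get("sub", "")) for p in allowed_sub_patterns)


# Three trust policies of increasing strictness, expressed as sub patterns.
ANY_REF = ["repo:acme/widgets:*"]
MAIN_ONLY = ["repo:acme/widgets:ref:refs/heads/main"]
PROD_ENV_ONLY = ["repo:acme/widgets:environment:production"]


def which_policies_admit(claims):
    """Names of the policies above that would hand cloud credentials to a token with these claims."""
    token = unsigned_token(claims)
    policies = (("any_ref", ANY_REF), ("main_only", MAIN_ONLY), ("prod_env_only", PROD_ENV_ONLY))
    return [name for name, pats in policies if trust_policy_admits(token, pats)]


if __name__ == "__main__":
    print("poisoned main job:", which_policies_admit(POISONED_MAIN))
    print("gated deploy job:", which_policies_admit(GATED_DEPLOY))
```

The point of the three policies: a branch filter on main still admits the token from a poisoned push to main, because the claim is truthful, the branch really is main. Only the environment-scoped policy rejects it, and that only helps if the production environment has protection rules (required reviewers, a deployment branch policy); without them, the attacker's job can simply declare environment: production itself and collect a token with that claim.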

A Second GitHub Breach Surfaces a Day Later

As if Megalodon wasn't enough, GitHub confirmed a separate breach the day after. The group TeamPCP got into roughly 3,800 internal GitHub repositories after a company employee installed a poisoned Visual Studio Code extension.

GitHub said the activity "involved exfiltration of GitHub-internal repositories only" and that the attacker's claims were "directionally consistent" with what its investigators were finding. The company also said there's no evidence customer data stored outside its internal repositories was hit.

GitHub posted the incident on X and described what you'd hope to see in this situation: log analysis, secret rotation, and monitoring for follow-on activity.

Why the TeamPCP Connection Matters

This is where things get nervy. Security firm Varonis warned that TeamPCP "has historically used initial footholds to seed second-stage supply-chain attacks against downstream consumers." Translation: getting into GitHub's internal repos isn't necessarily the endgame. It might just be the setup.

If you're the kind of person who depends on GitHub-hosted tooling, which is, you know, most of us, that's not a great sentence to read.

What This Means for Anyone Shipping Code Right Now

Honestly, the takeaway here isn't complicated, even if the attack itself was. If your branch protection rules are loose, you're a target. If you're not watching commits to main from accounts you don't recognize, especially ones that touch .github/workflows/, you're a target. If your CI/CD workflows have access to secrets they don't strictly need, or grant id-token: write to every job when only the deploy job needs it, you've got more exposure than you should.
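Branch protection is the control that would have stopped the direct pushes, so here is an added audit helper, not GitHub's code and not from the article, that takes a branch protection response and lists the gaps an attacker with push access could walk through. The two inputs are constructed and shaped like the response of GET /repos/{owner}/{repo}/branches/{branch}/protection; treat the field names as an assumption to check against the current REST reference. An unprotected branch returns 404 rather than a body, which the None case models.

```python
import json

# Constructed inputs shaped like the response of
#   GET /repos/{owner}/{repo}/branches/{branch}/protection
# Assumption: field names as in the GitHub REST reference; confirm against the
# current docs. An unprotected branch returns 404 with no body, which the None
# case below stands in for.
LOOSE = json.loads("""{
  "required_pull_request_reviews": null,
  "enforce_admins": {"enabled": false},
  "required_signatures": {"enabled": false},
  "allow_force_pushes": {"enabled": true},
  "restrictions": null
}""")
TIGHT = json.loads("""{
  "required_pull_request_reviews": {
    "required_approving_review_count": 1,
    "dismiss_stale_reviews": true,
    "require_code_owner_reviews": true
  },
  "enforce_admins": {"enabled": true},
  "required_signatures": {"enabled": true},
  "allow_force_pushes": {"enabled": false},
  "restrictions": {"users": [], "teams": ["release-managers"], "apps": []}
}""")


def _enabled(protection, key):
    return bool((protection.get(key) or {}).get("enabled"))


def direct_push_possible(protection):
    """True when a write-access account could push to the branch without review."""
    if protection is None:
        return True
    reviews = protection.get("required_pull_request_reviews") or {}
    return reviews.get("required_approving_review_count", 0) < 1


def audit_branch_protection(protection):
    """List the gaps that let an unreviewed commit, like the ones described above,
    land directly on the branch. An empty list means none of the checks tripped."""
    if protection is None:
        return ["branch is not protected at all"]
    gaps = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if direct_push_possible(protection):
        gaps.append("direct pushes allowed: no pull request review required")
    if not reviews.get("require_code_owner_reviews"):
        gaps.append("no CODEOWNERS review: list .github/workflows/ in CODEOWNERS and require it")
    if not _enabled(protection, "enforce_admins"):
        gaps.append("administrators can bypass the rules")
    if not _enabled(protection, "required_signatures"):
        gaps.append("unsigned commits accepted, so author name and email can be anything")
    if _enabled(protection, "allow_force_pushes"):
        gaps.append("force pushes allowed: history can be rewritten to hide a commit")
    if protection.get("restrictions") is None:
        gaps.append("no push restrictions: every collaborator with write access can push")
    return gaps


if __name__ == "__main__":
    for name, prot in (("loose", LOOSE), ("tight", TIGHT), ("unprotected", None)):
        print(name, "direct push possible:", direct_push_possible(prot))
        for gap in audit_branch_protection(prot):
            print("  -", gap)
```

The CODEOWNERS check is the one most people skip: requiring a code-owner review on .github/workflows/ means a workflow change cannot merge on the strength of a rubber-stamp from whoever happens to be around, and it applies to pull requests from the throwaway accounts just as much as to direct pushes.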

Megalodon worked because thousands of projects let it work. The attackers didn't break GitHub. They walked through doors that were already unlocked.

Questions People Are Asking About Megalodon

How many repositories were affected by the Megalodon attack?

The campaign pushed 5,718 malicious commits across 5,561 GitHub repositories during the six-hour window on May 18, 2026.

What kinds of credentials did Megalodon try to steal?

The Base64-encoded bash payloads targeted AWS secret keys, Google Cloud access tokens, Azure metadata, SSH private keys, Docker and Kubernetes configurations, Vault tokens, Terraform credentials, and GitHub Actions OIDC tokens. It also scanned source code for more than 30 sensitive regex patterns, including Stripe keys, database connection strings, and JWTs.

Is the Megalodon attack connected to the GitHub internal breach?

They're being treated as separate incidents. Megalodon hit public repositories through a Poisoned Pipeline Execution approach, while the GitHub internal breach was carried out by TeamPCP through a poisoned VS Code extension installed by an employee, exposing roughly 3,800 internal repositories.