Researchers uncovered Megalodon, an automated supply-chain campaign that injected malicious GitHub Actions workflows into thousands of repositories to steal CI secrets, cloud credentials, SSH keys, and other sensitive data. The report also links related ecosystem abuse to TeamPCP and a set of fake Polymarket npm packages used to steal Ethereum/Polygon private keys. #Megalodon #TeamPCP #GitHubActions #Polymarket
Key points
- Megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories in six hours.
- The payloads used forged CI identities and base64-encoded bash to exfiltrate secrets to a C2 server.
- Two variants were seen: SysDiag for broad execution and Optimize-Build for targeted activation.
- TeamPCP has abused the software supply chain across major ecosystems, including GitHub, TanStack, Grafana Labs, OpenAI, and Mistral AI.
- Fake Polymarket npm packages used postinstall prompts to steal users' private keys and send them to an attacker-controlled endpoint.
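To make the workflow indicator in the key points concrete for defenders, here is an added example (not code from the report, the researchers, or the campaign) that scans a GitHub Actions workflow file for `run:` steps which decode base64 and pipe the result into a shell. The sample workflow and its base64 string (which decodes to `echo hello`) are constructed for this example. The extra check for `${{ toJSON(secrets) }}` is a general secrets-dumping indicator, not one the report attributes to Megalodon.

```python
"""Scan a GitHub Actions workflow for run steps that decode base64 and pipe it
into a shell. Added example; uses only the standard library so it runs offline."""
import re
from typing import List, Tuple

# A base64 decode followed by piping into bash/sh or eval. These regexes are
# written for this example and cover the common shell spellings.
DECODE_RE = re.compile(r"base64\s+(-d|--decode|-D)\b")
EXEC_RE = re.compile(r"\|\s*(ba)?sh\b|\|\s*eval\b|eval\s+\"?\$\(")
# Serialising the whole secrets context is a classic secret-dumping pattern.
SECRETS_DUMP_RE = re.compile(r"\$\{\{\s*toJSON\(secrets\)")

# Constructed sample workflow (not a real Megalodon commit).
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run tests
        run: npm test
      - name: Diagnostics
        run: |
          echo "collecting"
          echo ZWNobyBoZWxsbw== | base64 -d | bash
"""


def extract_run_blocks(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number of the `run:` key, script text) per step.

    Handles `run: cmd` on one line and block scalars (`run: |`, `run: >`) by
    collecting the lines indented deeper than the key. A line-based walk is
    used so the example does not depend on PyYAML.
    """
    lines = workflow_text.splitlines()
    blocks: List[Tuple[int, str]] = []
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)-?\s*run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        indent, rest = len(m.group(1)), m.group(2).strip()
        key_line = i + 1
        if rest in ("|", ">", "|-", ">-"):
            body = []
            i += 1
            while i < len(lines) and (
                not lines[i].strip()
                or len(lines[i]) - len(lines[i].lstrip()) > indent
            ):
                body.append(lines[i].strip())
                i += 1
            blocks.append((key_line, "\n".join(body)))
        else:
            blocks.append((key_line, rest))
            i += 1
    return blocks


def find_suspicious_steps(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for each run step matching an indicator."""
    findings: List[Tuple[int, str]] = []
    for line_no, script in extract_run_blocks(workflow_text):
        reasons = []
        if DECODE_RE.search(script) and EXEC_RE.search(script):
            reasons.append("base64 decode piped into a shell")
        if SECRETS_DUMP_RE.search(script):
            reasons.append("serializes the entire secrets context")
        if reasons:
            findings.append((line_no, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for line_no, reason in find_suspicious_steps(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {reason}")
```

Run it over every file under `.github/workflows/` in the commits you are reviewing; a hit on a step that was not there before the suspicious commit is the point at which to rotate the secrets that job could read.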
Read More: https://thehackernews.com/2026/05/megalodon-github-attack-targets-5561.html