The article discusses a significant supply chain attack named 'Megalodon', which infected over 5,500 GitHub repositories through automated commits. Launched on May 18, 2026, the attack involved 5,700 malicious commits that added or altered GitHub Actions workflows, enabling malware to exfiltrate sensitive data such as credentials and tokens from the affected repositories.
The attack was discovered after compromised packages of the Tiledesk platform were published. It relied on GitHub workflows that are exempt from recursion rules, which allowed it to plant dormant backdoors that could be activated later. The cybersecurity firm SafeDep highlights the inadequacy of current vetting processes for uploaded code and warns of an escalating wave of supply chain attacks. npm has attempted to mitigate the risk by invalidating access tokens, but the underlying issues remain unresolved.