HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Megalodon Malware Infects Over 5,500 GitHub Repositories, Harvesting Developer Secrets

In a six‑hour campaign, the Megalodon malware pushed malicious code to more than 5,500 public GitHub repositories, stealing API keys, SSH credentials and other developer secrets. The supply‑chain compromise threatens any organization that consumes affected open‑source components, making credential rotation and secret‑scanning essential for third‑party risk management.

LiveThreat™ Intelligence · 📅 May 27, 2026· 📰 darkreading.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
5 recommended
📰
Source
darkreading.com

Megalodon Malware Infects Over 5,500 GitHub Repositories, Harvesting Developer Secrets

What Happened — In a six‑hour window the Megalodon malware silently pushed malicious commits to more than 5,500 public GitHub repositories. The injected code harvests developer credentials, API keys, SSH keys and other secrets, then exfiltrates them to attacker‑controlled servers.

Why It Matters for TPRM

  • Supply‑chain contamination can flow into downstream applications, expanding risk far beyond the original repo.
  • Stolen secrets enable attackers to pivot into customers’ cloud environments, SaaS platforms, and third‑party integrations.
  • Large‑scale exposure of credentials erodes trust in open‑source components that many enterprises rely on.

Who Is Affected — Software development teams, SaaS providers, cloud‑infrastructure services and any organization that consumes open‑source libraries from compromised repositories.

Recommended Actions — Review recent commits in critical repositories, rotate all exposed credentials, enforce MFA and least‑privilege for developer accounts, deploy automated secret‑scanning tools, and monitor CI/CD pipelines for anomalous activity.

Technical Notes — Attack vector: compromised developer credentials used to push malicious commits (STOLEN_CREDENTIALS). Data types stolen: API keys, tokens, SSH keys, configuration files. No CVE associated. Source: Dark Reading

📰 Original Source
https://www.darkreading.com/application-security/megalodon-malware-infects-thousands-github-repos

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →