Megalodon Malware Infects Over 5,500 GitHub Repositories, Harvesting Developer Secrets
What Happened — In a six‑hour window the Megalodon malware silently pushed malicious commits to more than 5,500 public GitHub repositories. The injected code harvests developer credentials, API keys, SSH keys and other secrets, then exfiltrates them to attacker‑controlled servers.
Why It Matters for TPRM —
- Supply‑chain contamination can flow into downstream applications, expanding risk far beyond the original repo.
- Stolen secrets enable attackers to pivot into customers’ cloud environments, SaaS platforms, and third‑party integrations.
- Large‑scale exposure of credentials erodes trust in open‑source components that many enterprises rely on.
Who Is Affected — Software development teams, SaaS providers, cloud‑infrastructure services and any organization that consumes open‑source libraries from compromised repositories.
Recommended Actions — Review recent commits in critical repositories, rotate all exposed credentials, enforce MFA and least‑privilege for developer accounts, deploy automated secret‑scanning tools, and monitor CI/CD pipelines for anomalous activity.
Technical Notes — Attack vector: compromised developer credentials used to push malicious commits (STOLEN_CREDENTIALS). Data types stolen: API keys, tokens, SSH keys, configuration files. No CVE associated. Source: Dark Reading