How did Megalodon infect thousands of GitHub repos?
Megalodon: supply-chain malware via automated commits
More than 5,500 GitHub repositories were reportedly infected in a supply-chain attack dubbed Megalodon, attributed to malicious automated commits.
A supply-chain attack works when adversaries compromise software “upstream”—for example, a dependency or widely used code—and then malicious content spreads downstream to many projects that trust that upstream source. In this case, the mechanism highlighted in the story is automation: rather than manually submitting a small number of poisoned updates, the attackers used automated commits to push malware into a large number of repositories.
Why this matters for developers
The scale is the core threat signal:
- Mass compromise: Thousands of repositories can become a stepping stone for broader intrusion, especially if any of the infected projects supply dependencies or build artifacts.
- Trust exploitation: GitHub repositories are often treated as credible sources; automated changes can be harder to notice quickly.
- Downstream blast radius: Even if only a subset of the infected repos is used in production workflows, the odds of reaching critical code or tooling rise sharply with the number affected.
What security teams should do next
While the excerpt doesn’t list mitigation steps, the pattern strongly suggests defenders should prioritize:
- scanning recently changed dependencies and CI/build scripts
- reviewing commit histories for suspicious automated activity
- verifying provenance for packages and releases
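One way to start the second item, reviewing commit histories for suspicious automated activity that also touches CI/build files, as an added example that is not part of the story or of any Megalodon analysis: the path list, bot-account markers and burst thresholds are assumed heuristics, and the log format is the one produced by the `git log` flags shown in the header comment.

```python
# Added example, not from the story: heuristic triage of `git log` output for automated
# commits that touch CI/build files. Path list, bot markers and thresholds are assumptions.
# Assumed input format: git log --format='%H|%an|%ae|%cn|%ce|%at' --name-only
CI_BUILD_FILES = (".github/workflows/", ".gitlab-ci.yml", "Makefile",
                  "setup.py", "package.json", "Dockerfile")
BOT_MARKERS = ("[bot]", "noreply", "automation")

def parse_log(text):
    commits = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) == 6:  # sha|author|author_email|committer|committer_email|unix_ts
            keys = ("sha", "author", "author_email", "committer", "committer_email")
            commits.append(dict(zip(keys, parts), ts=int(parts[5]), files=[]))
        elif line.strip() and commits:  # a path changed by the current commit
            commits[-1]["files"].append(line.strip())
    return commits

def flag_commits(commits, burst_window=600, burst_min=3):
    """sha -> reasons, for CI/build-touching commits that look automated."""
    flagged = {}
    for c in commits:
        if not any(f.startswith(p) or f.endswith(p) for f in c["files"] for p in CI_BUILD_FILES):
            continue
        reasons = []
        if any(m in (c["author"] + c["author_email"]).lower() for m in BOT_MARKERS):
            reasons.append("bot-like author")
        if c["author_email"] != c["committer_email"]:
            reasons.append("author/committer mismatch")
        burst = sum(abs(o["ts"] - c["ts"]) <= burst_window for o in commits)
        if burst >= burst_min:
            reasons.append(f"burst: {burst} commits within {burst_window}s")
        if reasons:
            flagged[c["sha"]] = reasons
    return flagged

# Constructed sample log: one human change to app code, then three rapid automated changes
# to build files (blank separator lines omitted; the parser skips them anyway).
SAMPLE_LOG = """\
a1|Dana Dev|dana@example.org|Dana Dev|dana@example.org|1716000000
src/app.py
b2|ci-sync[bot]|noreply@example.org|ci-sync[bot]|noreply@example.org|1716003600
.github/workflows/build.yml
b3|ci-sync[bot]|noreply@example.org|ci-sync[bot]|noreply@example.org|1716003700
setup.py
c4|Dana Dev|dana@example.org|release-automation|bot@example.org|1716003800
package.json
"""

REPORT = flag_commits(parse_log(SAMPLE_LOG))  # flags b2, b3 and c4; a1 is left alone
```

On a real repository, feed it `git log --format='%H|%an|%ae|%cn|%ce|%at' --name-only` and treat the flags as triage hints to read the diffs, not as verdicts.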
The provided story names the attack and states that it relied on automated commits on May 18, but it does not specify the exact payload, the types of dependencies affected, or how maintainers detected or remediated the changes.