In May 2026, cybersecurity researchers uncovered one of the largest software supply chain attacks ever observed on GitHub. Known as the Megalodon campaign, the attack saw threat actors inject malicious GitHub Actions workflows into more than 5,500 repositories through over 5,700 malicious commits in just a few hours.