
SafeDep says the Megalodon campaign pushed 5,718 malicious commits into 5,561 GitHub repositories in a six-hour window, using forged CI identities to steal CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets. The activity hit major open-source ecosystems and has prompted npm to invalidate granular access tokens with write access that bypass 2FA, highlighting a broader supply-chain security shock. Separately, nine malicious Polymarket-themed npm packages were used to steal Ethereum/Polygon private keys via a postinstall hook.
This is less a one-off open-source incident than evidence that CI/CD credentials are becoming a first-class attack surface. The key second-order effect is that the initial compromise path is no longer the package registry itself; it is developer endpoint hygiene, which means the breach radius expands from maintainers to every downstream repo that trusts their automation. That makes the market impact asymmetric: cloud/security vendors with secrets scanning, identity posture, and CI hardening should see budget pull-forward, while software vendors with large OSS footprints face a longer remediation cycle and elevated insurance/compliance costs. The near-term risk is operational, not just reputational. Once attackers can harvest OIDC, PATs, and cloud metadata, they can pivot from code tampering into cloud resource abuse, data theft, and ransomware staging within hours to days, creating an impulse for enterprises to temporarily freeze dependency updates and tighten GitHub Actions permissions. That creates a short-term headwind for developer platforms and a tailwind for products that reduce token reliance, enforce trusted publishing, and monitor workflow anomalies. Microsoft is the most exposed public ticker in the set because GitHub sits inside its broader platform trust story and because the attack specifically weaponizes GitHub-native identity and automation. The longer-term contrarian point is that this may be bullish for the secure-by-default ecosystem: the more often these events recur, the more likely enterprises standardize on ephemeral credentials, workload identity, and repository policy controls, which is structurally supportive for network/security spend. The market may still be underpricing the speed at which procurement can shift toward controls that cut off CI secret exfiltration rather than endpoint-only defenses.
AI-powered research, real-time alerts, and portfolio analytics for institutional investors.
Request DemoOverall Sentiment
extremely negative
Sentiment Score
-0.88
Ticker Sentiment