Two concurrent supply chain campaigns — Glassworm and Megalodon — targeted GitHub repositories, CI/CD pipelines, npm, PyPI, and VSCode-compatible extension marketplaces during the same reporting window, representing the highest-priority risk cluster this week. Glassworm, attributed to a Russia-linked threat group and dismantled May 26, 2026, spent over a year seeding malicious extensions and poisoned packages to harvest developer credentials and establish pipeline footholds. Megalodon executed a six-hour automated mass-compromise of 5,500+ public GitHub repositories, extracting GitHub Actions secrets and cloud credentials at scale.

Author

Tech Jacks Solutions