Megalodon Malware Compromised 5,500+ GitHub Repos Within 6 Hours
Cybersecurity NewsArchived May 22, 2026✓ Full text saved
A sweeping automated supply chain attack codenamed “Megalodon” struck GitHub on May 18, 2026, injecting malicious CI/CD backdoors into over 5,500 repositories in less than six hours, marking one of the most aggressive GitHub Actions poisoning campaigns ever recorded. SafeDep discovered that between approximately 11:36 and 17:48 UTC on May 18, 2026, the Megalodon campaign […] The post Megalodon Malware Compromised 5,500+ GitHub Repos Within 6 Hours appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Attack News
Megalodon Malware Compromised 5,500+ GitHub Repos Within 6 Hours
By Guru Baran
May 22, 2026
A sweeping automated supply chain attack codenamed “Megalodon” struck GitHub on May 18, 2026, injecting malicious CI/CD backdoors into over 5,500 repositories in less than six hours, marking one of the most aggressive GitHub Actions poisoning campaigns ever recorded.
SafeDep discovered that between approximately 11:36 and 17:48 UTC on May 18, 2026, the Megalodon campaign pushed 5,718 malicious commits to 5,561 GitHub repositories using throwaway accounts with randomized eight-character usernames.
The attacker forged author identities build-bot, auto-ci, ci-bot, pipeline-bot, with emails build-system@noreply.dev and ci-bot@automated.dev, mimicking routine automated CI maintenance.
Commit messages such as “ci: add build optimization step” and “chore: optimize pipeline runtime” were deliberately designed to evade casual code review.
Megalodon Payload Variants
The campaign deployed two distinct GitHub Actions workflow variants sharing the same C2 server at 216.126.225.129:8443:
SysDiag (Mass Variant): Added a new .github/workflows/ci.yml file triggering on every push and pull_request_target, ensuring automated execution on any commit across all branches
Optimize-Build (Targeted Variant): Replaced existing workflows with a workflow_dispatch trigger, creating a dormant backdoor that the attacker can silently activate on demand via the GitHub API — producing zero visible CI runs and no failed builds.
Both variants requested elevated permissions: id-token: write and actions: read, enabling OIDC token theft for cloud identity impersonation.
The base64-encoded bash payload — a 111-line script — conducted aggressive, multi-phase credential harvesting once triggered:
All CI environment variables, /proc/*/environ, and PID 1 environment data
AWS credentials (access keys, secret keys, session tokens) across all configured profiles
GCP access tokens via gcloud auth print-access-token
Live credentials from AWS IMDSv2, GCP metadata, and Azure IMDS endpoints
SSH private keys, Docker auth configs, .npmrc, .netrc, Kubernetes configs, Vault tokens, and Terraform credentials
Source code grep-scanned against 30+ regex patterns targeting API keys, JWTs, database connection strings, PEM keys, and cloud tokens
GitHub Actions OIDC tokens enabling direct cloud identity impersonation
The attack’s most critical downstream impact targeted Tiledesk, an open-source live chat platform. The attacker compromised the GitHub repository and replaced the legitimate Docker build workflow with the Optimize-Build backdoor via commit acac5a9.
The maintainer, unaware that the repository was poisoned, subsequently published @tiledesk/tiledesk-server versions 2.18.6 through 2.18.12 to npm, propagating the backdoor to the package registry. Application code remained untouched; only the workflow file changed.
Indicators of Compromise (IoC)
Indicator Value
C2 Server hxxp://216[.]126[.]225[.]129:8443
Campaign ID megalodon
Author Emails build-system@noreply[.]dev, ci-bot@automated[.]dev
Author Names build-bot, auto-ci, ci-bot, pipeline-bot
Mass Workflow .github/workflows/ci.yml (SysDiag)
Targeted Workflow Optimize-Build (workflow_dispatch)
Affected npm Versions @tiledesk/tiledesk-server 2.18.6–2.18.12
Malicious Commit acac5a9854650c4ae2883c4740bf87d34120c038
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Mitigations
Organizations should act immediately if any repository receives a commit from build-system@noreply[.]dev or ci-bot@automated[.]dev on May 18, 2026:
Revert the malicious commit and audit all .github/workflows/ files
Rotate all secrets accessible to GitHub Actions runners — tokens, API keys, SSH keys, cloud credentials
Audit cloud logs for anomalous OIDC token requests from unknown workflow runs
Check the Actions tab for unexpected workflow_dispatch executions
Pin GitHub Actions to specific commit SHAs rather than mutable version tags
Implement workflow approval gates for pull requests from external contributors
SafeDep’s Malysis engine first flagged the campaign after detecting the base64-encoded payload inside a bundled workflow file in @tiledesk/tiledesk-server@2.18.12 — underscoring the value of automated supply chain scanning tools in catching attacks that bypass traditional code review.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Pardus Linux Local Privilege Escalation Flaw Allows Silent Root Access
Critical Chrome Vulnerabilities Enable Remote Code Execution Attacks – Patch Now!
Hackers Actively Exploiting Critical NGINX RCE Vulnerability in the Wild
Claude Code’s Network Sandbox Vulnerability Exposes User Credentials and Source Code
Grafana GitHub Breach Linked to TanStack npm Supply Chain Ransomware
Latest News
Cyber Security News
TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs
Cyber Security News
Fake Invitation Phishing Campaign Targets U.S. Organizations With Credential Theft
Cyber Security News
Indian Student Data Weaponized for Phishing, Social Engineering, and Financial Fraud
Chrome
Critical Chrome Vulnerabilities Enable Remote Code Execution Attacks – Patch Now!
Cyber Security
Authorities Have Taken Down “First VPN” Used in Ransomware Attacks