CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 22, 2026

Megalodon Malware Compromised 5,500+ GitHub Repos Within 6 Hours

Cybersecurity News Archived May 22, 2026 ✓ Full text saved

A sweeping automated supply chain attack codenamed “Megalodon” struck GitHub on May 18, 2026, injecting malicious CI/CD backdoors into over 5,500 repositories in less than six hours, marking one of the most aggressive GitHub Actions poisoning campaigns ever recorded. SafeDep discovered that between approximately 11:36 and 17:48 UTC on May 18, 2026, the Megalodon campaign […] The post Megalodon Malware Compromised 5,500+ GitHub Repos Within 6 Hours appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Attack News Megalodon Malware Compromised 5,500+ GitHub Repos Within 6 Hours By Guru Baran May 22, 2026 A sweeping automated supply chain attack codenamed “Megalodon” struck GitHub on May 18, 2026, injecting malicious CI/CD backdoors into over 5,500 repositories in less than six hours, marking one of the most aggressive GitHub Actions poisoning campaigns ever recorded. SafeDep discovered that between approximately 11:36 and 17:48 UTC on May 18, 2026, the Megalodon campaign pushed 5,718 malicious commits to 5,561 GitHub repositories using throwaway accounts with randomized eight-character usernames. The attacker forged author identities build-bot, auto-ci, ci-bot, pipeline-bot, with emails build-system@noreply.dev and ci-bot@automated.dev, mimicking routine automated CI maintenance. Commit messages such as “ci: add build optimization step” and “chore: optimize pipeline runtime” were deliberately designed to evade casual code review. Megalodon Payload Variants The campaign deployed two distinct GitHub Actions workflow variants sharing the same C2 server at 216.126.225.129:8443: SysDiag (Mass Variant): Added a new .github/workflows/ci.yml file triggering on every push and pull_request_target, ensuring automated execution on any commit across all branches Optimize-Build (Targeted Variant): Replaced existing workflows with a workflow_dispatch trigger, creating a dormant backdoor that the attacker can silently activate on demand via the GitHub API — producing zero visible CI runs and no failed builds. Both variants requested elevated permissions: id-token: write and actions: read, enabling OIDC token theft for cloud identity impersonation. The base64-encoded bash payload — a 111-line script — conducted aggressive, multi-phase credential harvesting once triggered: All CI environment variables, /proc/*/environ, and PID 1 environment data AWS credentials (access keys, secret keys, session tokens) across all configured profiles GCP access tokens via gcloud auth print-access-token Live credentials from AWS IMDSv2, GCP metadata, and Azure IMDS endpoints SSH private keys, Docker auth configs, .npmrc, .netrc, Kubernetes configs, Vault tokens, and Terraform credentials Source code grep-scanned against 30+ regex patterns targeting API keys, JWTs, database connection strings, PEM keys, and cloud tokens GitHub Actions OIDC tokens enabling direct cloud identity impersonation The attack’s most critical downstream impact targeted Tiledesk, an open-source live chat platform. The attacker compromised the GitHub repository and replaced the legitimate Docker build workflow with the Optimize-Build backdoor via commit acac5a9. The maintainer, unaware that the repository was poisoned, subsequently published @tiledesk/tiledesk-server versions 2.18.6 through 2.18.12 to npm, propagating the backdoor to the package registry. Application code remained untouched; only the workflow file changed. Indicators of Compromise (IoC) Indicator Value C2 Server hxxp://216[.]126[.]225[.]129:8443 Campaign ID megalodon Author Emails build-system@noreply[.]dev, ci-bot@automated[.]dev Author Names build-bot, auto-ci, ci-bot, pipeline-bot Mass Workflow .github/workflows/ci.yml (SysDiag) Targeted Workflow Optimize-Build (workflow_dispatch) Affected npm Versions @tiledesk/tiledesk-server 2.18.6–2.18.12 Malicious Commit acac5a9854650c4ae2883c4740bf87d34120c038 Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Mitigations Organizations should act immediately if any repository receives a commit from build-system@noreply[.]dev or ci-bot@automated[.]dev on May 18, 2026: Revert the malicious commit and audit all .github/workflows/ files Rotate all secrets accessible to GitHub Actions runners — tokens, API keys, SSH keys, cloud credentials Audit cloud logs for anomalous OIDC token requests from unknown workflow runs Check the Actions tab for unexpected workflow_dispatch executions Pin GitHub Actions to specific commit SHAs rather than mutable version tags Implement workflow approval gates for pull requests from external contributors SafeDep’s Malysis engine first flagged the campaign after detecting the base64-encoded payload inside a bundled workflow file in @tiledesk/tiledesk-server@2.18.12 — underscoring the value of automated supply chain scanning tools in catching attacks that bypass traditional code review. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Pardus Linux Local Privilege Escalation Flaw Allows Silent Root Access Critical Chrome Vulnerabilities Enable Remote Code Execution Attacks – Patch Now! Hackers Actively Exploiting Critical NGINX RCE Vulnerability in the Wild Claude Code’s Network Sandbox Vulnerability Exposes User Credentials and Source Code Grafana GitHub Breach Linked to TanStack npm Supply Chain Ransomware Latest News Cyber Security News TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs Cyber Security News Fake Invitation Phishing Campaign Targets U.S. Organizations With Credential Theft Cyber Security News Indian Student Data Weaponized for Phishing, Social Engineering, and Financial Fraud Chrome Critical Chrome Vulnerabilities Enable Remote Code Execution Attacks – Patch Now! Cyber Security Authorities Have Taken Down “First VPN” Used in Ransomware Attacks
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 22, 2026
    Archived
    May 22, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗