Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows
Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows
Ravie LakshmananMay 22, 2026Supply Chain Attack / Cloud Security
Cybersecurity researchers have disclosed details of a new automated campaign called Megalodon that has pushed 5,718 malicious commits to 5,561 GitHub repositories within a six-hour window.
"Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected GitHub Actions workflows containing base64-encoded bash payloads that exfiltrate CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets to a C2 server at 216.126.225[.]129:8443," SafeDep said in a report.
The complete list of data harvested by the malware is below -
CI environment variables, /proc/*/environ, and PID 1 environment Amazon Web Services (AWS) credentials Google Cloud access tokens Instance role credentials obtained by querying AWS IMDSv2, Google Cloud metadata, and Microsoft Azure Instance Metadata Service (IMDS) endpoints SSH private keys Docker and Kubernetes configurations Vault tokens Terraform credentials Shell history API keys, database connection strings, JWTs, PEM private keys, and cloud tokens matching more than 30 secret regular expression patterns GitHub Actions OIDC token request URL and token GITHUB_TOKEN, GitLab CI/CD tokens, and Bitbucket tokens .env files, credentials.json, service-account.json, and other configuration files
One of the impacted packages is @tiledesk/tiledesk-server, which bundles a Base64-encoded bash payload within a GitHub Actions workflow file. In all, 5,718 commits were pushed against 5,561 distinct repositories on May 18, 2026, between 11:36 a.m. and 5:48 p.m. UTC.
"The attacker rotated through four author names (build-bot, auto-ci, ci-bot, pipeline-bot) and seven commit messages, all mimicking routine CI maintenance," SafeDep said. "The attacker used throwaway GitHub accounts with random 8-character usernames (e.g., rkb8el9r, bhlru9nr, lo6wt4t6), set git config to forge the author identity, and pushed via compromised PATs or deploy keys."
Two payload variants have been observed as part of the large-scale campaign: SysDiag, a mass variant which adds a new workflow that's triggered on every push and pull request, and Optimize-Build, a targeted variant that activates only on workflow_dispatch, a GitHub Actions trigger that allows users to manually run a workflow on-demand. In the case of Tiledesk, the targeted approach is used to target CI/CD runners, and not when the npm package is installed.
"The tradeoff is reach: on: push would guarantee execution on every commit to master, hitting more targets without intervention," SafeDep added. "Workflow_dispatch sacrifices that for operational security. With 5,700+ repos compromised, even a small fraction yielding a usable GITHUB_TOKEN gives the attacker enough targets for on-demand triggering."
The result is that once a repository owner merges the commit, the malware executes inside their CI/CD pipelines and spreads further, enabling the theft of credentials and secrets at scale.
"We've entered a new supply chain attack era, and TeamPCP compromising GitHub was only the beginning," OX Security's Moshe Siman Tov Bustan said. "What's coming next is an endless wave, a tsunami of cyber attacks on developers worldwide."
The development comes as TeamPCP has weaponized the interlinked software supply chain to corrupt hundreds of open-source tools, worming their way through several ecosystems and extorting victims for profit in some cases. Microsoft-owned GitHub has become the latest addition to the group's long list of victims, which also includes TanStack, Grafana Labs, OpenAI, and Mistral AI.
TeamPCP attacks have fueled a cyclical exploitation of popular open-source projects, where one compromise feeds the next, allowing the malware to spread like wildfire in a worm-like fashion. The group also appears to be financially motivated and has established partnerships with BreachForums and other extortion crews like LAPSUS$ and VECT.
What's more, the group seems to be geopolitically motivated as well, as evidenced by the deployment of wiper malware upon detecting machines located in Iran and Israel.
The fallout from TeamPCP's attack spree and the Mini Shai-Hulud worm has prompted npm to invalidate granular access tokens with write access that bypasses two-factor authentication (2FA). NPM is also urging users to switch to Trusted Publishing to reduce reliance on such tokens.
"By burning every bypass-2FA token on the platform, npm cuts off the credentials the worm has already collected," application security firm Socket said. "Maintainers issue new ones. The worm, still active in the wild, goes back to harvesting them. The reset buys breathing room. It does not close the underlying hole."
Activity clusters like Megalodon and TeamPCP involve compromising legitimate packages to distribute malware. In contrast, a throwaway account named "polymarketdev" has been found to publish nine malicious npm packages impersonating Polymarket trading CLI tools within a 30-second window to steal victims' Ethereum/Polygon private keys via a postinstall hook.
As of writing, they are still available for download from npm. The names of the packages are below -
polymarket-trading-cli polymarket-terminal polymarket-trade polymarket-auto-trade polymarket-copy-trading polymarket-bot polymarket-claude-code polymarket-ai-agent polymarket-trader
"On install, a postinstall script displays a fake wallet onboarding prompt that asks the user to paste their private key, claiming 'it stays encrypted,'" SafeDep said. "The script POSTs the raw key in plaintext to a Cloudflare Worker at hxxps://polymarketbot.polymarketdev.workers[.]dev/v1/wallets/keys."
"The attacker built a functional trading CLI around a credential theft operation. Social engineering carries the attack: the postinstall prompt looks like standard wallet onboarding, the masking mimics secure input, and the GitHub repo provides false credibility"
Update
In a follow-up analysis published on May 23, 2026, Hudson Rock revealed that the Megalodon supply chain attack originated from information sealer infections that enabled the theft of GitHub credentials, allowing the threat actor behind the campaign to push the malicious payload.
Specifically, more than 33% of the unique usernames associated with the affected repositories -- i.e., 331 out of 978 -- have been found to be "direct matches to computers infected by infostealers," the company said. Even in scenarios where there didn't exist an exact overlap based solely on usernames, the email addresses tied to the GitHub accounts have unearthed additional stealer compromises.
"This leads us to a definitive conclusion: The affected accounts enabling the Megalodon supply chain attack are exclusively sourced from infostealer data," Hudson Rock said. "The Megalodon campaign is a stark reminder that if developers and employees are infected with infostealers, platforms like GitHub become the launchpad for devastating cascading events."
(The story was updated after publication on May 24, 2026, with new insights from Hudson Rock.)
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Tweet Share Share Share
SHARE Cloud security, Credential Theft, cybersecurity, GitHub, GitHub Actions, Malware, NPM, Open Source, Supply Chain Attack
⚡ Top Stories This Week
Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software
Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows
ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories
Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros
GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension
GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos
Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit
DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability
⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws
MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems
NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE
Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective
The New Phishing Click: How OAuth Consent Bypasses MFA
Developer Workstations Are Now Part of the Software Supply Chain
⭐ Featured Resources
Claim ANY.RUN Anniversary Offer for Faster Malware Analysis
[Guide] Learn to Detect AI Typosquatting Risks in Your Domain
[Guide] Get Key Identity Security Insights From 2026 Snapshot
Discover How to Navigate the Era of Constant Cyber Exposure
Cybersecurity Webinars
With HD Moore (Creator of Metasploit) Learn How to Detect Threats Beyond Zero Day Attacks Learn practical strategies to detect and defend against cyber threats beyond zero-day vulnerabilities. Register
Tired of False Positives? Validate Automated Pentesting Results Before Acting Learn how to validate automated pentesting results for accurate security decisions. Register
⚡ Latest News
Cybersecurity Resources
AI Is Reshaping Every Attack Surface. Train for What's NextSANSFIRE 2026 in D.C. brings 50+ courses, AI-focused sessions, and NetWars. July 13–18. Save $500. Your VPN is Helping Attackers Move as