Megalodon Attack Backdoors 5,500+ GitHub Repos via CI/CD
A sweeping automated supply chain campaign codenamed “Megalodon” struck GitHub on May 18, 2026, injecting malicious CI/CD backdoors into over 5,500 repositories in under six hours, marking one of the most aggressive GitHub Actions poisoning campaigns ever recorded.
Security researchers at SafeDep identified that between approximately 11:36 and 17:48 UTC, the Megalodon campaign pushed 5,718 malicious commits across 5,561 repositories using throwaway accounts with randomized eight-character usernames.
To evade detection, the attacker forged author identities (build-bot, auto-ci, ci-bot, and pipeline-bot) paired with deceptive emails like build-system@noreply[.]dev and ci-bot@automated[.]dev, convincingly mimicking routine CI maintenance bots.
Commit messages such as “ci: add build optimization step” and “chore: optimize pipeline runtime” were carefully crafted to sail past casual code review.
Megalodon deployed two distinct GitHub Actions workflow variants, both beaconing to the same command-and-control server at 216[.]126[.]225[.]129:8443:
- SysDiag (Mass Variant): Introduced a new `.github/workflows/ci.yml` file triggering on every `push` and `pull_request_target`, guaranteeing automated execution on any commit across all branches.
- Optimize-Build (Targeted Variant): Silently replaced existing workflows with a `workflow_dispatch` trigger, creating a dormant backdoor activatable on demand via the GitHub API, producing zero visible CI runs and no failed builds.
Both variants requested elevated permissions (`id-token: write` and `actions: read`), enabling OIDC token theft for cloud identity impersonation.
Once triggered, a 111-line base64-encoded bash payload executed an aggressive, multi-phase credential sweep targeting:
- All CI environment variables, `/proc/*/environ`, and PID 1 environment data
- AWS access keys, secret keys, and session tokens across all configured profiles
- GCP access tokens via `gcloud auth print-access-token`
- Live credentials from AWS IMDSv2, GCP metadata, and Azure IMDS endpoints
- SSH private keys, Docker auth configs, `.npmrc`, `.netrc`, Kubernetes configs, Vault tokens, and Terraform credentials
- Source code grep-scanned against 30+ regex patterns targeting API keys, JWTs, database connection strings, PEM keys, and cloud tokens
- GitHub Actions OIDC tokens enabling direct cloud identity impersonation
The attack’s most significant downstream impact targeted Tiledesk, an open-source live chat platform. The attacker compromised its GitHub repository via malicious commit acac5a9, replacing the legitimate Docker build workflow with the Optimize-Build backdoor.
The maintainer, unaware of the poisoning, subsequently published @tiledesk/tiledesk-server versions 2.18.6 through 2.18.12 to npm, propagating the backdoor to the package registry while application code remained untouched.
Indicators of Compromise (IoC)
| Indicator | Value |
|---|---|
| C2 Server | hxxp://216[.]126[.]225[.]129:8443 |
| Campaign ID | megalodon |
| Author Emails | build-system@noreply[.]dev, ci-bot@automated[.]dev |
| Author Names | build-bot, auto-ci, ci-bot, pipeline-bot |
| Affected npm Versions | @tiledesk/tiledesk-server 2.18.6–2.18.12 |
| Malicious Commit | acac5a9854650c4ae2883c4740bf87d34120c038 |
Mitigations
Organizations should act immediately if any repository received a commit from the flagged author emails on May 18, 2026:
- Revert malicious commits and audit all `.github/workflows/` files
- Rotate all secrets accessible to GitHub Actions runners: tokens, API keys, SSH keys, and cloud credentials
- Audit cloud logs for anomalous OIDC token requests from unknown workflow runs
- Pin GitHub Actions to specific commit SHAs rather than mutable version tags
- Implement workflow approval gates for pull requests from external contributors
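The workflow features described above (the `pull_request_target` and `workflow_dispatch` triggers, the `id-token: write` permission, a base64-encoded payload inside a step, and actions referenced by mutable tags instead of commit SHAs) and the audit steps in the mitigation list (inspecting workflow files and checking history for the flagged author identities) can be triaged with a short script. The following is an added example, not SafeDep's Malysis engine or any tooling from the article. It uses only the Python standard library, inspects workflow YAML line by line with regular expressions rather than a YAML parser, and embeds constructed sample workflows, a harmless constructed stand-in script in place of the real payload, and constructed git log lines with placeholder commit hashes.

```python
"""Triage helpers for the two artefact types the article describes: GitHub
Actions workflow files carrying a Megalodon-style backdoor, and git history
containing commits from the forged bot identities.

Added example, not SafeDep's or Tiledesk's code. Standard library only."""
import base64
import re

# Indicators from the article's IoC table (defanging brackets removed).
FLAGGED_EMAILS = {"build-system@noreply.dev", "ci-bot@automated.dev"}
FLAGGED_NAMES = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A long unbroken base64 run inside a workflow step is unusual in hand-written YAML.
B64_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
SHELL_MARKERS = (b"#!/", b"bash", b"curl ", b"/proc/")


def scan_workflow(text):
    """Return (line_no, code, detail) findings for risky workflow constructs."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if re.search(r"\bpull_request_target\b", line):
            findings.append((n, "pull_request_target",
                             "runs with base-repo secrets on external PRs"))
        if re.search(r"\bworkflow_dispatch\b", line):
            findings.append((n, "workflow_dispatch",
                             "on-demand trigger; confirm it was added deliberately"))
        if re.search(r"\bid-token:\s*write\b", line):
            findings.append((n, "id-token-write",
                             "workflow may mint OIDC tokens for cloud identity"))
        m = USES_RE.match(line)
        if m:
            ref = m.group(1).split("@", 1)
            if len(ref) != 2 or not SHA_RE.match(ref[1]):
                findings.append((n, "unpinned-action",
                                 f"{m.group(1)} is not pinned to a commit SHA"))
        for blob in B64_RE.findall(line):
            detail = "long base64 literal in workflow"
            try:
                decoded = base64.b64decode(blob, validate=True)
                if any(mk in decoded for mk in SHELL_MARKERS):
                    detail += "; decodes to shell script content"
            except ValueError:  # not valid base64 after all
                pass
            findings.append((n, "base64-blob", detail))
    return findings


def flag_commits(log_text):
    """Parse `git log --all --format='%H|%an|%ae|%s'` output and return the
    commits whose author name or email matches the campaign's forged identities."""
    hits = []
    for line in log_text.strip().splitlines():
        sha, name, email, subject = line.split("|", 3)
        if email in FLAGGED_EMAILS or name in FLAGGED_NAMES:
            hits.append((sha, name, email, subject))
    return hits


# --- Constructed samples: not the real payload, not real repository data ---
SAMPLE_SCRIPT = (b"#!/bin/bash\n# constructed stand-in for an encoded payload; "
                 b"it only prints a line\necho 'sample'\n")
SAMPLE_BLOB = base64.b64encode(SAMPLE_SCRIPT).decode()

WEAK_WORKFLOW = f"""name: ci
on:
  push:
  pull_request_target:
permissions:
  id-token: write
  actions: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: build optimization step
        run: echo "{SAMPLE_BLOB}" | base64 -d | bash
"""

HARDENED_WORKFLOW = """name: ci
on:
  push:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - run: npm ci && npm test
"""

SAMPLE_GIT_LOG = """\
1111111111111111111111111111111111111111|Jane Dev|jane@example.com|fix: handle empty input
2222222222222222222222222222222222222222|build-bot|build-system@noreply.dev|ci: add build optimization step
3333333333333333333333333333333333333333|ci-bot|ci-bot@automated.dev|chore: optimize pipeline runtime
"""

if __name__ == "__main__":
    for f in scan_workflow(WEAK_WORKFLOW):
        print("weak workflow  L%d %-20s %s" % f)
    print("hardened workflow findings:", scan_workflow(HARDENED_WORKFLOW))
    for sha, name, email, subject in flag_commits(SAMPLE_GIT_LOG):
        print("flagged commit", sha[:7], name, email, subject)
```

In a real audit, run `git log --all --format='%H|%an|%ae|%s'` in each repository and feed the output to `flag_commits`, and pass every file under `.github/workflows/` to `scan_workflow`. A `workflow_dispatch` hit is reported for confirmation rather than as a definite problem, since the article describes that trigger replacing a legitimate workflow; the trigger itself is not malicious, the replacement is.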
SafeDep’s Malysis engine first flagged the campaign after detecting the base64-encoded payload inside a bundled workflow file in @tiledesk/tiledesk-server@2.18.12, underscoring the critical value of automated supply chain scanning tools in catching attacks that bypass traditional code review.