Megalodon Malware Compromised 5,500+ GitHub Repos Within 6 Hours

A sweeping automated supply chain attack codenamed “Megalodon” struck GitHub on May 18, 2026, injecting malicious CI/CD backdoors into over 5,500 repositories in less than six hours, marking one of the most aggressive GitHub Actions poisoning campaigns ever recorded.

SafeDep discovered that between approximately 11:36 and 17:48 UTC on May 18, 2026, the Megalodon campaign pushed 5,718 malicious commits to 5,561 GitHub repositories using throwaway accounts with randomized eight-character usernames.

The attacker forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot) with the emails build-system@noreply.dev and ci-bot@automated.dev, mimicking routine automated CI maintenance.

Commit messages such as “ci: add build optimization step” and “chore: optimize pipeline runtime” were deliberately designed to evade casual code review.

Megalodon Payload Variants

The campaign deployed two distinct GitHub Actions workflow variants sharing the same C2 server at 216.126.225.129:8443:

  • SysDiag (Mass Variant): Added a new .github/workflows/ci.yml file triggering on every push and pull_request_target, ensuring automated execution on any commit across all branches
  • Optimize-Build (Targeted Variant): Replaced existing workflows with a workflow_dispatch trigger, creating a dormant backdoor that the attacker can silently activate on demand via the GitHub API — producing zero visible CI runs and no failed builds.

Both variants requested elevated permissions: id-token: write and actions: read, enabling OIDC token theft for cloud identity impersonation.

The base64-encoded bash payload — a 111-line script — conducted aggressive, multi-phase credential harvesting once triggered:

  • All CI environment variables, /proc/*/environ, and PID 1 environment data
  • AWS credentials (access keys, secret keys, session tokens) across all configured profiles
  • GCP access tokens via gcloud auth print-access-token
  • Live credentials from AWS IMDSv2, GCP metadata, and Azure IMDS endpoints
  • SSH private keys, Docker auth configs, .npmrc, .netrc, Kubernetes configs, Vault tokens, and Terraform credentials
  • Source code grep-scanned against 30+ regex patterns targeting API keys, JWTs, database connection strings, PEM keys, and cloud tokens
  • GitHub Actions OIDC tokens enabling direct cloud identity impersonation

The attack’s most critical downstream impact targeted Tiledesk, an open-source live chat platform. The attacker compromised the GitHub repository and replaced the legitimate Docker build workflow with the Optimize-Build backdoor via commit acac5a9.

The maintainer, unaware that the repository was poisoned, subsequently published @tiledesk/tiledesk-server versions 2.18.6 through 2.18.12 to npm, propagating the backdoor to the package registry. Application code remained untouched; only the workflow file changed.

Indicators of Compromise (IoC)

Indicator               Value
C2 Server               hxxp://216[.]126[.]225[.]129:8443
Campaign ID             megalodon
Author Emails           build-system@noreply[.]dev, ci-bot@automated[.]dev
Author Names            build-bot, auto-ci, ci-bot, pipeline-bot
Mass Workflow           .github/workflows/ci.yml (SysDiag)
Targeted Workflow       Optimize-Build (workflow_dispatch)
Affected npm Versions   @tiledesk/tiledesk-server 2.18.6–2.18.12
Malicious Commit        acac5a9854650c4ae2883c4740bf87d34120c038

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Mitigations

Organizations should act immediately if any repository receives a commit from build-system@noreply[.]dev or ci-bot@automated[.]dev on May 18, 2026:

  1. Revert the malicious commit and audit all .github/workflows/ files
  2. Rotate all secrets accessible to GitHub Actions runners — tokens, API keys, SSH keys, cloud credentials
  3. Audit cloud logs for anomalous OIDC token requests from unknown workflow runs
  4. Check the Actions tab for unexpected workflow_dispatch executions
  5. Pin GitHub Actions to specific commit SHAs rather than mutable version tags
  6. Implement workflow approval gates for pull requests from external contributors
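The following triage script is an added example written for this article; it is not SafeDep tooling or code from the report. It turns the workflow traits described above (pull_request_target and workflow_dispatch triggers, id-token: write, a long base64 literal piped to bash, unpinned action tags) and the author/commit indicators from the IoC table into two checks a responder can run over a repository: one over each .github/workflows/*.yml file and one over git log output in the format %H|%an|%ae|%s. The sample workflow, the decoded "payload" text and the log lines are constructed for the demo; only the C2 address, author names, emails, commit hash and commit subjects are taken from the article, and the pairing of the real commit hash with a particular author name is an assumption.

```python
import base64
import re

# Indicators quoted from the SafeDep findings summarized in the article.
IOC_AUTHOR_EMAILS = {"build-system@noreply.dev", "ci-bot@automated.dev"}
IOC_AUTHOR_NAMES = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
IOC_C2 = "216.126.225.129:8443"
IOC_COMMIT = "acac5a9854650c4ae2883c4740bf87d34120c038"
IOC_SUBJECTS = {"ci: add build optimization step", "chore: optimize pipeline runtime"}

# Workflow traits shared by the SysDiag (mass) and Optimize-Build (targeted) variants.
RISKY_TRIGGERS = ("pull_request_target", "workflow_dispatch")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# 'uses: owner/repo@ref' where ref is not a 40-hex commit SHA (mitigation step 5).
UNPINNED_USES = re.compile(r"uses:\s*(\S+)@(?![0-9a-f]{40}\b)(\S+)")


def decode_base64_blobs(text):
    """Return the UTF-8 text of every long base64 literal that decodes cleanly."""
    decoded = []
    for blob in B64_BLOB.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or binary output: ignore for this heuristic
    return decoded


def scan_workflow(text):
    """Heuristic scan of one workflow file; returns a list of finding strings."""
    findings = []
    for trigger in RISKY_TRIGGERS:
        if re.search(rf"\b{trigger}\b", text):
            findings.append(f"trigger:{trigger}")
    if re.search(r"id-token\s*:\s*write", text):
        findings.append("permission:id-token-write")
    for match in UNPINNED_USES.finditer(text):
        findings.append(f"unpinned:{match.group(1)}@{match.group(2)}")
    for payload in decode_base64_blobs(text):
        findings.append("base64-payload")
        if IOC_C2 in payload:
            findings.append("c2:" + IOC_C2)
    return findings


def scan_commit_log(lines):
    """Flag git log lines (format '%H|%an|%ae|%s') that match the Megalodon IoCs."""
    flagged = []
    for line in lines:
        sha, name, email, subject = line.split("|", 3)
        reasons = []
        if sha == IOC_COMMIT:
            reasons.append("known-malicious-commit")
        if email in IOC_AUTHOR_EMAILS:
            reasons.append("ioc-email")
        if name in IOC_AUTHOR_NAMES:
            reasons.append("ioc-author")
        if subject in IOC_SUBJECTS:
            reasons.append("ioc-subject")
        if reasons:
            flagged.append((sha[:7], reasons))
    return flagged


# Constructed stand-in for the decoded payload: only the C2 string is an IoC from the report.
FAKE_PAYLOAD = "#!/bin/bash\n# constructed placeholder, not the 111-line script\nC2=216.126.225.129:8443\n"
FAKE_B64 = base64.b64encode(FAKE_PAYLOAD.encode()).decode()

# Constructed workflow shaped like the SysDiag variant described in the article.
SAMPLE_WORKFLOW = f"""name: SysDiag
on: [push, pull_request_target]
permissions:
  id-token: write
  actions: read
jobs:
  diag:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo {FAKE_B64} | base64 -d | bash
"""

# Constructed git log output; the first line pairs the real commit hash with IoC author data.
SAMPLE_LOG = [
    "acac5a9854650c4ae2883c4740bf87d34120c038|build-bot|build-system@noreply.dev|ci: add build optimization step",
    "1111111111111111111111111111111111111111|Jane Dev|jane@example.org|fix: handle null session",
]

if __name__ == "__main__":
    print("workflow findings:", scan_workflow(SAMPLE_WORKFLOW))
    print("flagged commits:", scan_commit_log(SAMPLE_LOG))
```

The workflow scan is deliberately line-oriented rather than a YAML parse so it runs without third-party modules and still works on files an attacker has deliberately mangled; treat its output as triage hints to be confirmed by reading the file, then proceed with the secret rotation and OIDC log review in steps 2 and 3.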

SafeDep’s Malysis engine first flagged the campaign after detecting the base64-encoded payload inside a bundled workflow file in @tiledesk/tiledesk-server@2.18.12 — underscoring the value of automated supply chain scanning tools in catching attacks that bypass traditional code review.

The post Megalodon Malware Compromised 5,500+ GitHub Repos Within 6 Hours appeared first on Cyber Security News.