On May 18, 2026, between 11:36 and 17:48 UTC — a six-hour window — a supply chain attacker dubbed Megalodon injected malicious GitHub Actions workflows into 5,561 open-source repositories via 5,718 commits, deploying a credential-exfiltration payload capable of stealing cloud provider keys, SSH private keys, Docker credentials, and dozens of other secrets from CI/CD (Continuous Integration / Continuous Delivery — automated pipelines that build, test, and deploy software) environments. Researchers at SafeDep discovered the campaign after finding a backdoored version of the npm (Node Package Manager — the primary package registry for the JavaScript ecosystem) package @tiledesk/tiledesk-server that traced back to a compromised GitHub repository. The attacker exfiltrated secrets to a command-and-control server at 216.126.225.129:8443. Any repository in the attack window with CI/CD environment variables should be treated as fully compromised.
// 01 Megalodon: Technical Details
The attack exploited compromised GitHub credentials — stolen Personal Access Tokens (PATs — long-lived authentication tokens used to authenticate to the GitHub API without a password) or deploy keys — to bypass pull request review requirements by pushing directly to the master or main branch of target repositories. This direct-push technique sidesteps code review workflows entirely, as most repository protection policies allow collaborators with sufficient permission to push directly without review.
To avoid detection, Megalodon forged commit author metadata to impersonate automated pipeline accounts:
- Fake author names:
build-bot,auto-ci,ci-bot,pipeline-bot - Spoofed email addresses:
build-system@noreply.dev,ci-bot@automated.dev - Commit messages:
"ci: add build optimization step","chore: optimize pipeline runtime"— wording indistinguishable from legitimate CI maintenance commits
The injected payloads appeared in .github/workflows/ directories as new or replacement GitHub Actions YAML files. SafeDep identified two distinct payload variants:
Variant 1 — SysDiag (mass execution): A workflow triggered on every push and pull_request event, maximizing the number of CI runs that execute the payload across all contributor activity.
Variant 2 — Optimize-Build (targeted dormant backdoor): Replaces existing workflow files with workflow_dispatch-triggered variants. These backdoors remain dormant until the attacker manually triggers them via the GitHub API, providing on-demand access to the CI/CD environment of specific high-value repositories.
Both variants use base64-encoded bash payloads — encoding the malicious shell commands in Base64 (a binary-to-text encoding scheme) to defeat content-based scanning that looks for recognizable attack strings in workflow files.
The exfiltration payload scans for secrets using 30+ regex (regular expression — pattern-matching rules) patterns targeting:
- AWS access keys and secret keys, instance role credentials
- Google Cloud Platform (GCP) access tokens and instance metadata
- Azure credentials and managed identity tokens
- OIDC (OpenID Connect) tokens
- SSH private keys
- Docker configuration files (which may contain registry credentials)
- Kubernetes configuration files (
kubeconfig) with cluster authentication data - HashiCorp Vault tokens
- Terraform state credentials
- GitHub and Bitbucket personal access tokens
.npmrcfiles (which may contain npm publish tokens for package registries)- Embedded API keys and JWT (JSON Web Tokens) in source code
All captured secrets are sent to the C2 server at 216.126.225.129:8443.
// 02 Exploitation Status and Threat Landscape
Megalodon's six-hour campaign represents one of the largest known single-day GitHub supply chain attacks by repository count. The campaign is distinct from but stylistically similar to previous supply chain attacks attributed to TeamPCP (a threat actor known for CI/CD credential theft campaigns). SafeDep researchers assessed that Megalodon is a different threat actor copying TeamPCP's behavioral patterns rather than TeamPCP itself, citing differences in code implementation despite surface-level similarity.
The downstream npm supply chain impact is the most immediately dangerous aspect: @tiledesk/tiledesk-server versions 2.18.6 through 2.18.12 were published to the npm registry with an embedded backdoor. A legitimate maintainer unknowingly built and published these versions from the compromised GitHub repository — the backdoor was entirely hidden in the CI/CD workflow layer, not in any application code visible to code reviewers or automated scanning tools that only analyze source files.
This illustrates a key characteristic of CI/CD supply chain attacks: they target the build environment, not the source code itself. Existing defenses focused on source code scanning, dependency analysis (SCA — Software Composition Analysis), and static analysis miss this class of attack entirely.
// 03 Who Is Affected
Directly compromised repositories (confirmed):
- 5,561 GitHub repositories across multiple organizations
- 9 Tiledesk repositories (including the npm-published server package)
- 8 Black-Iron-Project repositories
- WISE-Community projects and numerous smaller open-source projects
Downstream npm consumers:
Any project that installed @tiledesk/tiledesk-server versions 2.18.6–2.18.12 between May 18 and the time the poisoned versions were removed from npm.
Scope of risk:
Because the attack targets GitHub Actions workflows rather than application code, the vulnerability is language-agnostic. Repositories in any programming language using GitHub Actions for CI/CD are equally at risk. The attack window is May 18, 2026, 11:36–17:48 UTC — repositories that ran CI/CD pipelines during this window from compromised repositories should be considered to have had their CI/CD secrets exposed.
// 04 What You Should Do Right Now
- Audit your GitHub repositories for Megalodon indicators. Check all
.github/workflows/files in your repositories for commits made on May 18, 2026, between 11:36 and 17:48 UTC by unfamiliar authors or accounts namedbuild-bot,auto-ci,ci-bot, orpipeline-bot. Review commit email addresses forbuild-system@noreply.devorci-bot@automated.dev. Use:
git log --all --author="build-bot|auto-ci|ci-bot|pipeline-bot" --since="2026-05-18T11:00" --until="2026-05-18T18:00"
- Rotate all CI/CD secrets and environment variables immediately if your repository ran pipelines during the attack window. SafeDep's researchers advise developers to "consider ALL of your CI/CD variables pwned." This includes:
AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
GOOGLE_APPLICATION_CREDENTIALS / GCP_SA_KEY
AZURE_CLIENT_SECRET / AZURE_CREDENTIALS
SSH_PRIVATE_KEY
DOCKER_PASSWORD / DOCKER_HUB_TOKEN
NPM_TOKEN / NPM_AUTH_TOKEN
GITHUB_TOKEN (legacy PATs)
KUBECONFIG
VAULT_TOKEN
- Check npm for poisoned package versions. If you use
@tiledesk/tiledesk-server, pin to a version outside the 2.18.6–2.18.12 range and verify yourpackage-lock.jsondoes not reference any of those versions:
npm ls @tiledesk/tiledesk-server
- Implement branch protection rules on all production branches. Require pull request reviews for all pushes to
mainandmaster. Enable "Require review from Code Owners" and restrict who can bypass branch protection. This would have prevented Megalodon's direct-push attack vector.
- Audit GitHub repository collaborator permissions and PAT access. Run a permissions audit to identify PATs with write access to your repositories. Revoke any tokens that are no longer actively used, and rotate all tokens that have push access as a precaution.
- Monitor for unauthorized cloud API activity. If AWS, GCP, or Azure credentials were in your CI/CD environment during the attack window, check CloudTrail (AWS), Cloud Audit Logs (GCP), or Azure Activity Log for API calls from unexpected regions, IP addresses, or services — particularly around and after May 18, 2026.
// 05 Background: Understanding the Risk
CI/CD workflow injection is a class of supply chain attack that targets the build and deployment pipeline rather than the application itself. It is particularly dangerous because:
Code review does not catch it. CI/CD workflow files in .github/workflows/ are often reviewed less rigorously than application code, treated as boilerplate maintenance rather than security-sensitive configuration. Megalodon's use of innocent-sounding commit messages and fake pipeline bot identities exploits this tendency.
Scanning tools miss it. SAST (Static Application Security Testing), SCA, and dependency scanning tools analyze source code and package manifests — not the commands executed during CI/CD runs. A backdoored GitHub Actions step that runs a base64-decoded bash command is invisible to tools that only inspect source files.
The impact is disproportionate. CI/CD pipelines typically have elevated credentials: they need to authenticate to cloud providers to deploy infrastructure, push to package registries to publish releases, and access secret management systems to retrieve application secrets. A single compromised CI/CD runner can yield credentials that provide access across an entire organization's cloud estate.
This attack pattern has direct precedents: the 2020 SolarWinds compromise involved injecting malicious code into the build pipeline; the 2021 Codecov breach involved a compromised CI script that harvested environment variables from thousands of customer pipelines. Megalodon applies the same principle at GitHub Actions scale.
// 06 Conclusion
The Megalodon campaign demonstrates that supply chain attackers are moving faster and at larger scale than most organizations' detection and response capabilities can match — 5,561 repositories in six hours with language-agnostic impact across every cloud platform. Any organization with repositories that ran GitHub Actions pipelines on May 18, 2026 between 11:36 and 17:48 UTC must treat all CI/CD secrets from that period as compromised and rotate them immediately. Longer-term, mandatory pull request reviews, PAT scope reduction, and workflow file auditing are the structural mitigations that prevent the next Megalodon-style campaign from succeeding.
For any query contact us at contact@cipherssecurity.com