A sweeping automated supply chain attack codenamed “Megalodon” struck GitHub on May 18, 2026, injecting malicious CI/CD backdoors into over 5,500 repositories in under six hours — one of the most aggressive GitHub Actions poisoning campaigns ever recorded. Discovered by researchers at SafeDep, the campaign used throwaway accounts and disguised commits to implant credential-harvesting workflows that targeted cloud secrets, SSH keys, and OIDC tokens.
The Attack in Numbers
Between approximately 11:36 and 17:48 UTC on May 18, 2026, the Megalodon campaign pushed 5,718 malicious commits to 5,561 GitHub repositories. Throwaway accounts with randomized eight-character usernames served as the attack infrastructure, all using forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot) with email addresses like build-system@noreply.dev and ci-bot@automated.dev designed to mimic routine automated CI activity.
Commit messages such as “ci: add build optimization step” and “chore: optimize pipeline runtime” were carefully chosen to blend in with normal development activity and evade casual code review.
Two Distinct Attack Variants
The campaign deployed two GitHub Actions workflow variants, both connecting to the same C2 server at 216.126.225.129:8443:
- SysDiag (Mass Variant): Added a new
.github/workflows/ci.ymlfile triggering on everypushandpull_request_targetevent, ensuring automatic execution on any commit across all branches. This produced highly visible CI runs but cast the widest net. - Optimize-Build (Targeted Variant): Replaced existing workflows with a
workflow_dispatchtrigger — a dormant backdoor that the attacker can silently activate on demand via the GitHub API. This variant produces zero visible CI runs, no failed builds, and leaves no immediate signs of compromise.
Both variants requested elevated permissions (id-token: write and actions: read), enabling OIDC token theft for cloud identity impersonation. The base64-encoded bash payload conducted aggressive multi-phase credential harvesting once triggered, collecting:
- All CI environment variables,
/proc/*/environ, and PID 1 environment data - AWS credentials across all configured profiles
- GCP access tokens and live cloud metadata from AWS IMDSv2, GCP, and Azure IMDS endpoints
- SSH private keys, Docker auth configs,
.npmrc,.netrc, Kubernetes configs, Vault tokens, and Terraform credentials - Source code grep-scanned against 30+ regex patterns targeting API keys, JWTs, database strings, PEM keys, and cloud tokens
- GitHub Actions OIDC tokens enabling direct cloud identity impersonation without long-lived credentials
Downstream Impact: Tiledesk npm Package Poisoned
The attack’s most significant downstream impact targeted Tiledesk, an open-source live chat platform. The attacker compromised the Tiledesk GitHub repository and replaced the legitimate Docker build workflow with the Optimize-Build backdoor variant. The maintainer, unaware of the compromise, subsequently published @tiledesk/tiledesk-server versions 2.18.6 through 2.18.12 to the npm registry — propagating the backdoor to the public package registry. Application code remained untouched; only the CI workflow was modified, making detection extremely difficult.
Indicators of Compromise
- C2 Server: hxxp://216[.]126[.]225[.]129:8443
- Campaign ID: megalodon
- Author emails: build-system@noreply[.]dev, ci-bot@automated[.]dev
- Affected npm versions: @tiledesk/tiledesk-server 2.18.6–2.18.12
- Malicious commit: acac5a9854650c4ae2883c4740bf87d34120c038
Recommended Mitigations
Organizations should take the following steps immediately if any repository received commits from the identified author emails on May 18, 2026:
- Revert any malicious commits and audit all
.github/workflows/files for unauthorized changes. - Rotate all secrets accessible to GitHub Actions runners — tokens, API keys, SSH keys, and cloud credentials.
- Audit cloud access logs for anomalous OIDC token requests from unexpected workflow runs.
- Check the Actions tab for unexpected
workflow_dispatchexecutions that may indicate silent backdoor activation. - Pin GitHub Actions to specific commit SHAs rather than mutable version tags to prevent tag-based hijacking.
- Implement workflow approval gates for pull requests from external or first-time contributors.
- Deploy automated supply chain scanning tools capable of detecting base64-encoded payloads in workflow files.
SafeDep’s Malysis engine first flagged the campaign after detecting the encoded payload inside a bundled workflow file in the npm package — underscoring the critical role automated scanning plays in catching supply chain attacks that bypass traditional code review processes.