A Pervasive Automated Supply Chain Attack: The “Megalodon” Incident
On May 18, 2026, a sweeping automated supply chain assault designated “Megalodon” targeted GitHub, surreptitiously injecting malevolent CI/CD backdoors into upwards of 5,500 repositories within a mere six hours.
This incident signifies one of the most aggressive campaigns of GitHub Actions poisoning ever chronicled.
SafeDep reported that between approximately 11:36 and 17:48 UTC on the same day, the Megalodon campaign executed 5,718 pernicious commits across 5,561 GitHub repositories.
The attackers utilized ephemeral accounts characterized by randomly generated eight-character usernames.
The perpetrators crafted author identities such as build-bot, auto-ci, ci-bot, and pipeline-bot, using the emails build-system@noreply[.]dev and ci-bot@automated[.]dev (defanged here, as in the IoC table below). This mimicry of routine automated CI maintenance was intentional and cunning.
Commit messages like “ci: add build optimization step” and “chore: optimize pipeline runtime” were specifically designed to elude casual code reviews, enhancing the stealth of the attack.
Megalodon Payload Variants
The Megalodon campaign employed two divergent GitHub Actions workflow variants, both communicating with the same command and control (C2) server located at 216.126.225.129:8443:
- SysDiag (Mass Variant): Introduced a new `.github/workflows/ci.yml` file set to trigger on every `push` and `pull_request_target`, guaranteeing automated execution on any commit across all branches.
- Optimize-Build (Targeted Variant): Substituted existing workflows with a `workflow_dispatch` trigger, crafting a dormant backdoor that the attacker could stealthily activate on demand through the GitHub API, resulting in zero visible CI runs and no failed builds.
Both variants sought elevated permissions: id-token: write and actions: read, thereby facilitating OIDC token theft for cloud identity impersonation.
The core of the attack was a base64-encoded bash payload—a comprehensive 111-line script—that executed aggressive, multi-phase credential harvesting upon activation:
- Captured all CI environment variables, `/proc/*/environ`, and data from the PID 1 environment
- Extracted AWS credentials (access keys, secret keys, session tokens) from all configured profiles
- Acquired GCP access tokens through `gcloud auth print-access-token`
- Obtained live credentials from AWS IMDSv2, GCP metadata, and Azure IMDS endpoints
- Secured SSH private keys, Docker authentication configurations, `.npmrc`, `.netrc`, Kubernetes configurations, Vault tokens, and Terraform credentials
- Executed a source code grep scan against over 30 regex patterns aimed at finding API keys, JWTs, database connection strings, PEM keys, and cloud tokens
- Accessed GitHub Actions OIDC tokens for direct cloud identity impersonation
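The traits described above (a `pull_request_target` or `workflow_dispatch`-only trigger, `id-token: write`, a base64 blob piped into a shell, unpinned actions, and the C2 host) can be checked mechanically. The scanner below is an added example written for this article; it is not SafeDep's Malysis engine nor code from the original report. Its heuristics, the two sample workflows, and the placeholder commit SHA are all constructed; the C2 indicator is kept defanged in source and refanged only at match time.

```python
"""Heuristic scanner for GitHub Actions workflow files.

Added illustration of the indicators described above (pull_request_target and
workflow_dispatch-only triggers, id-token: write, base64-to-shell steps,
unpinned actions, the C2 host). It is not SafeDep's Malysis engine nor code
from the original report; the sample workflows below are constructed.
"""
import base64
import re

# C2 host from the IoC table, kept defanged in source and refanged only to match.
DEFANGED_C2_HOST = "216[.]126[.]225[.]129"
EVENTS = ("push", "pull_request_target", "pull_request", "workflow_dispatch",
          "schedule", "release", "workflow_call")
BASE64_PIPE = re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b")
LONG_B64 = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{60,}={0,2}")
USES_LINE = re.compile(r"^\s*-\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)", re.M)
SHA40 = re.compile(r"^[0-9a-f]{40}$")


def refang(indicator: str) -> str:
    """Turn a defanged IoC back into its literal form, for string matching only."""
    return indicator.replace("[.]", ".")


def triggers(text: str) -> set:
    """Collect the event names declared under the top-level `on:` key."""
    block, inside = [], False
    for line in text.splitlines():
        if line.startswith("on:"):
            inside = True
            block.append(line[3:])
        elif inside and line and not line[0].isspace():
            break  # next top-level key ends the `on:` block
        elif inside:
            block.append(line)
    joined = " ".join(block)
    return {e for e in EVENTS if re.search(rf"\b{e}\b", joined)}


def decoded_blobs(text: str) -> list:
    """Decode long base64 runs so indicators hidden in an encoded payload can match."""
    out = []
    for blob in LONG_B64.findall(text):
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            out.append(raw.decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    return out


def scan_workflow(text: str) -> list:
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    ev = triggers(text)
    if "pull_request_target" in ev:
        findings.append("trigger: pull_request_target runs on PRs with base-repo secrets")
    if ev == {"workflow_dispatch"}:
        findings.append("trigger: workflow_dispatch only (dormant, API-startable job)")
    if re.search(r"id-token:\s*write", text):
        findings.append("permissions: id-token: write allows minting OIDC tokens")
    if BASE64_PIPE.search(text):
        findings.append("step: base64 blob decoded straight into a shell")
    c2 = refang(DEFANGED_C2_HOST)
    if c2 in text or any(c2 in d for d in decoded_blobs(text)):
        findings.append("ioc: Megalodon C2 host referenced")
    for action, ref in USES_LINE.findall(text):
        if not SHA40.match(ref):
            findings.append(f"pinning: {action}@{ref} is a mutable ref, pin a commit SHA")
    return findings


# Constructed benign workflow; the 40-hex pin is a placeholder, not a real SHA.
BENIGN_WORKFLOW = """\
name: CI
on:
  push:
    branches: [main]
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - run: npm test
"""

# Constructed workflow shaped like the targeted variant; the blob is just 'A' bytes.
SUSPICIOUS_WORKFLOW = f"""\
name: Optimize Build
on:
  workflow_dispatch:
permissions:
  id-token: write
  actions: read
jobs:
  optimize:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: optimize pipeline runtime
        run: echo {'QUFB' * 20} | base64 -d | bash
"""

if __name__ == "__main__":
    for label, wf in (("benign", BENIGN_WORKFLOW), ("suspicious", SUSPICIOUS_WORKFLOW)):
        print(label, scan_workflow(wf) or "clean")
```

Run it over every file under `.github/workflows/` in a checkout; a `workflow_dispatch`-only job with `id-token: write` and no other trigger is exactly the shape that produces zero visible CI runs, so it deserves a human look even when no blob is present.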
The attack’s most significant downstream repercussion impacted Tiledesk, an open-source live chat platform.
The attacker infiltrated the GitHub repository, replacing the legitimate Docker build workflow with the Optimize-Build backdoor via commit acac5a9.

Unaware that the repository had been compromised, the maintainer subsequently published versions 2.18.6 through 2.18.12 of @tiledesk/tiledesk-server to npm, inadvertently propagating the backdoor to the package registry. The application code itself remained intact; only the workflow file was compromised.
Indicators of Compromise (IoC)
| Indicator | Value |
|---|---|
| C2 Server | hxxp://216[.]126[.]225[.]129:8443 |
| Campaign ID | megalodon |
| Author Emails | build-system@noreply[.]dev, ci-bot@automated[.]dev |
| Author Names | build-bot, auto-ci, ci-bot, pipeline-bot |
| Mass Workflow | .github/workflows/ci.yml (SysDiag) |
| Targeted Workflow | Optimize-Build (workflow_dispatch) |
| Affected npm Versions | @tiledesk/tiledesk-server 2.18.6–2.18.12 |
| Malicious Commit | acac5a9854650c4ae2883c4740bf87d34120c038 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Mitigations
Organizations must urgently respond if any repository recorded a commit from build-system@noreply[.]dev or ci-bot@automated[.]dev on May 18, 2026:
- Revert the malicious commit and meticulously audit all `.github/workflows/` files.
- Rotate all secrets that are accessible to GitHub Actions runners—including tokens, API keys, SSH keys, and cloud credentials.
- Audit cloud logs for any anomalous OIDC token requests stemming from unknown workflow executions.
- Review the Actions tab for any unexpected `workflow_dispatch` actions.
- Pin GitHub Actions to specific commit SHAs, rather than mutable version tags.
- Establish workflow approval gates for pull requests submitted by external contributors.
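The first step above, finding commits by the IoC identities within the reported window, can be scripted against git history. The following is an added example, not SafeDep's code nor anything from the original report. It assumes input produced by `git log --all --format='%H|%an|%ae|%aI|%s' --name-only` (one header line per commit followed by the paths it touched; that layout is an assumption) and flags a commit when its author matches the IoC identities, its subject matches one of the two lure messages, or it changed a `.github/workflows/` file inside the 11:36–17:48 UTC window. The sample log, its hashes, and its people are constructed.

```python
"""Audit git history for the Megalodon commit indicators listed above.

Added example, not code from SafeDep or the original report. It expects the
output of `git log --all --format='%H|%an|%ae|%aI|%s' --name-only` (assumed
layout: one header line per commit, then the paths it touched); the sample
log below is constructed, with placeholder hashes.
"""
import re
from datetime import datetime, timezone

# IoCs from the report; emails stay defanged in source and are refanged to compare.
IOC_EMAILS = {"build-system@noreply[.]dev", "ci-bot@automated[.]dev"}
IOC_NAMES = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
LURE_SUBJECTS = {"ci: add build optimization step", "chore: optimize pipeline runtime"}
# Campaign window reported by SafeDep (UTC).
WINDOW_START = datetime(2026, 5, 18, 11, 36, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 18, 17, 48, tzinfo=timezone.utc)
HEADER = re.compile(r"^([0-9a-f]{7,40})\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")


def refang(s: str) -> str:
    """Literal form of a defanged indicator, used only for comparison."""
    return s.replace("[.]", ".")


def parse_log(text: str) -> list:
    """Split the log into commit dicts; any non-header, non-blank line is a path."""
    commits = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            sha, name, email, date, subject = m.groups()
            commits.append({
                "sha": sha, "name": name, "email": email, "subject": subject,
                "when": datetime.fromisoformat(date).astimezone(timezone.utc),
                "files": [],
            })
        elif line.strip() and commits:
            commits[-1]["files"].append(line.strip())
    return commits


def audit(text: str) -> dict:
    """Map each suspicious commit hash to the list of reasons it was flagged."""
    flagged = {}
    ioc_emails = {refang(e) for e in IOC_EMAILS}
    for c in parse_log(text):
        reasons = []
        if c["email"].lower() in ioc_emails or c["name"].lower() in IOC_NAMES:
            reasons.append("author identity matches Megalodon IoC")
        touches_workflow = any(f.startswith(".github/workflows/") for f in c["files"])
        if touches_workflow and WINDOW_START <= c["when"] <= WINDOW_END:
            reasons.append("workflow file changed inside the campaign window")
        if c["subject"].strip().lower() in LURE_SUBJECTS:
            reasons.append("commit message matches the campaign's lure wording")
        if reasons:
            flagged[c["sha"]] = reasons
    return flagged


# Constructed sample; hashes are placeholders and the people are fictional.
SAMPLE_LOG = """\
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef|build-bot|build-system@noreply.dev|2026-05-18T13:02:11+00:00|ci: add build optimization step
.github/workflows/ci.yml

cafebabecafebabecafebabecafebabecafebabe|Jane Dev|jane@example.com|2026-05-17T09:14:00+02:00|fix: handle empty payload in parser
src/parser.js
test/parser.test.js

feedfacefeedfacefeedfacefeedfacefeedface|Sam Maintainer|sam@example.com|2026-05-18T16:40:55+00:00|chore: optimize pipeline runtime
.github/workflows/docker-build.yml
"""

if __name__ == "__main__":
    for sha, reasons in audit(SAMPLE_LOG).items():
        print(sha[:12], "; ".join(reasons))
```

The third sample commit is flagged even though its author is not an IoC identity: a workflow edit inside the window with the campaign's lure wording is enough. Any hit should be followed by the remaining steps in the list, in particular rotating every secret the runner could reach and reviewing cloud-side OIDC logs.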
SafeDep’s Malysis engine first identified the campaign by detecting the base64-encoded payload within a bundled workflow file in a published @tiledesk/tiledesk-server npm package, underscoring the indispensable role of automated supply chain scanning tools in intercepting attacks that elude traditional code reviews.
Source link: Cybersecuritynews.com.