Megalodon Malware Breaches Over 5,500 GitHub Repositories in Record Time
On May 18, 2026, a highly sophisticated supply chain attack, dubbed Megalodon, targeted GitHub repositories, compromising over 5,500 projects within a mere six-hour window. This incident stands as one of the most aggressive GitHub Actions poisoning campaigns to date, highlighting the escalating threats within the software development ecosystem.
Attack Overview
The Megalodon campaign unfolded between 11:36 and 17:48 UTC, during which 5,718 malicious commits were pushed to 5,561 GitHub repositories. The attackers used disposable accounts with randomized eight-character usernames and forged author identities such as `build-bot`, `auto-ci`, `ci-bot`, and `pipeline-bot`. These identities were paired with addresses such as `build-system@noreply[.]dev` and `ci-bot@automated[.]dev` (defanged), mimicking routine automated continuous integration (CI) maintenance activity.
Commit messages were crafted to evade casual code review, using phrases like `ci: add build optimization step` and `chore: optimize pipeline runtime`. This deception was meant to blend the malicious commits into the normal development workflow and reduce the likelihood of detection.
Malicious Payload Variants
The campaign deployed two distinct GitHub Actions workflow variants, both communicating with a command-and-control (C2) server at `216[.]126[.]225[.]129:8443` (defanged):
1. SysDiag (Mass Variant): This variant added a new `.github/workflows/ci.yml` file configured to trigger on every `push` and `pull_request_target` event. This setup ensured automated execution on any commit across all branches, facilitating widespread deployment of the malicious payload.
2. Optimize-Build (Targeted Variant): In this approach, existing workflows were replaced with a `workflow_dispatch` trigger. This created a dormant backdoor that the attacker could silently activate on demand via the GitHub API, producing no visible CI runs or failed builds, thereby maintaining a low profile.
Both variants requested elevated permissions, specifically `id-token: write` and `actions: read`. These permissions enabled OpenID Connect (OIDC) token theft, allowing the attackers to impersonate cloud identities and gain unauthorized access to cloud resources.
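As an added example (not code from the article or from any affected project), the following stdlib-only Python check flags the traits described above in a workflow file: a `pull_request_target` trigger, a `workflow_dispatch`-only trigger, `id-token: write`, and a base64-decoded script piped into a shell. The two sample workflows are constructed to mirror the description; the base64 string in them decodes to the word CONSTRUCTED and is a placeholder, not the real payload.

```python
import re

# Added example, not from the article: stdlib-only triage of a GitHub Actions
# workflow for the traits the article attributes to the two Megalodon variants.
KNOWN_TRIGGERS = {"push", "pull_request", "pull_request_target", "workflow_dispatch", "schedule"}
ON_LIST_RE = re.compile(r"^on\s*:\s*\[([^\]]*)\]", re.M)
PERM_RE = re.compile(r"^\s*(id-token|actions|contents)\s*:\s*(\w+)", re.M)
B64_EXEC_RE = re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b")

def workflow_triggers(text):
    """Event names under the top-level `on:` key (list form or mapping form)."""
    m = ON_LIST_RE.search(text)
    if m:
        return {t.strip() for t in m.group(1).split(",") if t.strip()}
    found, inside = set(), False
    for line in text.splitlines():
        if re.match(r"^on\s*:", line):
            inside = True
            continue
        if inside and line.strip() and not line[0].isspace():
            break  # next top-level key closes the on: block
        km = re.match(r"^\s+([\w-]+)\s*:", line) if inside else None
        if km and km.group(1) in KNOWN_TRIGGERS:
            found.add(km.group(1))
    return found

def assess_workflow(text):
    """Return risk findings; an empty list means no campaign trait was seen."""
    findings, triggers = [], workflow_triggers(text)
    if "pull_request_target" in triggers:
        findings.append("pull_request_target: fork PRs run with the base repo's secrets")
    if triggers == {"workflow_dispatch"}:
        findings.append("workflow_dispatch only: dormant job runnable on demand via the API")
    if dict(PERM_RE.findall(text)).get("id-token") == "write":
        findings.append("id-token: write lets the job mint OIDC tokens for cloud identities")
    if B64_EXEC_RE.search(text):
        findings.append("base64-decoded text piped into a shell")
    return findings

# Constructed samples shaped like the SysDiag and Optimize-Build descriptions;
# the base64 decodes to the word CONSTRUCTED and stands in for the real payload.
MASS_VARIANT = (
    "on:\n  push:\n  pull_request_target:\npermissions:\n  id-token: write\n  actions: read\n"
    "jobs:\n  build:\n    steps:\n      - run: echo 'Q09OU1RSVUNURUQ=' | base64 -d | bash\n"
)
TARGETED_VARIANT = (
    "on:\n  workflow_dispatch:\npermissions:\n  id-token: write\n"
    "jobs:\n  build:\n    steps:\n      - run: echo 'Q09OU1RSVUNURUQ=' | base64 --decode | sh\n"
)
```

Run `assess_workflow` over each file under `.github/workflows/` in a repository's current tree and in any commit from the campaign window; a non-empty result is a review item, not proof of compromise.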
Payload Execution and Credential Harvesting
Once triggered, the base64-encoded bash payload—a 111-line script—executed a multi-phase credential harvesting operation:
– Environment Variables: Collected all CI environment variables, `/proc/*/environ` for every process, and the environment of PID 1.
– Cloud Credentials: Harvested AWS credentials (access keys, secret keys, session tokens) across all configured profiles, GCP access tokens via `gcloud auth print-access-token`, and live credentials from AWS IMDSv2, GCP metadata, and Azure IMDS endpoints.
– Sensitive Files: Extracted SSH private keys, Docker authentication configurations, `.npmrc`, `.netrc`, Kubernetes configurations, Vault tokens, and Terraform credentials.
– Source Code Analysis: Scanned source code using over 30 regex patterns targeting API keys, JSON Web Tokens (JWTs), database connection strings, PEM keys, and cloud tokens.
– OIDC Tokens: Captured GitHub Actions OIDC tokens, enabling direct cloud identity impersonation.
Impact on Open-Source Projects
The attack’s most critical downstream impact targeted Tiledesk, an open-source live chat platform. The attacker compromised the Tiledesk GitHub repository and replaced the legitimate Docker build workflow with the Optimize-Build backdoor via commit `acac5a9`. Unaware of the compromise, the maintainer subsequently published versions 2.18.6 through 2.18.12 of `@tiledesk/tiledesk-server` to npm, propagating the backdoor to the package registry. Notably, the application code remained untouched; only the workflow file was altered.
Indicators of Compromise (IoC)
To assist in identifying potential compromises, the following indicators have been associated with the Megalodon campaign:
– C2 Server: `hxxp://216[.]126[.]225[.]129:8443`
– Campaign ID: `megalodon`
– Author Emails: `build-system@noreply[.]dev`, `ci-bot@automated[.]dev`
– Author Names: `build-bot`, `auto-ci`, `ci-bot`, `pipeline-bot`
– Mass Workflow: `.github/workflows/ci.yml` (SysDiag)
– Targeted Workflow: Optimize-Build (`workflow_dispatch`)
– Affected npm Versions: `@tiledesk/tiledesk-server` 2.18.6–2.18.12
– Malicious Commit: `acac5a9854650c4ae2883c4740bf87d34120c038`
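As an added example (not from the article), the indicators above applied in Python to `git log` output and to npm package versions: author names, author emails, the commit SHA and the commit subjects from this page are matched against each parsed commit, and a version check covers the affected `@tiledesk/tiledesk-server` range. The sample log and the workflow file name inside it are constructed.

```python
import re

# Added example, not from the article: the article's IoCs (defanging brackets removed)
# applied to `git log` records and npm versions. The sample log below is constructed.
IOC_AUTHOR_NAMES = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
IOC_AUTHOR_EMAILS = {"build-system@noreply.dev", "ci-bot@automated.dev"}
IOC_COMMIT_SHA = "acac5a9854650c4ae2883c4740bf87d34120c038"
IOC_SUBJECT_RE = re.compile(r"^(ci: add build optimization step|chore: optimize pipeline runtime)$")
AFFECTED_PKG, AFFECTED_MIN, AFFECTED_MAX = "@tiledesk/tiledesk-server", (2, 18, 6), (2, 18, 12)

def parse_git_log(text):
    """Parse `git log --format='%x1e%H|%an|%ae|%s' --name-only` output (0x1e separates records)."""
    commits = []
    for record in text.split("\x1e"):
        lines = [ln for ln in record.splitlines() if ln.strip()]
        if lines:
            sha, author, email, subject = lines[0].split("|", 3)
            commits.append({"sha": sha, "author": author, "email": email, "subject": subject, "files": lines[1:]})
    return commits

def triage_commit(c):
    """Return the IoC matches for one parsed commit (empty list: nothing matched)."""
    hits = []
    if c["sha"] == IOC_COMMIT_SHA:
        hits.append("known malicious commit")
    if c["author"] in IOC_AUTHOR_NAMES:
        hits.append("forged CI author name")
    if c["email"] in IOC_AUTHOR_EMAILS:
        hits.append("campaign author email")
    if IOC_SUBJECT_RE.match(c["subject"]):
        hits.append("campaign commit message")
    if any(f.startswith(".github/workflows/") for f in c["files"]):
        hits.append("modifies workflow files")
    return hits

def npm_version_affected(pkg, version):
    """True for the @tiledesk/tiledesk-server releases the article lists as backdoored."""
    if pkg != AFFECTED_PKG:
        return False
    v = tuple(int(p) for p in version.split("-")[0].split("."))
    return AFFECTED_MIN <= v <= AFFECTED_MAX

# Constructed two-commit log: one ordinary change and one matching every indicator.
SAMPLE_LOG = (
    "\x1e1111111111111111111111111111111111111111|Jane Dev|jane@example.org|fix: null check in parser\n\n"
    "src/parser.js\n"
    "\x1e" + IOC_COMMIT_SHA + "|build-bot|build-system@noreply.dev|ci: add build optimization step\n\n"
    ".github/workflows/build.yml\n"
)
```

A commit that only matches "modifies workflow files" from an author outside the project's contributor list still deserves a manual look, since the campaign's disposable accounts will not all share the names and emails listed here.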
Broader Context and Similar Incidents
The Megalodon attack is part of a growing trend of sophisticated supply chain attacks targeting open-source platforms. Previous incidents include:
– BoryptGrab Stealer: Spread via fake GitHub repositories, this malware targeted browser and cryptocurrency wallet data, exploiting search engine manipulation to lure victims. ([cybersecuritynews.com](https://cybersecuritynews.com/boryptgrab-stealer-spreads-via-fake-github-repositories/?utm_source=openai))
– GitVenom Campaign: Abused thousands of GitHub repositories to infect users by disguising malicious payloads as legitimate projects, compromising systems globally with cryptocurrency stealers and remote access trojans. ([cybersecuritynews.com](https://cybersecuritynews.com/gitvenom-abusing-thousands-of-github-repositories/?utm_source=openai))
– Shai-Hulud 2.0 Malware: Compromised over 30,000 GitHub repositories, stealing approximately 500 GitHub usernames and tokens, demonstrating the increasing targeting of developer tools.
Category: Security News