Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows

Cybersecurity researchers have revealed details of a new automated campaign called Megalodon that pushed 5,718 malicious commits to 5,561 GitHub repositories during the six-hour window.

“Using fake accounts and fake author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected a GitHub Actions workflow containing base64-encoded bash payloads that extract CI secrets, cloud credentials, SSH keys, OIDC code secret tokens to the source C2 server. 216.126.225[.]129:8443,” SafeDep said in the report.

The complete list of data collected by the malware is below –

• CI environment variables, /proc/*/environ, and PID 1 environment
• Amazon Web Services (AWS) authentication.
• Google Cloud access tokens
• Role authentication obtained by querying AWS IMDSv2, Google Cloud metadata, and Microsoft Azure Instance Metadata Service (IMDS) endpoints
• SSH private keys
• Docker and Kubernetes configuration
• Vault Tokens
• Terraform guarantees
• The history of the shell
• API keys, database connection strings, JWTs, PEM private keys, and cloud tokens such as over 30 secret expression patterns
• GitHub Actions OIDC token request URL and token
• GITHUB_TOKEN, GitLab CI/CD tokens, and Bitbucket tokens
• .env files, credentials.json, service-account.json, and other configuration files

One of the affected packages is @tiledesk/tiledesk-server, which includes a Base64-encoded bash upload inside the GitHub Actions workflow file. In total, 5,718 commits were pushed to 5,561 different repositories on May 18, 2026, between 11:36 am and 5:48 pm UTC.

“The attacker circulated four script names (build-bot, auto-ci, ci-bot, pipeline-bot) and seven commit messages, all mimicking standard CI maintenance,” SafeDep said. “The attacker used disposable GitHub accounts with 8 random usernames (eg, rkb8el9r, bhlru9nr, lo6wt4t6), set the git config to create an author identity, and pushed with vulnerable PATs or deployment keys.”

Two types of payload were seen as part of the larger campaign: SysDiag, a batch variant that adds a new workflow that is triggered for every push and pull request, and Optimize-Build, a targeted variant that works only on workflow_dispatch, the GitHub Actions trigger that allows users to manually implement workflows. In the case of Tiledesk, the target path is used to target the CI/CD runners, not if the npm package is installed.

“The tradeoff is achieved: open: the push will ensure the execution of all the commitment of knowing, hitting the target without intervention,” added SafeDep. “Workflow_dispatch sacrifices that for operational security. With 5,700+ repositories at risk, even a small component that generates a usable GITHUB_TOKEN gives an attacker enough targets to trigger if needed.”

The result is that once the repository owner puts together a compromise, the malware runs within their CI/CD pipelines and spreads further, allowing data and privacy theft at scale.

“We have entered a new era of supply chain attacks, and TeamPCP compromising GitHub was just the beginning,” said Moshe Siman Tov Bustan of OX Security. “What follows is an endless wave, a tsunami of attacks on developers around the world.”

The development comes as TeamPCP has deployed a chain of linked software to infect hundreds of readily available tools, worm its way through several environments and trick victims into profiting in some cases. Microsoft-owned GitHub has become the latest addition to the group’s long list of victims, which includes TanStack, Grafana Labs, OpenAI, and Mistral AI.

The TeamPCP attack inspired a spiraling exploit of popular open source projects, where one compromise fed the next, allowing the malware to spread like wildfire in a worm-like fashion. This group appears to be financially motivated and has established relationships with BreachForums and other hacking groups such as LAPSUS$ and VECT.

In addition, the group appears to be nationally motivated, as evidenced by the deployment of wiper malware on optical devices located in Iran and Israel.

Fallout from the TeamPCP attack and the Mini Shai-Hulud worm caused npm to disable granular access tokens for write access that bypasses two-factor authentication (2FA). NPM also encourages users to switch to Trusted Publishing to reduce reliance on such tokens.

“By burning all bypass-2FA tokens on the platform, npm terminates the credentials the worm has collected,” security firm Socket said. “The caretakers put out new ones. The worm, still active in the wild, goes back to self-harvesting. The reset buys breathing space. We don’t close the bottom hole.”

Workgroups like Megalodon and TeamPCP compromise legitimate packages to distribute malware. Conversely, a dump account named “polymarketdev” was found to publish nine malicious packages of Polymarket trading CLI tools within a 30-second window to steal victims’ Ethereum/Polygon private keys via an installation hook.

As of writing, they are still available for download from npm. The package names are below –

• polymarket-trading-cli
• polymarket-terminal
• polymarket-trade
• polymarket-auto-trade
• polymarket-copy-trading
• polymarket-bot
• polymarket-claude-code
• polymarket-ai-agent
• polymarket seller

“Upon installation, the postinstall script shows a fake onboarding wallet that asks the user to paste their private key, saying ‘it’s always encrypted,'” SafeDep said. “Script SEND raw key in plaintext to Cloudflare Worker at hxxps://polymarketbot.polymarketdev.workers[.]dev/v1/wallets/keys.”

“The attacker built a trading CLI that works for the theft function. Social engineering is responsible for the attack: the command to install the post looks like a normal boarding wallet, the mask simulates a secure installation, and the GitHub repo gives false credibility”