Megalodon
Megalodon is a malware campaign targeting GitHub-based software supply chains by backdooring CI/CD workflows in repositories. SafeDep reported that on May 18, 2026, the campaign pushed 5,718 malicious commits to 5,561 GitHub repositories within roughly six hours. The attacker used forged bot-like identities such as build-bot, auto-ci, ci-bot, and pipeline-bot, with commit metadata including build-system@noreply.dev and ci-bot@automated.dev, and benign-looking commit messages to disguise the changes.
The malware operates by modifying GitHub Actions workflows. Reported variants include a primary SysDiag workflow that adds a malicious .github/workflows/ci.yml file triggered on push and pull_request_target events, and a secondary Optimize-Build variant that replaces existing workflows with a dormant workflow_dispatch backdoor that can be activated later through the GitHub API. The workflows contained a base64-encoded bash payload, described as a 111-line script, and requested elevated GitHub Actions permissions including id-token: write and actions: read.
When executed in CI/CD environments, Megalodon harvests secrets and environment data. Reported targets include CI/CD secrets, GitHub Actions OIDC tokens, cloud credentials from AWS, Google Cloud, and Azure, metadata service credentials, SSH private keys, Docker authentication data, Kubernetes configs, Vault tokens, Terraform credentials, .npmrc and .netrc files, Bitbucket and GitHub tokens, shell history, system logs, and source code secrets identified through more than 30 regex patterns. Stolen data was reported as exfiltrated to command-and-control infrastructure at 216.126.225.129:8443, including via HTTP POST requests, with reporting also noting use of the parameter string "megalodon."
A significant downstream impact described in the reporting involved the open source project Tiledesk. SafeDep said the attacker compromised the Tiledesk GitHub repository rather than its npm account, replaced a legitimate Docker build workflow with the malicious backdoor, and caused the maintainer to unknowingly publish poisoned @tiledesk/tiledesk-server versions 2.18.6 through 2.18.12. SafeDep first detected the campaign in a bundled workflow file in @tiledesk/tiledesk-server@2.18.12. Other affected repositories reportedly included projects associated with Black-Iron-Project and WISE-Community.
Researchers noted superficial similarities to TeamPCP and the earlier Shai-Hulud activity, including fake bot identities and a hardcoded Sept. 17, 2001 commit date, but the provided reporting states attribution remains unconfirmed and there is no direct evidence tying Megalodon to TeamPCP. High-confidence indicators mentioned in the reporting include the C2 address 216.126.225.129:8443, the forged emails build-system@noreply.dev and ci-bot@automated.dev, the malicious Tiledesk commit acac5a9854650c4ae2883c4740bf87d34120c038, and a shared base64 payload prefix reported as Q0I9Imh0dHA6Ly8yMTYu.
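A triage check built from the indicators listed above, as an added example that is not SafeDep's or Mallory's tooling: it scans workflow file text and commit author metadata for the reported prefix, C2 address, forged emails and hardcoded date. The function names, finding labels and both sample workflows are constructed for illustration; the permission-plus-trigger rule is a heuristic assumption, not a reported indicator.

```python
import base64
import re

# Indicators from the reporting summarised above.
FORGED_EMAILS = {"build-system@noreply.dev", "ci-bot@automated.dev"}
PAYLOAD_PREFIX = "Q0I9Imh0dHA6Ly8yMTYu"   # base64 of: CB="http://216.
C2_ADDRESS = "216.126.225.129:8443"
HARDCODED_DATE = "2001-09-17"
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}")

def audit_workflow(text):
    """Findings for one .github/workflows/*.yml file (text match, no YAML parser)."""
    findings = set()
    if C2_ADDRESS in text:
        findings.add("c2-address")
    for blob in B64_RUN.findall(text):
        if blob.startswith(PAYLOAD_PREFIX):
            findings.add("payload-prefix")
        # Decode whole 4-character groups only, so trailing padding is not needed.
        decoded = base64.b64decode(blob[: len(blob) // 4 * 4]).decode("utf-8", "replace")
        if C2_ADDRESS in decoded:
            findings.add("c2-address")
    # Heuristic (assumption): the permission and triggers the reports describe.
    if re.search(r"^\s*id-token:\s*write\b", text, re.M) and re.search(
            r"\b(pull_request_target|workflow_dispatch)\b", text):
        findings.add("oidc-write-with-risky-trigger")
    return sorted(findings)

def audit_commit(author_email, author_date_iso):
    """Check one commit's author email and ISO 8601 author date (git log --format='%ae %aI')."""
    checks = {"forged-bot-email": author_email.strip().lower() in FORGED_EMAILS,
              "hardcoded-2001-date": author_date_iso.startswith(HARDCODED_DATE)}
    return [name for name, hit in checks.items() if hit]

# Constructed samples: the blob encodes only a variable assignment, no payload.
_BLOB = base64.b64encode(b'CB="http://216.126.225.129:8443"\n# constructed\n').decode()
SAMPLE_BACKDOORED = (
    "name: SysDiag\non: [push, pull_request_target]\n"
    "permissions:\n  id-token: write\n  actions: read\n"
    "jobs:\n  diag:\n    runs-on: ubuntu-latest\n    steps:\n"
    f"      - run: echo {_BLOB} | base64 -d\n")
SAMPLE_CLEAN = (
    "name: build\non: [push]\npermissions:\n  contents: read\n"
    "jobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n"
    "      - uses: actions/checkout@v4\n      - run: make test\n")

if __name__ == "__main__":
    print(audit_workflow(SAMPLE_BACKDOORED), audit_workflow(SAMPLE_CLEAN))
    print(audit_commit("ci-bot@automated.dev", "2001-09-17T00:00:00+00:00"))
```

The reported prefix is the base64 encoding of the start of the C2 URL assignment, which is why it is shared across payloads that point at the same server.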
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2026-48027 was assigned to the malicious extension and added to CISA’s Known Exploited Vulnerabilities catalog. CISA said organizations should treat any machine that ran the compromised extension as fully compromised.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
cybersecurity startup SafeDep flagged an automated malware campaign, codenamed "Megalodon," that unfolded on May 18 in a six-hour window. In that brief amount of time, Megalodon managed to push 5,718 malicious commits to 5,561 GitHub repositories.
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
JFrog identified the activity while investigating suspicious behavior linked to a developer account within the Arweave/WeaveDB open source ecosystem.
The campaign, which JFrog has dubbed "IronWorm," targets developers through compromised npm publishing workflows and malicious package updates.
Technical Analysis The malware spreads via fake GitHub pull requests. Each commit uses a hardcoded date (September 17, 2001) paired with a fake bot identity: ci-bot@automated.dev, or build-system@noreply.dev.
Execution
1 technique
The malware steals AWS configurations, access keys, profiles and regions by running the “aws configure list-profiles” command
Persistence
4 techniques
JFrog identified the activity while investigating suspicious behavior linked to a developer account within the Arweave/WeaveDB open source ecosystem.
The primary malware adds a malicious YAML file named "SysDiag" that adds a new workflow whenever a push or pull request is made. The more targeted, secondary payload replaces existing workflows with a "workflow-dispatch" trigger that acts as stealth backdoor.
One payload introduced a new GitHub Actions workflow configured to run on every push and pull request... the malicious workflow leveraged this trigger mechanism to establish dormant backdoors that could later be activated through the GitHub API using stolen GitHub tokens.
Privilege Escalation
2 techniques
JFrog identified the activity while investigating suspicious behavior linked to a developer account within the Arweave/WeaveDB open source ecosystem.
One payload introduced a new GitHub Actions workflow configured to run on every push and pull request... the malicious workflow leveraged this trigger mechanism to establish dormant backdoors that could later be activated through the GitHub API using stolen GitHub tokens.
Stealth
3 techniques
a threat actor used dummy accounts and forged author identities... infected commits all feature a hardcoded date of Sept. 17, 2001, and fake bot identities, ci-bot@automated.dev or build-system@noreply.dev.
JFrog identified the activity while investigating suspicious behavior linked to a developer account within the Arweave/WeaveDB open source ecosystem.
This makes the backdoor dormant. It creates no visible runs in the Actions tab, no failed builds, no red flags in CI history.
Defense Impairment
1 technique
Credential Access
8 techniques
malicious payloads that exfiltrate CI/CD secrets, cloud credentials, SSH keys, OpenID Connect tokens, and source code secrets to a command-and-control (C2) server.
On compromised systems, the malware attempted to exfiltrate a broad range of sensitive data... the stolen information included CI environment variables, AWS credentials, Google Cloud Platform access tokens, Azure credentials, SSH private keys, Docker and Kubernetes configuration files, database connection strings, GitHub Actions tokens, GitLab CI/CD tokens, API keys, and numerous other secrets commonly stored in development pipelines.
The incident... involved thousands of malicious commits that injected credential-stealing payloads into repositories... the stolen information included CI environment variables, AWS credentials, Google Cloud Platform access tokens, Azure credentials... GitHub Actions tokens, GitLab CI/CD tokens, API keys...
It also queries AWS, Google Cloud Platform, and Azure metadata for instance role credentials, reads SSH private keys...
It also queries AWS, Google Cloud Platform, and Azure metadata for instance role credentials.
The recent wave of supply chain attacks targeting packages, extensions, and CI pipelines, such as Shai-Hulud, Megalodon and Miasma, should be read less as isolated package integrity failures and more as credential-harvesting campaigns.
in a campaign known as “Megalodon,” a cyber threat actor injected malicious GitHub Action workflows to harvest CI/CD secrets, cloud credentials, and tokens
The malware, written in Rust, harvests a wide range of developer secrets, including API keys, cloud credentials, SSH keys, and npm publishing tokens, and reuses them to spread further across the software supply chain.
Discovery
1 technique
The malware steals AWS configurations, access keys, profiles and regions by running the “aws configure list-profiles” command
Collection
1 technique
The attack unfolded on May 18, 2026, when attackers pushed more than 5,700 malicious commits across thousands of repositories within six hours... indicating a highly coordinated and automated attack strategy.
Command and Control
1 technique
The malware sends the information via a POST request to the remote server.
Exfiltration
1 technique
malicious payloads that exfiltrate CI/CD secrets, cloud credentials, SSH keys, OpenID Connect tokens, and source code secrets to a command-and-control (C2) server.
IOCs tracked for this family
17 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Credential-stealing malware payload used to push malicious commits to thousands of GitHub repositories in a software supply chain campaign.
A malware campaign involving mass backdooring of GitHub repositories through malicious CI/CD workflow modifications, replacing GitHub Actions workflows with base64-encoded payloads designed to exfiltrate secrets.
A GitHub-focused supply chain malware campaign that injects malicious GitHub Actions workflows to exfiltrate CI/CD secrets, cloud credentials, SSH keys, OpenID Connect tokens, and source code secrets to a C2 server. It uses a primary payload that adds a malicious YAML workflow named "SysDiag" and a secondary payload that replaces existing workflows with a dormant workflow-dispatch backdoor activatable via the GitHub API.
A GitHub-focused supply-chain malware campaign that pushed malicious code updates to repositories, implanted hidden scripts and backdoors in workflow/system files, and stole credentials, cloud secrets, logs, and code data before sending them to a C2 server.