On May 18, 2026, between 11:36 a.m. and 5:48 p.m. UTC, an automated campaign researchers have named Megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories in a single six-hour window. The commits injected GitHub Actions workflow files containing encoded payloads designed to silently exfiltrate developer credentials the moment any project’s CI pipeline ran.

This was not a sophisticated APT campaign requiring novel zero-days or months of reconnaissance. It was a volume play — an automated script, throwaway accounts, and a poisoned workflow template deployed at scale against open-source projects. The sophistication was in the camouflage.

How It Worked

The Megalodon attacker created throwaway GitHub accounts with randomly generated eight-character usernames — strings like rkb8el9r, bhlru9nr, lo6wt4t6. These accounts had no history, no followers, no activity before the attack window began.

From those accounts, the attacker pushed commits to repositories using compromised personal access tokens (PATs) or deploy keys — credentials that had been obtained through prior compromise or purchased from credential markets. The commits used forged author identities: four bot-like names (build-bot, auto-ci, ci-bot, pipeline-bot) paired with seven commit messages that mimicked routine CI maintenance activity. To a developer scanning a commit log, nothing would look out of place.

The injected payload was a GitHub Actions workflow containing a base64-encoded bash script. When the workflow triggered — on push, on pull request, or manually via workflow_dispatch — the script would execute and exfiltrate:

  • CI/CD secrets and environment variables
  • Cloud provider credentials (AWS, GCP, Azure)
  • SSH keys
  • OIDC tokens
  • Source code and build artifacts

Everything was sent to a command-and-control server at 216.126.225.129:8443.

Two Payload Variants

Researchers identified two distinct payload variants, suggesting deliberate targeting decisions.

SysDiag was the mass variant — a workflow that triggers on every push and pull request. This was deployed against the majority of targets and maximized the surface area for credential theft. Any developer who opened a PR against a poisoned repository would trigger the exfiltration.

Optimize-Build was the targeted variant. It activated only on workflow_dispatch — GitHub Actions’ manual trigger mechanism. This narrower trigger profile suggests the attacker had specific repositories in mind for this version, and wanted credentials captured only when a trusted maintainer explicitly ran the workflow rather than on automated CI activity.

Who Got Hit

Tiledesk was the single most affected organization, with nine repositories poisoned: tiledesk-server, tiledesk-dashboard, tiledesk-telegram-connector, tiledesk-llm, tiledesk-docker-proxy, tiledesk-community-app, tiledesk-campaign-dahboard, tiledesk-helpcenter-template, and tiledesk-ai. The breadth of the Tiledesk targeting — spanning the full stack from server infrastructure to AI integrations — indicates either automated broad targeting by organization name or a deliberate focus on maximizing credential yield from a single vendor.

Beyond Tiledesk, the 5,561 repositories represent a cross-section of the open-source ecosystem. Security researchers from StepSecurity and OX Security flagged the campaign within hours of it beginning, which limited downstream impact for repositories where maintainers acted quickly to revert the commits and rotate credentials.

The CI/CD Attack Surface

Megalodon is the latest demonstration of how vulnerable CI/CD pipelines have become as an attack vector. The TeamPCP GitHub supply chain campaign from earlier this month targeted VS Code extensions through a similar workflow compromise mechanism. The difference is scale: TeamPCP operated as a targeted campaign, while Megalodon was explicitly automated for mass deployment.

GitHub Actions workflows run in highly privileged contexts by design — they need access to cloud credentials, signing keys, and deployment targets to do their jobs. That privilege is also exactly what makes them valuable to attackers. A poisoned workflow that runs during a normal CI cycle can exfiltrate the same credentials a malicious insider would need, with no additional access required.

The open-source ecosystem’s reliance on PATs and deploy keys as authentication mechanisms compounds the risk. A single compromised developer credential can give an attacker push access to every repository that credential covers. The Megalodon attacker appears to have had a supply of such credentials and deployed them systematically.

Detection and Response

For repositories affected by Megalodon, the remediation path is clear but not trivial. Maintainers need to:

  1. Revert any commits pushed by unrecognized bot-named accounts during May 18
  2. Rotate all secrets that were in scope during any workflow run after the malicious commits landed
  3. Review GitHub Actions permissions and restrict which events can trigger workflows on PRs from forks
  4. Audit PATs and deploy keys for unauthorized access

The harder problem is credentials that were already exfiltrated before maintainers identified the campaign. Cloud keys, OIDC tokens, and SSH material captured during a CI run on May 18 have been in attacker hands since that afternoon. Rotation is necessary but doesn’t retroactively protect anything the attacker may have already used.
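As an added example (not code from the original reporting or from any of the affected projects), the following Python script applies the indicators described above to the triage in steps 1 and 4: it flags workflow files that decode a base64 blob into a shell and git log lines from the four forged author names inside the attack window. The workflow and log lines are constructed fixtures; the base64 string is dummy text, while the author names and the time window are those given in the reporting.

```python
import re
from datetime import datetime, timezone

# Indicators from the reporting on Megalodon: the forged author names and the attack window (UTC).
BOT_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
WINDOW_START = datetime(2026, 5, 18, 11, 36, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 18, 17, 48, tzinfo=timezone.utc)

# Decoded base64 handed to a shell, and a long base64 run where workflow YAML normally has none.
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\b[^\n]*\|\s*(?:ba)?sh\b")
LONG_B64 = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{80,}={0,2}(?![A-Za-z0-9+/])")

def workflow_findings(yaml_text):
    """Return indicator strings for one workflow file; empty if nothing looks like an encoded payload."""
    findings = []
    if DECODE_TO_SHELL.search(yaml_text):
        findings.append("base64-decoded content piped to a shell")
    if LONG_B64.search(yaml_text):
        findings.append("long base64 blob embedded in workflow")
    if findings and re.search(r"^\s*workflow_dispatch\s*:", yaml_text, re.M):
        findings.append("manual trigger present (Optimize-Build profile)")
    return findings

def suspicious_commits(log_lines):
    """Filter 'author|iso-date|subject' lines (git log --format='%an|%aI|%s') down to
    bot-named authors whose commit time falls inside the Megalodon window."""
    hits = []
    for line in log_lines:
        author, stamp, subject = line.split("|", 2)
        when = datetime.fromisoformat(stamp)
        if author in BOT_AUTHORS and WINDOW_START <= when <= WINDOW_END:
            hits.append((author, subject))
    return hits

# Constructed fixtures (not real campaign artifacts): the blob is a dummy 88-character base64 string.
SAMPLE_WORKFLOW = (
    "name: sysdiag\n"
    "on:\n  push:\n  pull_request:\n"
    "jobs:\n  diag:\n    runs-on: ubuntu-latest\n    steps:\n"
    "      - run: echo " + "QUJD" * 22 + " | base64 -d | bash\n"
)
SAMPLE_LOG = [
    "build-bot|2026-05-18T12:02:11+00:00|ci: update workflow",
    "alice|2026-05-18T12:05:00+00:00|fix typo in README",
    "ci-bot|2026-05-17T09:00:00+00:00|chore: pipeline maintenance",
]
```

In practice, run workflow_findings over every file under .github/workflows at each suspect commit and suspicious_commits over the output of git log --format='%an|%aI|%s' --since=2026-05-18, then treat every hit as a trigger for secret rotation rather than as proof of compromise on its own.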
