Megalodon: How Hackers Backdoored 5,500 GitHub Repos in 6 Hours — The Worst CI/CD Attack Ever
Table of Contents
Table of Contents
The Largest GitHub Actions Poisoning Ever
On May 18, 2026, security researchers detected an automated attack campaign of unprecedented scale: over 5,718 malicious commits were pushed to 5,561 GitHub repositories within a six-hour window. The campaign, codenamed “Megalodon,” replaced GitHub Actions workflows with base64-encoded payloads designed to exfiltrate every secret imaginable — AWS keys, cloud credentials, SSH keys, OIDC tokens, and source code secrets.
This isn’t a theoretical supply chain risk. This is the largest GitHub Actions poisoning campaign ever recorded, and if your organization uses any of the affected repositories, your credentials may already be in the hands of threat actor TeamPCP.
How Megalodon Worked
The attackers used throwaway GitHub accounts with names designed to appear legitimate: build-bot, auto-ci, ci-bot, and pipeline-bot. These accounts pushed commits that replaced existing CI/CD workflow files with malicious versions containing base64-encoded bash payloads.
The forged commits used fabricated author identities to blend into repository commit histories. Unless a maintainer carefully reviewed each commit’s actual content — not just the commit message — the poisoned workflows appeared completely normal.
The exfiltration endpoint was a command-and-control server at 216.126.225.129:8443, receiving encrypted payloads of stolen credentials over HTTPS. The entire attack was automated — from account creation to commit pushing to payload execution — running at machine speed across thousands of repositories simultaneously.
Two Payload Variants: Mass and Targeted
Researchers at SafeDep and OX Security identified two distinct payload variants, suggesting different operational objectives:
Mass Variant (SysDiag): This adds a brand-new workflow file triggered on every push and pull request. Every time any developer pushes code or opens a PR, the malicious workflow fires, maximizing the chances of automated execution. It’s designed for breadth — harvest as many secrets as possible from as many developers as possible.
Targeted Variant (Optimize-Build): This is more sophisticated. It replaces existing workflow files with versions that use workflow_dispatch triggers — meaning they sit dormant until the attacker manually fires them via the GitHub API. These are persistent backdoors the attacker can activate on demand, weeks or months after initial compromise.
The targeted variant was deployed to high-value repositories where persistent access is more valuable than immediate credential theft. This dual-approach strategy shows operational maturity beyond typical opportunistic attacks.
What Megalodon Steals
The payloads are comprehensive credential harvesting tools. They target:
AWS secret access keys and session tokens. Google Cloud Platform service account credentials and access tokens. Azure credentials from metadata endpoints and configuration files. SSH private keys from standard locations. Docker configurations and Kubernetes secrets. HashiCorp Vault tokens and Terraform credentials. GitHub Actions secrets (the GITHUB_TOKEN and any custom secrets). NPM tokens for package publishing.
The malware also queries cloud provider metadata services (169.254.169.254 for AWS/GCP, 169.254.169.254 for Azure) to steal instance role credentials, and scans source code using more than 30 regex patterns to find hardcoded secrets.
If a CI/CD workflow triggered by Megalodon ran in your environment, assume every credential accessible to that runner is compromised.
The Organizations That Got Hit
The campaign hit organizations of all sizes. Tiledesk was struck across nine repositories including their core server and dashboard applications. Black-Iron-Project saw eight repositories compromised. WISE-Community and hundreds of smaller open-source projects were also affected.
The attack’s indiscriminate nature means any repository with relatively permissive contribution settings could have been targeted. The 5,561 confirmed compromised repositories likely represent just the first wave — dormant Optimize-Build payloads may exist in repositories that haven’t been audited yet.
What makes this particularly dangerous is the downstream effect. Developers who fork or pull from compromised repositories inherit the malicious workflows. If they run CI/CD on the forked code without reviewing workflow changes, the exfiltration runs in their environment too. The blast radius extends far beyond the initial 5,561 repositories.
Attribution: TeamPCP Strikes Again
The Megalodon campaign has been attributed to TeamPCP, the same threat group responsible for the Nx Console VS Code extension compromise that breached approximately 3,800 GitHub internal repositories earlier the same week.
TeamPCP appears to be a supply chain attack specialist group that has dramatically escalated its operations in May 2026. The Nx Console attack on May 18 gave them access to GitHub’s internal infrastructure. The Megalodon campaign, launching the same day, represents a parallel assault targeting the broader open-source ecosystem.
The group is known to advertise stolen data and access on cybercrime forums, suggesting financial motivation rather than nation-state espionage. However, the sophistication and scale of operations suggest significant resources and infrastructure behind the group.
How the Attack Evaded Detection
Several factors allowed Megalodon to operate at scale before detection:
First, GitHub’s notification system for workflow changes relies on repository maintainers actively monitoring their repos. For smaller or less actively maintained projects, malicious commits can sit for hours or days before being noticed.
Second, the base64 encoding of payloads means simple text scanning wouldn’t catch the malicious content — you’d need to decode and analyze the actual commands being executed.
Third, the use of legitimate-sounding bot names (build-bot, ci-bot) meant that casual observers would assume automated tooling was responsible for the commits. Many projects use CI bots for automated tasks, making these names blend in.
Fourth, the attack launched during a weekend period when many maintainers have reduced monitoring. Six hours was enough to compromise thousands of repositories before the first security alerts were raised.
The CI/CD Security Crisis
Megalodon isn’t an isolated incident — it’s the culmination of a growing CI/CD security crisis. GitHub Actions workflows run with broad permissions by default. They have access to repository secrets, cloud credentials, and authentication tokens. Yet most organizations don’t apply the same security scrutiny to workflow file changes as they do to source code changes.
The fundamental problem: CI/CD configurations are treated as infrastructure rather than attack surface. They’re stored alongside code but reviewed less carefully. They have elevated privileges but minimal access controls. And they execute automatically, turning any compromise into immediate credential exposure.
Security tools like StepSecurity’s Harden-Runner and OX Security’s pipeline monitoring exist, but adoption remains low, especially in open-source projects with limited security resources.
How to Check If You’re Affected
If your organization uses any GitHub repositories as dependencies, you should immediately audit for Megalodon compromise. Here’s what to look for:
Check your repository’s .github/workflows/ directory for any recently added or modified files. Look for base64-encoded content in workflow steps — legitimate workflows rarely use heavy base64 encoding. Search commit history for commits from authors named build-bot, auto-ci, ci-bot, or pipeline-bot. Check whether any workflow_dispatch workflows were added that you didn’t create. Review CI/CD run logs for outbound connections to 216.126.225.129.
If you find evidence of compromise, immediately rotate all credentials accessible to your CI/CD environment: AWS keys, GCP service accounts, GitHub tokens, NPM tokens, SSH keys, and any secrets stored in your repository settings. Consider all code committed after the compromise date as potentially tainted.
Conclusion
Megalodon represents a new paradigm in supply chain attacks: automated, massive-scale CI/CD poisoning that turns GitHub’s own infrastructure against its users. The 5,561 compromised repositories are a warning shot — the era of trusting CI/CD configurations by default is over.
For developers and security teams, the message is clear: treat your CI/CD workflows with the same suspicion you’d treat any executable code. Because that’s exactly what they are — and attackers know it.
