A massive supply chain attack infected over 5,500 GitHub repositories to steal user secrets, including CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets, and upload them to a threat actor-controlled command-and-control (C2) server.
According to cybersecurity firm SafeDep, which detected the supply chain attack, the campaign occurred on May 18 and lasted only six hours.
SafeDep discovered the malicious actions in the legitimate Tiledesk npm package (@tiledesk/tiledesk-server@2.18.12), which had nine infected packages inadvertently pushed to downstream users.
Megalodon supply chain attack infects 5,561 GitHub repositories
Dubbed Megalodon, the supply chain attack leveraged throwaway accounts and forged author identities, such as build-bot, auto-ci, ci-bot, pipeline-bot, to push 5,718 malicious commits to 5,561 GitHub repositories and inject GitHub Actions workflows.
“All 5,718 commits landed on the same day: May 18, 2026, across a six-hour window from approximately 11:36 to 17:48 UTC, targeting 5,561 distinct repositories,” SafeDep stated.
The attackers deployed two base64-encoded bash payloads, SysDiag and Optimize-Build. SysDiag created a new workflow that was triggered on every push and pull request, increasing automation.
In contrast, Optimize-Build replaced existing workflows with a “workflow_dispatch” trigger that the threat actor could activate on demand via GitHub API, essentially creating a stealth backdoor to evade detection.
Additionally, the workflow_dispatch trigger does not generate visible CI runs in the Actions tab, failed builds, or red flags in CI history until it is activated, enabling the threat actor to remain undetected for a long time.
Both payloads targeted CI secrets, including GCP and AWS cloud credentials, SSH keys, Kubernetes configurations, GitHub OIDC tokens, source code secrets, and shell history.
“The Megalodon campaign demonstrates that software supply chain attacks are evolving from hand-crafted package manipulation into industrial-scale, automated pipeline poisoning,” said Damon Small, Board of Directors, Xcape. “By executing thousands of automated commits within a single afternoon, the threat actors exploited widespread architectural flaws in modern development pipelines, specifically the lack of strict branch protection rules and unhardened GitHub Actions environments.”
Meanwhile, it remains unclear how the attackers gained access to the CI pipelines and infected the GitHub repositories. However, the attackers likely used compromised secrets obtained via a previous supply chain attack. Similarly, the threat actor behind the supply chain attack remains unknown.
Nevertheless, security experts have suggested that TeamPCP, a financially motivated threat actor, was behind the supply chain attack. The group targets open-source ecosystems and previously claimed responsibility for breaching about 4,000 private GitHub repositories. It later offered the stolen data for sale on a popular underground cybercrime marketplace. GitHub confirmed that 3,800 GitHub repositories were compromised after an employee used an infected Visual Studio Code extension.
“Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far,” GitHub stated.
However, an infected VS Code extension could compromise any organization besides GitHub, as it runs with the same privileges as the integrated development environment (IDE).
Additionally, TeamPCP had previously used a fake bot identity, ci-bot@automated[.]dev, to push malicious commits to GitHub repositories, with hard-coded dates ranging from September 2001 to January 2099, according to OX Security. CI-bot was among the identities used to push the malicious commits in the recent supply chain attack. The group has also used the credential-stealing, self-replicating worm, Shai-Hulud, to leak stolen source code.
“Megalodon is a persistence operation,” said Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs. “The dormant backdoors injected into thousands of repositories produce no visible CI activity until the attacker triggers them remotely through the GitHub API. Credential rotation alone does not resolve the compromise when the harvesting mechanism is still embedded in the workflow. Every rotation hands the attacker a fresh set.”
Supply chain attacks continue to target open source ecosystems
NPM and other open-source code ecosystems remain a high-priority target for supply chain attacks targeting downstream customers.
“This follows a pattern we have tracked since March 2026,” added Krell. “Credentials stolen in one attack fuel the next. TeamPCP compromised a vulnerability scanner to reach LiteLLM on PyPI, and the campaign has since expanded to TanStack and GitHub itself. Megalodon extends that playbook to thousands of repositories simultaneously, converting build pipelines into credential harvesting infrastructure.”
