VYPR

npm · Malicious package advisory

Malware

@tiledesk/tiledesk-server

MAL-2026-4228

Malicious code in @tiledesk/tiledesk-server (npm)

Details

`@tiledesk/tiledesk-server` version 2.18.12 is a compromised release of the legitimate Tiledesk customer support platform package. This version was injected with a CI pipeline backdoor as part of the **megalodon** campaign — a mass GitHub repository backdooring operation targeting CI/CD runner environments.

**Attack vector:** The malicious payload is embedded in `.github/workflows/docker-community-worker-push-latest.yml` within the npm tarball, in a step named "Optimize-Build". The step decodes and executes a base64-encoded shell script (`set +e; echo "<base64>" | base64 -d | bash`).

**What it does:** The decoded script is a multi-stage CI credential harvester:
- Dumps all environment variables via `printenv` and scrapes `/proc/self/environ` and `/proc/[0-9]*/environ`, capturing secrets from every process on the runner
- Exfiltrates credential files: `~/.aws/credentials`, `~/.ssh/`, `~/.docker/config.json`, `~/.npmrc`, `~/.kube/config`, `~/.vault-token`, `.git-credentials`, GCP Application Default Credentials, and Terraform credentials
- Enumerates AWS profiles to extract access keys, secret keys, and session tokens; runs `gcloud auth print-access-token` for GCP
- Queries cloud IMDS endpoints (`169.254.169.254`, `metadata.google.internal`) for instance credentials
- Steals `ACTIONS_ID_TOKEN_REQUEST_TOKEN` to mint arbitrary OIDC tokens for cloud impersonation
- Scans `/var/www`, `/opt`, `/srv` for certificate files (`.pem`, `.key`, `.p12`, `.pfx`) and runs regex-based secret scanning for 30+ patterns including AWS AKIA keys, GitHub PATs, npm tokens, PyPI tokens, private keys, and database connection strings

**C2 infrastructure:** All stolen data is exfiltrated via HTTP POST to `http://216.126.225.129:8443` with query parameters `?h=megalodon&l=gh_dump&id=hefs8esnhgkx`.

**Trigger:** Execution occurs during GitHub Actions Docker build workflows. Any CI pipeline that included this package version in a Docker build would have had every secret in the runner's environment exfiltrated at build time.

Compromised versions (1)

  • 2.18.12

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.