Megalodon Campaign Pushes 5,718 Malicious Commits to 5,561 GitHub Repos in Six-Hour Automated Supply Chain Attack
The automated 'Megalodon' campaign pushed 5,718 malicious commits to 5,561 GitHub repositories in six hours, injecting CI/CD workflows that exfiltrate cloud credentials and secrets to an attacker-controlled server.

Cybersecurity researchers have disclosed a massive automated campaign dubbed Megalodon that delivered 5,718 malicious commits to 5,561 distinct GitHub repositories within a six-hour window on May 18, 2026. The attack, detailed by SafeDep, used throwaway GitHub accounts and forged author identities to inject GitHub Actions workflows containing base64-encoded bash payloads that exfiltrate CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets to a command-and-control (C2) server at 216.126.225[.]129:8443.
The attackers rotated through four forged author names — build-bot, auto-ci, ci-bot, and pipeline-bot — and used seven different commit messages that mimicked routine CI maintenance. They created throwaway GitHub accounts with random eight-character usernames such as rkb8el9r and bhlru9nr, then configured git to forge the author identity before pushing via compromised personal access tokens (PATs) or deploy keys. The campaign targeted a wide range of high-value credentials, including AWS and Google Cloud access tokens, Azure IMDS instance metadata, Docker and Kubernetes configurations, Vault tokens, Terraform credentials, shell history, API keys, database connection strings, JWTs, PEM private keys, and GitHub Actions OIDC tokens.
Two payload variants were deployed in the campaign. The first, dubbed SysDiag, is a mass variant that adds a new workflow triggered on every push and pull request, maximizing reach across all compromised repositories. The second, Optimize-Build, is a targeted variant that activates only on workflow_dispatch, a GitHub Actions trigger that requires manual execution. SafeDep reported that in the case of the @tiledesk/tiledesk-server package, the targeted variant was used to compromise the project's CI/CD runners rather than executing when the npm package is installed directly. The tradeoff is deliberate: the mass variant guarantees execution on every commit, while the targeted variant sacrifices reach for operational security.
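A defender-side check for the pattern described above, added here as an example and not taken from SafeDep's report or any project named on the page: it scans a workflow file for a step that decodes base64 straight into a shell, reads the trigger set to tell a push/pull_request (mass) workflow from a workflow_dispatch-only (targeted) one, and flags commits whose author is one of the four forged names and which add a file under .github/workflows/. The sample workflow texts are constructed (the base64 in them decodes to a harmless `echo hi`), and the YAML handling is a deliberately simple regex pass rather than a full parser.

```python
import re

# Forged author names the article says the campaign rotated through.
FORGED_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}

# A step that decodes base64 and pipes the result straight into a shell is the
# signature of the injected workflows described above.
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\b[^\n|]*\|\s*(?:ba|z|da)?sh\b")

def workflow_triggers(text):
    """Return the triggers of a workflow, from 'on: [a, b]' or a nested 'on:' block."""
    inline = re.search(r"^on:\s*\[([^\]]*)\]", text, re.M)
    if inline:
        return sorted(t.strip() for t in inline.group(1).split(",") if t.strip())
    nested = re.findall(r"^\s+(push|pull_request|workflow_dispatch)\s*:", text, re.M)
    return sorted(set(nested))

def scan_workflow(text):
    """Report triggers, a decode-to-shell step, and which variant the trigger set resembles."""
    triggers = workflow_triggers(text)
    decodes = bool(DECODE_TO_SHELL.search(text))
    hint = None
    if decodes and {"push", "pull_request"} & set(triggers):
        hint = "mass"          # SysDiag-style: fires on every push / pull request
    elif decodes and "workflow_dispatch" in triggers:
        hint = "targeted"      # Optimize-Build-style: manual trigger only
    return {"triggers": triggers, "decode_to_shell": decodes, "variant_hint": hint}

def flag_commit(author_name, added_paths):
    """True when a forged-bot author adds a file under .github/workflows/."""
    adds_workflow = any(p.startswith(".github/workflows/") for p in added_paths)
    return author_name in FORGED_AUTHORS and adds_workflow

# Constructed sample workflows; the base64 below decodes to a harmless 'echo hi'.
MASS_SAMPLE = """name: SysDiag
on: [push, pull_request]
jobs:
  diag:
    steps:
      - run: echo ZWNobyBoaQ== | base64 -d | bash
"""
TARGETED_SAMPLE = """name: Optimize-Build
on:
  workflow_dispatch:
jobs:
  build:
    steps:
      - run: echo ZWNobyBoaQ== | base64 --decode | sh
"""
CLEAN_SAMPLE = "name: CI\non:\n  push:\njobs:\n  test:\n    steps:\n      - run: npm test\n"
```

Run `scan_workflow` over every file in `.github/workflows/` of a repository that received an unexpected commit, and `flag_commit` over the repository's recent commit log, to triage which repositories need token rotation first.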
Once a repository owner merges a malicious commit, the embedded workflow executes inside their CI/CD pipelines, enabling the malware to harvest credentials at scale and potentially spread further to downstream projects. The attack has been linked to the broader TeamPCP threat actor cluster, which has weaponized the interlinked software supply chain to corrupt hundreds of open-source tools across multiple ecosystems. TeamPCP's victims have included TanStack, Grafana Labs, OpenAI, Mistral AI, and now Microsoft-owned GitHub. The group appears financially motivated, with partnerships on BreachForums and with extortion crews like LAPSUS$ and VECT, and has also deployed wiper malware upon detecting machines located in Iran and Israel.
The Megalodon disclosure comes amid ongoing fallout from TeamPCP's attack spree and the Mini Shai-Hulud worm, which prompted npm to invalidate all granular access tokens with write access that bypass two-factor authentication (2FA). npm is urging users to switch to Trusted Publishing to reduce reliance on such tokens. Application security firm Socket noted that while the token reset buys breathing room, it does not close the underlying vulnerability: the worm continues harvesting new tokens as maintainers issue replacements.
In a separate but concurrent finding, researchers identified a throwaway npm account named polymarketdev that published nine malicious npm packages impersonating Polymarket trading CLI tools within a 30-second window. The packages — including polymarket-trading-cli, polymarket-terminal, and polymarket-bot — use a postinstall script to display a fake wallet onboarding prompt that asks users to paste their Ethereum/Polygon private keys, which are then POSTed in plaintext to a Cloudflare Worker endpoint. The packages remain available for download as of this writing.
The scale and speed of the Megalodon campaign — 5,718 malicious commits in under six hours — mark a significant escalation in automated software supply chain attacks. OX Security's Moshe Siman Tov Bustan warned that the industry has entered a new era, with TeamPCP's compromise of GitHub being only the beginning of an ongoing wave of attacks targeting developers worldwide. The incident underscores the critical need for organizations to audit CI/CD pipeline permissions, rotate compromised tokens, and adopt trusted publishing mechanisms to limit the blast radius of automated supply chain compromises.