Megalodon Chums the Waters in 5.5K+ GitHub Repo Poisonings
A six-hour automated campaign dubbed Megalodon pushed malicious commits to over 5,500 GitHub repositories, hiding CI/CD credential-stealing code in the Tiledesk npm package.
A malicious automated campaign dubbed Megalodon has poisoned more than 5,500 GitHub repositories in a six-hour deluge of CI/CD credential-stealing malware, according to researchers from SafeDep and Ox Security. The attacker hid the payload inside the open-source Tiledesk npm package, compromising versions 2.18.6 through 2.18.12, and tricked the legitimate maintainer into publishing the poisoned code by compromising the project's GitHub repository directly rather than the npm account itself.
The Megalodon malware — similar in ambition to the earlier TeamPCP attacks — targets a broad set of cloud and development credentials. It steals AWS secret keys, Google Cloud access tokens, SSH private keys, Docker and Kubernetes configurations, Vault tokens, Terraform credentials, and GitHub tokens. It also queries cloud metadata endpoints on AWS, Google Cloud Platform, and Azure to harvest instance role credentials, then exfiltrates everything to an attacker-controlled server, allowing the adversary to impersonate the developer's full cloud identity.
The poison was introduced via a malicious commit authored by an entity named "build-bot" using the email address build-system@noreply.dev, mimicking an automated CI commit. Researchers found no linked GitHub account. The same email and a variant (ci-bot@automated.dev) were responsible for 5,719 total commits made on May 18 within a six-hour window (11:36 to 17:48 UTC), targeting 5,561 repositories. Nine of the compromised repos belong to the Tiledesk project itself, including tiledesk-server, tiledesk-dashboard, and tiledesk-llm.
The attack exploits a dangerous supply chain vector: compromising the GitHub source rather than the package registry. "The attacker never touched the npm account," SafeDep researchers emphasized. "They compromised the GitHub repository, and the maintainer published from the poisoned source without realizing it." This technique makes detection harder because the maintainer's own signing keys and tokens remain valid during publication.
Ox Security lead researcher Moshe Siman Tov Bustan noted that while Megalodon resembles the TeamPCP attack pattern, threat intelligence and code analysis do not connect them. "Our best guess now is that it's a different threat actor copying their behavior and style, but not much of the code itself," he said. He also ruled out the possibility that Megalodon is an entry in TeamPCP's announced supply-chain attack competition due to specific contest requirements for public encryption keys that the Megalodon actor did not meet.
"We've entered a new supply chain attack era, and TeamPCP compromising GitHub was only the beginning," Bustan said. He warned that hacking GitHub "compromises the security of every company with a private repository hosted on the platform." The campaign underscores the growing risk of automated, credential-harvesting attacks that turn CI/CD pipelines into vectors for lateral movement into cloud infrastructure.
SafeDep has published a full list of the 5,561 compromised repositories and is urging all affected maintainers to audit their CI/CD secrets, rotate tokens, and verify commit histories. The incident also adds pressure on platforms like npm and GitHub to implement stronger preventative controls against poisoned commits making it from source to registry without detection.