Megalodon Campaign Poisons 5,561 GitHub Repositories via CI/CD Workflow Backdoors — Credentials, Cloud Keys, and OIDC Tokens Exfiltrated

On May 18, 2026, a large-scale automated supply chain campaign dubbed 'Megalodon' pushed 5,718 malicious commits to 5,561 GitHub repositories in a six-hour window. Using throwaway accounts with forged bot-style author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attackers injected malicious GitHub Actions workflow files carrying base64-encoded bash payloads that, on the next CI pipeline run, exfiltrate CI environment variables, AWS credentials, GCP access tokens, Azure credentials, SSH private keys, Docker/Kubernetes configs, npm tokens, and GitHub Actions OIDC tokens to a C2 server. The campaign also compromised the Tiledesk npm package (@tiledesk/tiledesk-server versions 2.18.6–2.18.12), propagating the backdoor downstream through the npm registry. The attack technique maps to MITRE ATT&CK T1195.002 (Supply Chain Compromise).

Direct Poisoned Pipeline Execution (d-PPE): attacker with write access (or accepted PR with weak branch protection) pushes malicious workflow YAML directly to the default branch. Workflow triggers on push or pull_request_target events, exfiltrating all secrets on next CI run. A second variant uses workflow_dispatch for dormant backdoor activation via GitHub API. The OIDC token theft vector is particularly severe: correctly scoped repos allow the malicious workflow to mint short-lived cloud identity tokens, granting cloud access without static credentials.

5,561+ GitHub repositories lacking mandatory PR review on default branch; Tiledesk npm package versions 2.18.6–2.18.12; any organisation whose CI/CD runners access cloud credentials or OIDC federation. AI development pipelines using GitHub Actions for model training, dataset processing, or agent deployment are directly in scope.

1) Search your repos for commits from build-system@noreply.dev or ci-bot@automated.dev on May 18, 2026; 2) Audit .github/workflows/ for workflow names 'SysDiag' or 'Optimize-Build'; 3) Block the C2 at 216.126.225.129:8443; 4) Rotate all secrets, cloud keys, SSH keys, and OIDC trust policies for affected repos; 5) Uninstall @tiledesk/tiledesk-server versions 2.18.6–2.18.12; 6) Enforce mandatory PR reviews on all default branches; 7) Restrict OIDC trust policies to specific branches and environments. SafeDep has published the full list of 5,718 malicious commit hashes.