May 22 / Latest News

Megalodon Attack Floods GitHub With Thousands of Malicious Code Commits in Six Hours

A sweeping automated cyberattack struck GitHub on May 18, 2026, compromising 5,561 repositories in what researchers are calling one of the most aggressive supply‑chain intrusion attempts of the year.

The campaign, dubbed Megalodon by cybersecurity firm SafeDep, pushed 5,718 malicious commits in just six hours, using fake GitHub accounts and disguised system identities to blend in with legitimate development activity. SafeDep uncovered the operation through its Malysis scanning engine, which detected hidden scripts embedded inside files that otherwise appeared clean.

The attackers relied on randomly generated eight‑character GitHub accounts and impersonated trusted automation tools by spoofing identities such as build‑bot, auto‑ci, ci‑bot, and pipeline‑bot. The timing raised further alarm: the attack arrived shortly after TeamPCP claimed to have breached a GitHub employee’s device and accessed thousands of repositories through a trojanized VS Code extension, a further sign that software developers remain a prime target for coordinated supply‑chain attacks.

SafeDep’s analysis revealed two distinct techniques used to plant backdoors. The first, known as SysDiag, added a new workflow file (.github/workflows/ci.yml) designed to trigger a data‑stealing script whenever developers updated their projects. The second, Optimize‑Build, was more covert: it replaced existing system files and used the workflow_dispatch trigger, which runs a workflow only on explicit request, to keep the malicious code dormant. This allowed the attackers to avoid triggering build failures or alerts, while retaining the ability to activate the backdoor at any time through the GitHub API.

One of the most significant victims was Tiledesk, a widely used live chat and chatbot platform. Attackers infiltrated nine of its GitHub repositories, and because the compromise went unnoticed, the project’s maintainer unintentionally published seven infected versions of the @tiledesk/tiledesk-server package (versions 2.18.6 through 2.18.12) to the public npm registry between May 19 and May 21.

Once executed, the hidden payload launched a terminal process that decoded and ran a 111‑line script designed to harvest sensitive data. It searched for cloud credentials from Amazon Web Services, Google Cloud, and Microsoft Azure, as well as logs, configuration files, and source code containing more than 30 categories of secrets, including database credentials and private API keys.

The stolen data was funneled to a command‑and‑control server at 216.126.225.129:8443. SafeDep warned that the most dangerous outcome of the attack is the theft of GitHub Actions verification tokens, which could allow hackers to impersonate legitimate automated workflows and gain unauthorized access to connected cloud environments.

The company urged developers who received unexpected commit notifications from addresses such as build-system@noreply.dev or ci-bot@automated.dev on May 18 to immediately revert the changes and rotate all cloud credentials.
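A defender-side triage script for the advice above, written as an added example (it is not SafeDep's tooling and not code from the article): it parses git log output for a repository and flags commits that carry the spoofed sender addresses or bot names named in the article, or that changed .github/workflows/ci.yml on May 18. The log format and the sample commits are assumptions.

```python
import re
from datetime import date

# Indicators quoted in the article (SafeDep's reporting); everything else here is assumed.
SPOOFED_EMAILS = {"build-system@noreply.dev", "ci-bot@automated.dev"}
SPOOFED_NAMES = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
INCIDENT_DAY = date(2026, 5, 18)
WORKFLOW_FILE = ".github/workflows/ci.yml"
# Header line per commit: sha|author name|author email|YYYY-MM-DD|subject, as produced by
#   git log --date=short --format='%H|%an|%ae|%ad|%s' --name-only
HEADER = re.compile(r"^([0-9a-f]{7,40})\|([^|]*)\|([^|]*)\|(\d{4}-\d{2}-\d{2})\|(.*)$")

# Constructed sample log for demonstration, not real commit data.
SAMPLE_LOG = """\
a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4|Jane Dev|jane@example.org|2026-05-17|fix typo in README
README.md
b2c3d4e5b2c3d4e5b2c3d4e5b2c3d4e5b2c3d4e5|build-bot|build-system@noreply.dev|2026-05-18|chore: add CI diagnostics
.github/workflows/ci.yml
package.json
c3d4e5f6c3d4e5f6c3d4e5f6c3d4e5f6c3d4e5f6|Jane Dev|jane@example.org|2026-05-18|bump version
package.json
"""
def parse_log(text):
    """Turn header lines plus the file names that follow them into commit dicts."""
    commits = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            sha, name, email, day, subject = m.groups()
            commits.append({"sha": sha, "name": name, "email": email, "subject": subject,
                            "date": date.fromisoformat(day), "files": []})
        elif line.strip() and commits:
            commits[-1]["files"].append(line.strip())
    return commits

def flag_reasons(commit):
    """List the indicators one commit matches; an empty list means nothing was found."""
    reasons = []
    if commit["email"] in SPOOFED_EMAILS:
        reasons.append("author email matches a spoofed automation sender")
    if commit["name"] in SPOOFED_NAMES:
        reasons.append("author name impersonates a CI bot")
    if WORKFLOW_FILE in commit["files"] and commit["date"] == INCIDENT_DAY:
        reasons.append(f"{WORKFLOW_FILE} changed on the incident day")
    return reasons

def triage(text):
    """Map sha -> reasons for every commit that matched at least one indicator."""
    return {c["sha"]: r for c in parse_log(text) if (r := flag_reasons(c))}
```

Feed it the real `git log` output of a repository you maintain; any commit it returns is a candidate for the revert and credential rotation the article recommends.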