Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows

https://thehackernews.com/2026/05/megalodon-github-attack-targets-5561.html

Publish Date: 2026-05-22 07:55:00

Source Domain: thehackernews.com

Cybersecurity researchers have disclosed details of a new automated campaign called Megalodon that has pushed 5,718 malicious commits to 5,561 GitHub repositories within a six-hour window.

“Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected GitHub Actions workflows containing base64-encoded bash payloads that exfiltrate CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets to a C2 server at 216.126.225[.]129:8443,” SafeDep said in a report.

The complete list of data harvested by the malware is below –

  • CI environment variables, /proc/*/environ, and PID 1 environment
  • Amazon Web Services (AWS) credentials
  • Google Cloud access tokens
  • Instance role credentials obtained by querying AWS IMDSv2, Google Cloud metadata, and Microsoft Azure Instance Metadata Service (IMDS) endpoints
  • SSH private keys
  • Docker and Kubernetes configurations
  • Vault tokens
  • Terraform credentials
  • Shell history
  • API keys, database connection strings, JWTs, PEM private keys, and cloud tokens matching more than 30 secret regular expression patterns
  • GitHub Actions OIDC token request URL and token
  • GITHUB_TOKEN, GitLab CI/CD tokens, and Bitbucket tokens
  • .env files, credentials.json, service-account.json, and other configuration files

One of the impacted repositories is that of the @tiledesk/tiledesk-server package, where the injected GitHub Actions workflow file carries a Base64-encoded bash payload. In all, 5,718 commits were pushed against 5,561 distinct repositories on May 18, 2026, between 11:36 a.m. and 5:48 p.m. UTC.

“The attacker rotated through four author names (build-bot, auto-ci, ci-bot, pipeline-bot) and seven commit messages, all mimicking routine CI maintenance,” SafeDep said. “The attacker used throwaway GitHub accounts with random 8-character usernames (e.g., rkb8el9r, bhlru9nr, lo6wt4t6), set git config to forge the author identity, and pushed via compromised PATs or deploy keys.”
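Neither the article nor the SafeDep report reproduced here includes a detector, so the following Python script is an added example, not code from the original page or from SafeDep. It triages a repository for the two traits the report describes: a workflow `run:` step that decodes a base64 blob into a shell (with the decoded blob checked for the kinds of harvesting the list above names: the C2 host, cloud metadata endpoints, /proc/*/environ, the OIDC token request variables, SSH keys and cloud credential files), and commits whose author name is one of the four forged identities. The C2 address and author names are taken from the report quoted above; the indicator regexes, the workflow fixtures, the inert indicator-only script they encode and the git log lines are constructed for illustration and are not the campaign's own payload or commit messages.

```python
"""Triage a checkout for Megalodon-style GitHub Actions workflow injection.

Added example. Two checks drawn from the SafeDep report quoted in the article:
  1. a workflow step that pipes a base64 blob through `base64 -d` into a shell,
     with the decoded blob checked for the data categories the report lists;
  2. commits whose author name is one of the four forged identities.
All fixtures are constructed; the encoded "payload" is an inert list of
indicator strings, not the campaign's script.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Indicators from the report quoted in the article (IP written undefanged
# because the scan targets are raw files).
C2_HOST = "216.126.225.129"
C2_PORT = "8443"
FORGED_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}

# `... | base64 -d | bash` and the usual variants (--decode, sh, zsh, dash).
DECODE_EXEC_RE = re.compile(r"base64\s+(?:-d|--decode)\b[^|\n]*\|\s*(?:ba|z|da)?sh\b")
# Base64 runs long enough to hold a script. Pinned 40-hex action SHAs also
# match; they decode to garbage bytes and trigger no indicator, so that is fine.
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# What a payload harvesting the categories listed in the article would reference.
# These regexes are this example's assumptions, not signatures from the report.
PAYLOAD_INDICATORS = {
    "c2": re.compile(re.escape(C2_HOST) + r"(?::" + C2_PORT + r")?"),
    "imds": re.compile(r"169\.254\.169\.254|metadata\.google\.internal"),
    "proc_environ": re.compile(r"/proc/(?:\*|\d+)/environ"),
    "oidc": re.compile(r"ACTIONS_ID_TOKEN_REQUEST_(?:URL|TOKEN)"),
    "ssh_keys": re.compile(r"\.ssh/|id_(?:rsa|ecdsa|ed25519)"),
    "cloud_creds": re.compile(r"\.aws/credentials|\.config/gcloud|\.kube/config|\.docker/config\.json"),
}


@dataclass(frozen=True)
class Finding:
    kind: str     # a PAYLOAD_INDICATORS key, or "decode_exec"
    detail: str   # the matched text


def scan_workflow(yaml_text: str) -> list[Finding]:
    """Return findings for one workflow file's text (YAML is treated as plain text)."""
    findings = []
    if DECODE_EXEC_RE.search(yaml_text):
        findings.append(Finding("decode_exec", "base64 decode piped into a shell"))
    for blob in B64_BLOB_RE.findall(yaml_text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: bad padding or alphabet
            continue
        for kind, pattern in PAYLOAD_INDICATORS.items():
            m = pattern.search(decoded)
            if m:
                findings.append(Finding(kind, m.group(0)))
    return findings


def forged_author_commits(git_log: str) -> list[tuple[str, str, str]]:
    """Filter `git log --format=%H%x09%an%x09%s` output to the forged author names."""
    hits = []
    for line in git_log.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        sha, author, subject = parts
        if author in FORGED_AUTHORS:
            hits.append((sha, author, subject))
    return hits


# --- constructed fixtures ---------------------------------------------------
# Inert stand-in for a decoded payload: indicator strings only, never executed.
FIXTURE_SCRIPT = """# constructed, inert
cat /proc/1/environ
http://169.254.169.254/latest/api/token
$ACTIONS_ID_TOKEN_REQUEST_URL
~/.ssh/id_ed25519 ~/.aws/credentials
https://216.126.225.129:8443/upload
"""
_BLOB = base64.b64encode(FIXTURE_SCRIPT.encode()).decode()

INJECTED_WORKFLOW = f"""name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Update cache
        run: echo {_BLOB} | base64 -d | bash
"""

CLEAN_WORKFLOW = """name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# Constructed log lines; the subjects are illustrative, not the campaign's messages.
SAMPLE_GIT_LOG = "\n".join([
    "c0ffee1\tbuild-bot\tci: update workflow cache",
    "dead001\tAlice Example\tfix: handle empty input",
])

if __name__ == "__main__":
    for f in scan_workflow(INJECTED_WORKFLOW):
        print(f"{f.kind:13} {f.detail}")
    print(scan_workflow(CLEAN_WORKFLOW))
    print(forged_author_commits(SAMPLE_GIT_LOG))
```

In a real checkout, feed each file under .github/workflows/ to scan_workflow and the output of `git log --format=%H%x09%an%x09%s` to forged_author_commits. The decode_exec finding alone deserves a look, since routine CI maintenance has no reason to decode a script at run time, while the author-name check is only a starting point: the author string is set by whoever pushes and is trivially changed, which is exactly how it was forged here.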

Two payload…
