{"id":252564,"date":"2026-05-22T07:55:00","date_gmt":"2026-05-22T11:55:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/22\/megalodon-github-attack-targets-5561-repos-with-malicious-ci-cd-workflows\/"},"modified":"2026-05-22T12:00:23","modified_gmt":"2026-05-22T16:00:23","slug":"megalodon-github-attack-targets-5561-repos-with-malicious-ci-cd-workflows","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/22\/megalodon-github-attack-targets-5561-repos-with-malicious-ci-cd-workflows\/","title":{"rendered":"Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI\/CD Workflows"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/megalodon-github-attack-targets-5561.html\">Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI\/CD Workflows<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/megalodon-github-attack-targets-5561.html\">https:\/\/thehackernews.com\/2026\/05\/megalodon-github-attack-targets-5561.html<\/a><\/p>\n<p>Publish Date: 2026-05-22 07:55:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Cybersecurity researchers have disclosed details of a new automated campaign called Megalodon that has pushed 5,718 malicious commits to 5,561 GitHub repositories within a six-hour window.<\/p>\n<p>&#8220;Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected GitHub Actions workflows containing base64-encoded bash payloads that exfiltrate CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets to a C2 server at 216.126.225[.]129:8443,&#8221; SafeDep said in a report.<\/p>\n<p>The complete list of data harvested by the malware is below &#8211;<\/p>\n<ul>\n<li>CI environment variables, \/proc\/*\/environ, and PID 1 environment<\/li>\n<li>Amazon Web Services (AWS) credentials<\/li>\n<li>Google Cloud access 
tokens<\/li>\n<li>Instance role credentials obtained by querying AWS IMDSv2, Google Cloud metadata, and Microsoft Azure Instance Metadata Service (IMDS) endpoints<\/li>\n<li>SSH private keys<\/li>\n<li>Docker and Kubernetes configurations<\/li>\n<li>Vault tokens<\/li>\n<li>Terraform credentials<\/li>\n<li>Shell history<\/li>\n<li>API keys, database connection strings, JWTs, PEM private keys, and cloud tokens matching more than 30 secret regular expression patterns<\/li>\n<li>GitHub Actions OIDC token request URL and token<\/li>\n<li>GITHUB_TOKEN, GitLab CI\/CD tokens, and Bitbucket tokens<\/li>\n<li>.env files, credentials.json, service-account.json, and other configuration files<\/li>\n<\/ul>\n<p>One of the impacted packages is @tiledesk\/tiledesk-server, which bundles a Base64-encoded bash payload within a GitHub Actions workflow file. In all, 5,718 commits were pushed against 5,561 distinct repositories on May 18, 2026, between 11:36 a.m. and 5:48 p.m. UTC.<\/p>\n<p>&#8220;The attacker rotated through four author names (build-bot, auto-ci, ci-bot, pipeline-bot) and seven commit messages, all mimicking routine CI maintenance,&#8221; SafeDep said. 
&#8220;The attacker used throwaway GitHub accounts with random 8-character usernames (e.g., rkb8el9r, bhlru9nr, lo6wt4t6), set git config to forge the author identity, and pushed via compromised PATs or deploy keys.&#8221;<\/p>\n<p>Two payload&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/megalodon-github-attack-targets-5561.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI\/CD Workflows https:\/\/thehackernews.com\/2026\/05\/megalodon-github-attack-targets-5561.html Publish Date: 2026-05-22 07:55:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":252565,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjC_sjVeLejyyBZJ0DWW2y9-Z2Jvmrzz9h-5XEIKPFTcJvDj49Jlt-z1FNbSp51K9XcQ8FqC9MBDFPPPdZuzRfjqtYvKNaqT0Qzd61oCHVhNq59IcAVcWV3LvDmKCsX5pHn4nU3LclQPEozMp3XsgYZnVHCZEj89AGkWJpqL1EjCjiqMLnvggZLsgb08MYp\/s1600\/github-worm.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32],"class_list":["post-252564","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/252564"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=252564"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/252564\/revisions"}],"predecessor-version":[{"id":252566,"href":"https:\/\/
news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/252564\/revisions\/252566"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/252565"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=252564"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=252564"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=252564"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}