Supply-Chain Attack: Massive Megalodon Campaign Hits 5,500+ GitHub Repositories

The Megalodon Supply-Chain Attack: How 5,500+ GitHub Repositories Were Poisoned in Six Hours

The global software development ecosystem is grappling with one of the most aggressive and highly automated security events in recent memory. On May 26, 2026, cybersecurity firms SafeDep and ReversingLabs published comprehensive forensic reports detailing “Megalodon,” a massive, lightning-fast supply-chain attack that compromised 5,561 public and open-source GitHub repositories. Over a tiny six-hour window on May 18, 2026, threat actors pushed 5,718 malicious commits to targeted projects, bypassing manual code review pipelines and turning trusted software workflows into credential-harvesting engines.

Attributed to the prolific cybercrime syndicate TeamPCP, this zero-CVE campaign represents a fundamental shift in software delivery hazards. Rather than targeting the application code directly, the campaign targeted continuous integration and continuous deployment (CI/CD) pipelines. The rapid speed and evasion capabilities of the Megalodon campaign underscore a chilling reality: traditional security scanners anchored strictly to known vulnerabilities (CVEs) are functionally blind to pipeline-level pipeline-poisoning campaigns.

The Dark Catalyst: TeamPCP and the Shai-Hulud Framework

To understand the unprecedented scale of the Megalodon campaign, one must trace its roots back to the evolving tactics of TeamPCP. Emerging as a highly active, financially motivated threat actor group, TeamPCP made a name for itself by exploiting misconfigured Docker APIs and Next.js installations. However, in early 2026, the group pivoted heavily toward software supply chain compromises.

Between late April and early May 2026, TeamPCP executed “Wave 1” of their campaign using a self-propagating worm known as “Shai-Hulud” (or “Mini Shai-Hulud”). The worm compromised hundreds of packages on public registries like npm and PyPI, even managing to hijack legitimate build pipelines to generate cryptographically valid SLSA Build Level 3 provenance attestations.

In an audacious move on May 12, 2026—just six days before the Megalodon campaign was launched—TeamPCP publicly released the source code of the Shai-Hulud framework. This effectively democratized their production-grade offensive framework, putting advanced credential-harvesting and supply-chain poisoning capabilities into the hands of the wider cybercrime community. The Megalodon campaign erupted less than a week later, utilizing the identical structural blueprint and metadata evasion tricks of Shai-Hulud to execute a synchronized assault on GitHub’s pipeline infrastructure.

Anatomy of a Ghost: Identity Forgery and Metadata Manipulation

To pull off 5,718 malicious commits across thousands of repositories in under six hours without triggering immediate developer alarms, the orchestrators of Megalodon relied on sophisticated identity spoofing and automated repository access. The attackers exploited weak branch protection rules and relied on compromised Personal Access Tokens (PATs) and deploy keys, many of which had been harvested during previous workstation compromises.

The attack sequence bypassed human review through three highly structured automation techniques:

• Disposable Accounts: The attackers registered disposable GitHub accounts utilizing random, eight-character alphanumeric usernames (e.g., rkb8el9r, bhlru9nr, and lo6wt4t6) to serve as the launchpad for the commits.
• Git Config Spoofing: The attackers programmatically modified local Git configurations (specifically user.name and user.email) to forge the identity of legitimate automated build integration bots. They rotated through four author aliases—build-bot, auto-ci, ci-bot, and pipeline-bot—and leveraged deceptive email domains such as ci-bot@automated.dev and build-system@noreply.dev.
• Timestamp Poisoning: To blend into the background and evade security scanners that look for sudden bursts of new commits, the attackers hardcoded historical timestamps into the Git metadata. Many of the malicious commits carried a forged commit date of September 17, 2001. By backdating the commits by a quarter of a century, they successfully pushed them deep into repository histories, ensuring they remained invisible on typical “recent activity” feeds.

The Two-Pronged Execution: SysDiag vs. Optimize-Build

The true genius of the Megalodon campaign lies in its execution mechanics. Rather than modifying any application source code—which would likely trigger static application security testing (SAST) failures or developer reviews—the campaign targeted GitHub Actions workflow files exclusively. SafeDep’s analysis revealed that the campaign deployed two distinct workflow manipulation techniques, codenamed SysDiag and Optimize-Build.

The first variant, SysDiag, was designed to maximize rapid execution. The automated commits injected an entirely new workflow file located at .github/workflows/ci.yml. This workflow was configured with standard, aggressive triggers: on: [push, pull_request]. Consequently, the second any developer pushed a routine update or an external contributor opened a pull request, the infected GitHub runner spun up and executed the malicious harvesting script in the background.

The second, stealthier variant was dubbed Optimize-Build. Instead of adding a new file, this payload overrode existing, legitimate workflow configuration files (such as Docker compilation or deployment workflows). The triggers in these poisoned files were replaced with a single directive: on: workflow_dispatch. By restricting execution strictly to manual dispatch, the attackers ensured the compromised workflows remained completely dormant during day-to-day operations. The backdoor generated no build failures, no automated linter warnings, and no build alerts. At any point in the future, the attackers could awaken the backdoor by sending a manual trigger request via the GitHub REST API to the repository.

Payload Mechanics and Massive Credential Exfiltration

Regardless of whether SysDiag or Optimize-Build was utilized, the payload inside the workflow files was highly consistent: a heavily obfuscated, Base64-encoded Bash script embedded inside a run directive. When decoded, the script executed silently within GitHub’s cloud-hosted runners. It was specifically engineered to harvest and exfiltrate every sensitive credential exposed in the build environment.

According to SafeDep, the malware successfully extracted a wide range of sensitive data:

1. Environment Variables: The script read /proc/*/environ, PID 1 environments, and local shell history files to capture hardcoded secrets.
2. Cloud Infrastructure Credentials: The malware queried local metadata service endpoints to extract AWS credentials, Google Cloud (GCP) OAuth access tokens, and Microsoft Azure Instance Metadata Service (IMDS) tokens. It even executed localized commands like aws configure list-profiles to identify active cloud accounts.
3. DevOps and IaC Secrets: It scanned for HashiCorp Vault tokens, Terraform credentials, and sensitive local files like .env, credentials.json, and service-account.json.
4. Git and Platform Tokens: The script harvested the in-memory GITHUB_TOKEN, GitLab CI/CD variables, and Bitbucket integration keys.
5. Federated OIDC Tokens: Crucially, the script intercepted GitHub Actions OpenID Connect (OIDC) token request URLs, allowing the attackers to forge federated identities and assume the cloud roles granted to the runner.

Once gathered, the stolen credentials were compressed and exfiltrated to the known TeamPCP command-and-control (C2) server hosted at the IP address 216.126.225.129:8443.

Downstream Poisoning: The Tiledesk and npm Incident

The ultimate danger of a supply-chain attack of this scale is its ability to easily propagate downstream. Because many repository owners merged the forged automated commits without auditing the workflow changes, several projects inadvertently distributed infected updates.

The most prominent casualty of the Megalodon campaign was Tiledesk, a highly popular open-source live-chat and chatbot platform. The automated attackers successfully pushed malicious commits to nine of Tiledesk’s GitHub repositories. Specifically, they overwrote Tiledesk’s Docker deployment workflow (docker-community-worker-push-latest.yml) with the malicious Optimize-Build payload.

Because the core application code remained completely unmodified, the change was entirely invisible to standard code testing pipelines. Unaware of the pipeline compromise, a legitimate Tiledesk maintainer published seven sequential versions of their core public npm package, @tiledesk/tiledesk-server (versions 2.18.6 through 2.18.12), to the npm registry between May 19 and May 21, 2026. The attacker never touched the developer’s npm credentials; instead, they successfully poisoned the upstream repository, and the developer’s legitimate publishing environment dutifully distributed the backdoored software to thousands of downstream users.

Mitigating Megalodon: Defensive Measures for Engineering Teams

As the cybersecurity community continues to respond to the Megalodon campaign, security firms are urging engineering teams to implement immediate, rigorous defensive checks. To secure your environment from this and future pipeline compromises, developers should adopt the following defensive playbook:

• Audit Git History and Workflows: Run manual audits of your repository’s .github/workflows/ directory. Search for unexpected YAML files containing Base64-encoded strings, or any workflows named SysDiag or Optimize-Build.
• Identify Forged Bot Commits: Check your commit history for authors like build-bot, auto-ci, or pipeline-bot, particularly those lacking cryptographic signatures (GPG/SSH signed commits). Search your repository history specifically for the historical commit timestamp of September 17, 2001.
• Check Action Logs: Review the GitHub Actions run history for unexpected workflow_dispatch executions, which could indicate an attacker triggering a dormant backdoor.
• Enforce Zero-Trust Branch Protections: Restrict direct pushes to default branches. Require all commits to be cryptographically signed, and mandate that any modification to files in the .github/ directory undergoes multiple peer reviews before merging.
• Rotate Secrets Immediately: If your repository was exposed to the Megalodon commits, assume all environment variables and secrets are fully compromised. Revoke and rotate all cloud provider keys (AWS, GCP, Azure), SSH private keys, npm publishing tokens, and database credentials.
• Block the Command-and-Control (C2) Server: Ensure that your network monitoring tools and firewall