Megalodon Campaign Poisons Over 5,500 GitHub Repositories in Massive CI/CD Attack
Table of Contents
A New Wave of Supply Chain Sabotage
GitHub is currently grappling with the fallout of a massive, automated malware campaign dubbed “Megalodon,” which has successfully poisoned more than 5,500 repositories. The attack, which unfolded rapidly over a six-hour window on May 18, specifically targets the Continuous Integration and Continuous Deployment (CI/CD) pipelines that modern developers rely on to automate software delivery.
According to researchers at SafeDep, the campaign is designed to be a silent predator. Instead of crashing systems or encrypting files for ransom, Megalodon focuses on the exfiltration of high-value secrets. By inserting malicious commits into repositories, the attackers ensure that the malware executes within the environment where the most sensitive credentials reside: the build pipeline.
The mechanics are straightforward but devastating. If a repository owner merges a compromised commit, the malware triggers inside the CI/CD pipeline. From there, it begins a comprehensive sweep of the environment, hunting for AWS secret keys, Google Cloud access tokens, and Azure metadata for instance role credentials. It doesn’t stop there; the script also scans for SSH private keys, Kubernetes configurations, Vault tokens, and Terraform credentials, using more than 30 different regex patterns to ensure no secret is left behind.
The Anatomy of a Poisoned Commit
The sophistication of Megalodon lies in its camouflage. Threat hunters from SafeDep traced the malicious commits to authors posing as automated systems. One commit was attributed to a “build-bot” using the email build-system[@]noreply.dev, while another used ci-bot@automated.dev. Both used generic, innocuous messages like “ci: add build optimization step” to avoid triggering suspicion during a cursory review.
In many cases, these commits bypassed the standard Pull Request (PR) process entirely. Researchers believe the attackers utilized compromised Personal Access Tokens (PATs) or deploy keys to push code directly to the master branch. This allowed the malware to land in repositories without the usual layer of peer review that typically catches anomalies.
The scale of the infection is significant. Between 11:36 and 17:48 UTC on May 18, the campaign hit 5,561 repositories. Among the most notable victims was Tiledesk, an open-source live chat platform. The attackers backdoored several Tiledesk repositories, including tiledesk-server and tiledesk-ai. In a particularly dangerous twist, the legitimate maintainer of the Tiledesk npm package unknowingly published compromised versions (2.18.6 through 2.18.12) because the source code on GitHub had been poisoned, even though the npm account itself remained secure.
Beyond the TeamPCP Blueprint
Industry analysts have noted similarities between Megalodon and the previous TeamPCP attacks, which poisoned roughly 3,800 repositories. However, evidence suggests Megalodon is the work of a different actor. Moshe Siman Tov Bustan, lead researcher at Ox Security, notes that while the style is similar, the underlying code differs.
Bustan points out that the actor behind Megalodon is likely not participating in the “supply-chain attack competition” recently hosted on BreachForums by TeamPCP, as they failed to follow the specific rule of adding a public encryption key to prove involvement.
The broader implication is a shift in how attackers view developer ecosystems. By compromising the tools used to build software, attackers can effectively impersonate developer identities within cloud environments, granting them a persistent foothold in corporate infrastructures. For any organization that merged these commits, the assumption must now be that all CI/CD variables and cloud secrets associated with those projects have been compromised.
While npm has taken steps to invalidate certain granular access tokens to mitigate account hijacking, security experts argue that this is a superficial fix. The core problem remains: malicious code is still reaching the heart of the software supply chain with minimal friction.
