Megalodon: Mass GitHub Repo Backdooring via CI Workflows

TL;DR

On May 18, 2026, an automated campaign codenamed megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories in a six-hour window. Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected GitHub Actions workflows containing base64-encoded bash payloads that exfiltrate CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets to a C2 server at 216.126.225.129:8443.

The campaign deployed two payload variants. The mass variant (SysDiag) adds a new workflow triggered on every push and pull request, maximizing automated execution. A targeted variant (Optimize-Build) replaced existing workflows with workflow_dispatch triggers, creating dormant backdoors that the attacker can fire on demand via the GitHub API. The npm package @tiledesk/tiledesk-server versions 2.18.6 through 2.18.12 carry the targeted variant, propagated to npm through routine publishes by the legitimate maintainer from the compromised GitHub repository.

Impact:

• 5,561 GitHub repositories received malicious workflow commits
• Exfiltrates all CI environment variables, /proc/*/environ, and PID 1 environment
• Steals AWS credentials (per-profile access keys, secret keys, session tokens via aws CLI)
• Harvests GCP access tokens via gcloud auth print-access-token
• Queries AWS IMDSv2, GCP metadata, and Azure IMDS endpoints for instance role credentials
• Reads SSH private keys, Docker auth configs, .npmrc, .netrc, Kubernetes configs, Vault tokens, Terraform credentials, and shell history
• Grep-scans source code for 30+ secret regex patterns (API keys, database connection strings, JWTs, PEM private keys, cloud tokens)
• Exfiltrates GitHub Actions OIDC token request URL and token, enabling cloud identity impersonation
• Exfiltrates GITHUB_TOKEN, GitLab CI/CD tokens, and Bitbucket tokens
• Searches the workspace and common server paths for .env files, credentials.json, service-account.json, and other configuration files

Indicators of Compromise (IoC):

• C2: hxxp://216[.]126[.]225[.]129:8443
• Campaign: megalodon
• Author emails: [email protected], [email protected]
• Author names: build-bot, auto-ci, ci-bot, pipeline-bot
• Commit messages: “ci: add build optimization step”, “build: improve ci performance”, “chore: optimize pipeline runtime”, “chore: sync ci configuration”, “chore: update ci/cd pipeline”, “ci: update build config”, “fix: correct build workflow”
• Mass variant: adds .github/workflows/ci.yml named SysDiag, triggers on push (all branches) + pull_request_target
• Targeted variant: replaces existing workflow, renames to Optimize-Build, triggers on workflow_dispatch
• Both variants request permissions: id-token: write, actions: read
• npm: @tiledesk/tiledesk-server versions 2.18.6 through 2.18.12
• Tiledesk commit: acac5a9

Analysis

How We Found It

SafeDep’s Malysis engine flagged @tiledesk/[email protected] after detecting a base64-encoded bash payload inside a bundled GitHub Actions workflow file. The package itself is legitimate: Tiledesk is an open source live chat and chatbot platform, published since 2019 with hundreds of versions and six npm maintainers, all with @tiledesk.com or personal email addresses consistent with the project team.

Diffing version 2.18.12 against the clean 2.18.5, one file changed: .github/workflows/docker-community-worker-push-latest.yml. The original Docker build workflow was gone. In its place, a workflow named Optimize-Build with a set +e; echo "..." | base64 -d | bash one-liner. Application code: identical.

Versions 2.18.6 (May 19) through 2.18.12 (May 21) all carry the backdoor. The same npm account, eljohnny ([email protected]), published both the clean 2.18.5 and the compromised versions. The attacker never touched the npm account. They compromised the GitHub repository, and the maintainer published from the poisoned source without realizing it.

Tracing the Commit

The malicious commit (acac5a9) landed on May 18, 2026, authored by build-bot <[email protected]> with the message “ci: add build optimization step”. The author name and generic noreply email mimic automated CI commits. The GitHub API returns null for both the author and committer user fields: no GitHub account is linked. Someone pushed the commit to master with no PR and no merge commit, using a compromised PAT or deploy key. As of this writing, the malicious commit remains on the master branch.

Searching GitHub for other commits by [email protected] revealed the larger campaign.

Campaign Scale

Searching GitHub for commits authored by [email protected] returns 2,878 results. A second email, [email protected], accounts for another 2,841. All 5,718 commits landed on the same day: May 18, 2026, across a six-hour window from approximately 11:36 to 17:48 UTC, targeting 5,561 distinct repositories.

The attacker rotated through four author names (build-bot, auto-ci, ci-bot, pipeline-bot) and seven commit messages, all mimicking routine CI maintenance:

• ci: add build optimization step
• build: improve ci performance
• chore: optimize pipeline runtime
• chore: sync ci configuration
• chore: update ci/cd pipeline
• ci: update build config
• fix: correct build workflow

The attacker used throwaway GitHub accounts with random 8-character usernames (e.g., rkb8el9r, bhlru9nr, lo6wt4t6), set git config to forge the author identity, and pushed via compromised PATs or deploy keys.

Tiledesk alone was hit across nine repositories: tiledesk-server, tiledesk-dashboard, tiledesk-telegram-connector, tiledesk-llm, tiledesk-docker-proxy, tiledesk-community-app, tiledesk-campaign-dahboard, tiledesk-helpcenter-template, and tiledesk-ai. Other targeted organizations include Black-Iron-Project (8 repos), WISE-Community, and hundreds of smaller repositories.

The full list of 5,718 malicious commits across 5,561 repositories, collected from GitHub’s commit search API: