Megalodon Attack: 5,561 GitHub Repositories Compromised in Six-Hour CI/CD Blitz

[Figure: attack-chain diagram with stages Actor, Initial Access, Payload, Impact, Exfil. Nodes: TeamPCP (threat actor); stolen PATs and deploy keys (write access); Megalodon (SysDiag, Optimize-Build); 5,561 repos (5,718 commits in 6h, malicious workflows); CI/CD secrets (AWS, GCP, Azure, 30+ secret patterns); Mini Shai-Hulud (worm propagation: steals, then reinfects); C2 216.126.225[.]129:8443.]

  • 5,718 Malicious Commits
  • 5,561 Compromised Repos
  • 6 Hours Attack Window
  • 30+ Secret Patterns Targeted

TL;DR
  • What: The Megalodon campaign (TeamPCP) injected malicious GitHub Actions workflows into 5,561 repositories via stolen PATs and deploy keys, harvesting CI/CD secrets using two payload variants: SysDiag (mass push-trigger) and Optimize-Build (stealth manual-dispatch).
  • Impact: 5,718 commits across 5,561 repos in six hours; exfiltrated AWS, GCP, and Azure credentials, SSH keys, Vault tokens, and 30+ other secret patterns to C2 at 216.126.225.129:8443; propagated further via the Mini Shai-Hulud worm using stolen credentials.
  • Fix / mitigation: npm invalidated all granular write-access tokens; rotate all CI/CD PATs, deploy keys, and cloud tokens immediately; adopt Trusted Publishing; enforce branch-protection requiring PR review for workflow file changes.
  • Who's at risk: Any GitHub project that auto-merges bot-authored commits or uses long-lived PATs/deploy keys with write access in CI/CD pipelines, particularly open-source maintainers across GitHub, npm, and multi-cloud environments.

On May 18, 2026, an automated supply chain attack designated Megalodon compromised 5,561 GitHub repositories in a six-hour window between 11:36 a.m. and 5:48 p.m. UTC. The campaign pushed 5,718 malicious commits containing weaponized GitHub Actions workflows designed to exfiltrate credentials, cloud tokens, and secrets from CI/CD pipelines. Attackers used throwaway accounts with random 8-character usernames and forged author identities mimicking common bot names to evade detection.

Attack Methodology and Infrastructure

The Megalodon campaign leveraged compromised Personal Access Tokens (PATs) and deploy keys to inject malicious GitHub Actions workflows into legitimate repositories. Attackers rotated through four author names—build-bot, auto-ci, ci-bot, and pipeline-bot—paired with seven different commit messages designed to mimic routine CI maintenance. The malicious payloads were base64-encoded bash scripts that executed within GitHub Actions runners, establishing connections to command-and-control infrastructure at 216.126.225[.]129:8443.

SafeDep's analysis revealed two distinct payload variants. The mass-distribution variant, SysDiag, added workflows triggered on every push and pull request to maximize reach. The targeted variant, Optimize-Build, used workflow_dispatch triggers that activate only on manual workflow execution, sacrificing reach for operational security. The @tiledesk/tiledesk-server package exemplified the targeted approach, where the malware executed only in CI/CD runners rather than during package installation.
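A static check for the two workflow shapes described above, written as an added example (not code from SafeDep or from the campaign). It assumes the encoded script is decoded with `base64 -d` and piped to a shell, which the article does not spell out; the sample workflows and the encoded stand-in are constructed.

```python
import base64
import re

C2_HOST = "216.126.225.129"  # C2 address reported in the article
# Assumed invocation shape: decode a base64 blob and pipe it to a shell.
DECODE_EXEC = re.compile(r"base64\s+(?:-d|--decode)\b[^\n|]*\|\s*(?:ba)?sh\b")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
ON_BLOCK = re.compile(r"^['\"]?on['\"]?:(.*?)(?=^\S|\Z)", re.M | re.S)
EVENT = re.compile(r"\b(push|pull_request|workflow_dispatch)\b")

def inspect_workflow(text):
    """Return trigger events, trigger profile and indicators for one workflow file."""
    block = ON_BLOCK.search(text)
    events = set(EVENT.findall(block.group(1))) if block else set()
    indicators = []
    if DECODE_EXEC.search(text):
        indicators.append("base64-decode-piped-to-shell")
    hits_c2 = C2_HOST in text
    for blob in B64_BLOB.findall(text):
        try:  # look inside encoded blobs, where the address would be hidden
            hits_c2 |= C2_HOST in base64.b64decode(blob).decode("utf-8", "ignore")
        except ValueError:  # matched the pattern but is not valid base64
            continue
    if hits_c2:
        indicators.append("c2-address")
    if events == {"workflow_dispatch"}:
        profile = "manual-dispatch-only"   # trigger shape described for Optimize-Build
    elif events & {"push", "pull_request"}:
        profile = "runs-on-push-or-pr"     # trigger shape described for SysDiag
    else:
        profile = "other"
    return {"events": events, "profile": profile, "indicators": indicators}

# Constructed samples: the encoded text is a harmless stand-in, not the real payload.
_BLOB = base64.b64encode(
    b"# constructed stand-in, not the real payload\n# reported C2: 216.126.225.129:8443\n"
).decode()
_JOB = ("jobs:\n  diag:\n    runs-on: ubuntu-latest\n    steps:\n"
        f"      - run: echo {_BLOB} | base64 -d | bash\n")
AUTO_SAMPLE = "on: [push, pull_request]\n" + _JOB
DISPATCH_SAMPLE = "on:\n  workflow_dispatch:\n" + _JOB

if __name__ == "__main__":
    for sample in (AUTO_SAMPLE, DISPATCH_SAMPLE):
        print(inspect_workflow(sample))
```

A trigger profile alone is not an indicator, since most legitimate CI runs on push; treat it as context for the two indicator checks.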

Exfiltrated Data and Target Scope

The malware harvested comprehensive credential sets from compromised CI/CD environments. Primary targets included CI environment variables, process environment data from /proc/*/environ, and PID 1 environment configurations. Cloud provider credentials formed a critical component: AWS credentials, Google Cloud access tokens, and instance role credentials obtained by querying AWS IMDSv2, Google Cloud metadata, and Microsoft Azure IMDS endpoints.

Comprehensive Credential Harvest

The attack collected SSH private keys, Docker and Kubernetes configurations, Vault tokens, Terraform credentials, shell history, and configuration files including .env, credentials.json, and service-account.json. The malware also targeted GitHub Actions OIDC tokens, GITHUB_TOKEN, GitLab CI/CD tokens, and Bitbucket tokens using more than 30 secret regular expression patterns.

The attack's effectiveness hinged on repository owners merging malicious commits. Once merged, the workflows executed automatically within trusted CI/CD pipelines, granting attackers access to production secrets and enabling lateral movement. With over 5,700 repositories compromised, even a small percentage yielding usable tokens provided sufficient infrastructure for sustained credential theft operations.

TeamPCP Connection and Broader Campaign Context

The Megalodon attack represents the latest escalation in supply chain compromises attributed to or associated with TeamPCP activity. This threat actor has systematically corrupted hundreds of open-source tools across multiple ecosystems, targeting major platforms including GitHub, TanStack, Grafana Labs, OpenAI, and Mistral AI. The group demonstrates both financial motivation—establishing partnerships with BreachForums and extortion crews like LAPSUS$ and VECT—and geopolitical objectives, deploying wiper malware when detecting systems in Iran and Israel.

TeamPCP's attacks exploit the interconnected nature of software supply chains, where single compromises cascade through dependency networks. The group's Mini Shai-Hulud worm exemplifies this worm-like propagation, spreading through ecosystems by leveraging stolen credentials to compromise additional projects. This cyclical exploitation pattern creates self-sustaining attack chains where each compromise generates credentials that enable subsequent breaches.

npm Response and Platform-Level Mitigations

In response to the TeamPCP attack wave, npm invalidated all granular access tokens with write access that bypass two-factor authentication. This emergency measure addresses the credentials already harvested by active worms but does not eliminate the underlying vulnerability. The platform now recommends Trusted Publishing to reduce dependence on long-lived tokens that can be exfiltrated and reused.

Token Invalidation: Temporary Relief

According to Socket, npm's mass token invalidation buys breathing room but does not close the fundamental security gap. Maintainers will issue new tokens, while worms already active in the wild will resume harvesting them. Organizations must implement defense-in-depth strategies rather than relying solely on platform-level resets.

Parallel Polymarket Impersonation Campaign

Concurrent with Megalodon, a separate campaign using the throwaway account 'polymarketdev' published nine malicious npm packages impersonating Polymarket trading CLI tools within a 30-second window. The packages—including polymarket-trading-cli, polymarket-terminal, and polymarket-bot—remained available on npm at the time of discovery.

These packages deployed sophisticated social engineering through postinstall scripts that displayed fake wallet onboarding prompts requesting private keys. The scripts claimed encryption but transmitted Ethereum and Polygon private keys in plaintext to a Cloudflare Worker endpoint at hxxps://polymarketbot.polymarketdev.workers[.]dev/v1/wallets/keys. The attacker built a working trading CLI around the credential theft operation, using GitHub repositories to establish false credibility and input masking to simulate secure entry.

Defense Recommendations

Organizations must implement comprehensive supply chain security controls to defend against automated compromise campaigns. Review all GitHub Actions workflows in repositories for unauthorized changes, particularly commits from bot-named authors or accounts with random 8-character usernames. Implement mandatory code review for workflow files and restrict workflow modification permissions to verified maintainers.
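One way to run the history review described above, as an added example that is not from the article or its sources. It parses `git log` output and flags commits that touch workflow files and carry one of the four forged author names or fall inside the attack window; the sample log, its hashes and the name "alice" are constructed.

```python
import re
from datetime import datetime, timezone

# Indicators from the article: forged author names and the UTC attack window.
FORGED_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
WINDOW_START = datetime(2026, 5, 18, 11, 36, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 18, 17, 48, tzinfo=timezone.utc)
WORKFLOW_FILE = re.compile(r"^\.github/workflows/[^/]+\.ya?ml$")

# Real input: git log --all --name-only --format='@@%H%x09%an%x09%aI'
# Constructed sample below; hashes and the name "alice" are made up.
SAMPLE_LOG = (
    "@@a1b2c3d\tci-bot\t2026-05-18T12:04:10+00:00\n\n.github/workflows/ci.yml\n"
    "@@d4e5f6a\talice\t2026-05-18T13:00:00+00:00\n\n.github/workflows/release.yml\n"
    "@@0f9e8d7\tbuild-bot\t2026-05-18T14:00:00+00:00\n\nsrc/main.py\n"
    "@@7c6b5a4\tpipeline-bot\t2026-05-18T19:30:00+02:00\n\nREADME.md\n.github/workflows/opt.yaml\n"
    "@@9e8f7a6\tauto-ci\t2026-04-02T09:15:00+00:00\n\n.github/workflows/ci.yml\n"
)

def triage(log_text):
    """Flag workflow-touching commits by forged bot name and/or attack window."""
    findings = []
    for record in log_text.split("@@")[1:]:
        header, *paths = [ln for ln in record.splitlines() if ln.strip()]
        sha, author, date = header.split("\t")
        workflows = [p for p in paths if WORKFLOW_FILE.match(p)]
        # Author dates carry their own offset; normalise to UTC before comparing.
        when = datetime.fromisoformat(date).astimezone(timezone.utc)
        forged = author in FORGED_AUTHORS
        in_window = WINDOW_START <= when <= WINDOW_END
        if not workflows or not (forged or in_window):
            continue
        # Both signals together is the campaign's pattern; one alone needs a human look.
        severity = "high" if forged and in_window else "review"
        findings.append({"sha": sha, "author": author, "severity": severity,
                         "workflows": workflows})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Author name and author date are set by whoever creates the commit, so a clean result does not clear a repository; diff every workflow file against a known-good revision as well.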

Rotate all CI/CD credentials, PATs, deploy keys, and cloud access tokens as a precautionary measure. Enable GitHub's branch protection rules requiring pull request reviews before merging workflow changes. Implement secrets scanning tools that detect credential patterns before they reach production pipelines. Monitor CI/CD execution logs for unexpected network connections, particularly to suspicious IP addresses or domains. Adopt Trusted Publishing mechanisms where available to eliminate long-lived authentication tokens from deployment workflows.

For package consumption, verify package authenticity through maintainer reputation, publication history, and repository activity before installation. Scrutinize postinstall scripts and lifecycle hooks that request sensitive input. Configure network egress filtering to block CI/CD runners from accessing external endpoints except explicitly approved services. The scale and automation of Megalodon demonstrate that manual security reviews cannot keep pace with industrialized supply chain attacks—organizations require automated policy enforcement and continuous monitoring to detect compromise indicators in real time.
