A massive malware campaign called Megalodon has infected thousands of GitHub repositories by abusing trusted CI/CD workflows and fake automation commits.
Quick Summary – TLDR:
- More than 5,500 GitHub repositories were targeted in a large scale malware campaign.
- Attackers used fake CI automation commits to inject malicious GitHub Actions workflows.
- The malware steals cloud credentials, API keys, SSH keys, tokens, and sensitive developer data.
- Security researchers warn this attack signals a dangerous new phase in software supply chain attacks.
What Happened?
Security researchers from SafeDep and OX Security have uncovered a large malware campaign named Megalodon that spread rapidly across GitHub repositories through malicious CI/CD workflow injections. The attack reportedly affected over 5,500 repositories within just a few hours on May 18, 2026.
The malware campaign relied on fake automated commits disguised as routine CI maintenance updates. Once repository owners unknowingly merged the malicious commits, the malware executed inside GitHub Actions workflows and began stealing secrets, cloud credentials, and other sensitive information.
🚨 The “𝙼𝚎𝚐𝚊𝚕𝚘𝚍𝚘𝚗” Campaign is live…
— SafeDep (@safedepio) May 21, 2026
𝟻,𝟽𝟷𝟾 malicious commits to 𝟻,𝟻𝟼𝟷 GitHub repositories in a six-hour window.
Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected 𝙶𝚒𝚝𝙷𝚞𝚋… pic.twitter.com/qJQJ3RDQwh
How the Megalodon Attack Worked?
According to researchers, attackers created fake commits using identities such as build bot, auto ci, ci bot, and pipeline bot. The commits appeared legitimate and carried harmless looking messages including:
- “ci: add build optimization step”
- “build: improve ci performance”
- “chore: optimize pipeline runtime”
- “fix: correct build workflow”
These commits injected malicious GitHub Actions workflow files containing Base64 encoded bash payloads. Once triggered, the payload silently executed in the CI/CD environment.
Researchers said the malware campaign pushed over 5,700 malicious commits across 5,561 GitHub repositories in just a six hour period.
Malware Focused on Stealing Developer Secrets
The Megalodon malware was designed specifically to target developer environments and cloud infrastructure credentials. Once active, the malware searched systems for:
- AWS access keys and session tokens
- Google Cloud access tokens
- Azure instance metadata credentials
- GitHub Actions tokens
- SSH private keys
- Docker authentication configs
- Terraform and Kubernetes credentials
- .env files and configuration secrets
- npm and PyPi credentials
- Shell history files
Researchers also found that the malware scanned source code using more than 30 secret matching patterns to identify API keys, database credentials, JWT tokens, and private encryption keys.
The stolen data was then sent to a command and control server linked to the campaign.
Compromised npm Package Raised More Concerns
One of the most alarming discoveries involved the popular open source project Tiledesk. Researchers found that versions 2.18.6 through 2.18.12 of the npm package @tiledesk/tiledesk-server contained a malicious GitHub workflow backdoor.
Interestingly, investigators believe the npm account itself was not hacked. Instead, attackers compromised the GitHub repository and inserted malicious workflow code before the legitimate maintainer unknowingly published the infected package.
The malware replaced an existing workflow with a hidden backdoor called Optimize Build, allowing attackers to remotely trigger malicious activity using GitHub APIs.
Indicators of Compromise
Researchers identified several warning signs linked to the Megalodon campaign, including:
- Connections to 216.126.225.129:8443
- Suspicious GitHub workflow files named SysDiag
- Unknown workflow modifications in .github/workflows/
- Fake automation email accounts such as:
Security teams are being advised to immediately rotate credentials, revoke compromised tokens, and audit GitHub Actions workflows for unauthorized changes.
GitHub Supply Chain Attacks Are Growing Fast
The Megalodon campaign highlights how attackers are increasingly targeting software supply chains instead of individual users. By abusing trusted platforms like GitHub, threat actors can quietly spread malware through open source projects that developers already trust.
Researchers warned that these attacks are becoming more automated and harder to detect. Attackers continuously upload new malicious repositories, making removal efforts difficult.
Organizations are now being urged to adopt stricter zero trust security practices for software development. Experts recommend verifying repository authenticity, using sandbox testing environments, enabling multi factor authentication, and carefully reviewing all CI/CD workflow changes before merging them.
SQ Magazine Takeaway
I think this attack should be a wake up call for every developer and company relying heavily on open source tools. GitHub workflows and automation systems are supposed to save time, but attackers are now turning those exact systems into malware delivery mechanisms. The scary part is how normal these fake commits looked. Most developers would probably merge them without a second thought. This is no longer just about downloading suspicious software. Even trusted repositories and automated build systems are becoming attack surfaces.