Megalodon campaign poisons more than 5,500 GitHub repositories to steal CI/CD and cloud credentials

A new automated attack dubbed Megalodon pushed malicious commits to more than 5,500 GitHub repositories, putting developers and organizations that merge those changes at risk of credential theft. Researchers say the malware runs in continuous integration and continuous delivery (CI/CD) pipelines after a poisoned commit is merged, then steals GitHub, Bitbucket, AWS, Google Cloud, Azure, SSH, Docker, Kubernetes, Vault, and Terraform secrets and can spread further. SafeDep also linked backdoored Tiledesk npm releases 2.18.6 through 2.18.12 to a compromised GitHub repository rather than to a stolen npm account.
Why it matters: This can turn a routine code merge into a cloud-account and source-code compromise, especially for organizations that automatically build code from GitHub. Repo maintainers and security teams should review recent pull requests and commits, block suspicious automation, rotate CI/CD and cloud secrets, and check whether affected packages or repositories were used.
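As a starting point for the "review recent commits and block suspicious automation" step above, the following audit script is an added example written for this summary; it is not code from SafeDep or from either cited article. It scans GitHub Actions workflow files with a regex-based heuristic (no YAML library, which is an assumption to keep it dependency-free) and flags any workflow that both exposes a manual workflow_dispatch trigger, the pattern the reports associate with dormant backdoors, and references secrets whose names suggest the credential types named in the campaign. The sample workflow text is constructed for the demonstration, not taken from any affected repository.

```python
import os
import re
from typing import Dict, List

# Constructed sample (not from any real repository): a manually triggerable job
# that reads cloud and SCM credentials, which is the shape this audit flags.
SAMPLE_WORKFLOW = """\
name: build
on:
  push:
    branches: [main]
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/build.sh
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

# Constructed benign sample: push-only trigger, one non-credential secret.
BENIGN_WORKFLOW = """\
name: lint
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: echo "${{ secrets.SLACK_WEBHOOK }}" > /dev/null
"""

# Matches `${{ secrets.NAME }}` expressions anywhere in the file.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")

# Substrings that mark a secret as one of the credential families the
# campaign reportedly harvests (GitHub, Bitbucket, AWS, GCP, Azure, SSH,
# Docker, Kubernetes, Vault, Terraform). Heuristic only; tune per org.
CREDENTIAL_HINTS = ("GITHUB", "GH_", "BITBUCKET", "AWS", "GCP", "GOOGLE",
                    "AZURE", "SSH", "DOCKER", "KUBE", "VAULT", "TERRAFORM", "TF_")


def triggers_block(text: str) -> str:
    """Return the raw text of the top-level `on:` mapping (inline or indented)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if re.match(r"^on:", line):
            block = [line]
            for nxt in lines[i + 1:]:
                # Children of `on:` are indented; the next top-level key ends the block.
                if nxt.strip() == "" or nxt.startswith((" ", "\t")):
                    block.append(nxt)
                else:
                    break
            return "\n".join(block)
    return ""


def audit_workflow(text: str) -> Dict[str, object]:
    """Classify one workflow file by trigger type and credential exposure."""
    manual = "workflow_dispatch" in triggers_block(text)
    secrets: List[str] = sorted(set(SECRET_REF.findall(text)))
    credential_secrets = [s for s in secrets
                          if any(h in s.upper() for h in CREDENTIAL_HINTS)]
    return {
        "manual_trigger": manual,
        "secrets": secrets,
        "credential_secrets": credential_secrets,
        # A dormant, manually fired job with access to cloud/SCM credentials
        # is what the reports describe; flag it for human review.
        "suspicious": manual and bool(credential_secrets),
    }


def audit_directory(root: str = ".github/workflows") -> Dict[str, Dict[str, object]]:
    """Audit every .yml/.yaml file under a workflows directory."""
    results = {}
    if not os.path.isdir(root):
        return results
    for name in sorted(os.listdir(root)):
        if name.endswith((".yml", ".yaml")):
            with open(os.path.join(root, name), encoding="utf-8") as fh:
                results[name] = audit_workflow(fh.read())
    return results


if __name__ == "__main__":
    for label, wf in (("sample", SAMPLE_WORKFLOW), ("benign", BENIGN_WORKFLOW)):
        print(label, audit_workflow(wf))
    for fname, verdict in audit_directory().items():
        if verdict["suspicious"]:
            print("REVIEW:", fname, verdict["credential_secrets"])
```

Run it from a repository root to list workflows worth a manual look; a hit is a review prompt, not proof of compromise, and the same workflow should be compared against its `git log` history for the attack window reported in the sources.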

Sources

Over 5,500 GitHub Repositories Infected in ‘Megalodon’ Supply Chain Attack
Ionut Arghire 2026.05.25 98% relevant
This article is a direct report on the same Megalodon event, adding specifics on the attack window (May 18 over six hours), the 5,718 malicious commits across 5,561 repositories, the use of GitHub Actions workflows including workflow_dispatch for dormant backdoors, and the link to compromised Tiledesk npm package releases published from poisoned source code.
Megalodon chums the waters in 5.5K+ GitHub repo poisonings
2026.05.22 100% relevant
The article establishes a distinct new supply-chain campaign, separate from the tracked TeamPCP and Mini Shai-Hulud incidents, with a different actor, larger scope, and specific poisoned GitHub repos and Tiledesk package versions.