Analysis
Megalodon is an automated supply chain campaign that pushed 5,718 malicious commits to over 5,500 GitHub repositories in a six-hour window (approximately 11:36 to 17:48 UTC on May 18, 2026), at a rate of roughly 15 repositories per minute. First reported by SafeDep, the campaign used compromised personal access tokens (PATs) or deploy keys to push GitHub Actions workflows containing base64-encoded bash payloads that harvest CI secrets, cloud credentials, OIDC tokens, SSH keys, and source code secrets, then exfiltrate everything to 216.126.225[.]129:8443.
The Tiledesk project was a downstream victim: commit acac5a9 replaced a Docker build workflow in the tiledesk-server repository via the targeted Optimize-Build variant, and the legitimate maintainer subsequently published @tiledesk/tiledesk-server versions 2.18.6 through 2.18.12 to npm from the poisoned source without realizing it.
Megalodon is a distinct campaign from TeamPCP/Mini Shai-Hulud. The C2 infrastructure, payload mechanism, and attribution markers are different. This is a separate actor — or at minimum a separate operation — using GitHub-native delivery rather than package-registry compromise.
Two payload variants
Both variants request `id-token: write`, `actions: read`, and `contents: read` permissions, and execute a `set +e; echo "..." | base64 -d | bash` one-liner. The `id-token: write` permission is what lets the payload mint the GitHub Actions OIDC token listed under credential harvesting below, and `set +e` switches off the exit-on-error behaviour of the default `bash -e` step shell so that one failed collection step does not abort the rest.
- Mass variant (SysDiag): adds a new workflow at `.github/workflows/ci.yml` named `SysDiag`. It triggers on `push` across all branches and on `pull_request_target`. The latter is the dangerous part: `pull_request_target` runs the workflow definition from the base branch, where the attacker planted it, with the base repository's secrets available, so a pull request from any fork re-executes the payload. This variant accounts for the bulk of the 5,718 commits.
- Targeted variant (Optimize-Build): replaces an existing workflow file, renaming it to `Optimize-Build` with a `workflow_dispatch` trigger. This leaves a dormant backdoor the attacker can invoke on demand through the GitHub API. Used against Tiledesk.
Credential harvesting scope
The decoded payload performs comprehensive collection from every CI runner that executes it:
- All CI environment variables, `/proc/*/environ`, and the PID 1 environment
- AWS per-profile access keys and session tokens via the `aws` CLI, plus IMDSv2 instance role credentials
- GCP access tokens via `gcloud auth print-access-token` and GCP metadata service queries
- Azure IMDS endpoint queries for instance role credentials
- The GitHub Actions OIDC token request URL and request token (`ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN`) and the resulting OIDC token, which any cloud provider trusting the repository's workflow identity will exchange for credentials, so the attacker impersonates the pipeline without needing long-lived keys
- `GITHUB_TOKEN`, GitLab CI/CD tokens, and Bitbucket tokens
- SSH private keys, Docker auth configs, `.npmrc`, `.netrc`, Kubernetes configs, Vault tokens, Terraform credentials, shell history
- Regex-based grep scan of source code for 30+ secret patterns (API keys, database connection strings, JWTs, PEM private keys)
- `.env` files, `credentials.json`, `service-account.json`, and other configuration files across the workspace and common server paths
Forged identity tradecraft
The attacker rotated through four forged author names (build-bot, auto-ci, ci-bot, pipeline-bot) with two generic email addresses, using `git config` to set the author identity before pushing. Git author and committer fields are self-asserted and carry no authentication; only a commit signature binds a commit to a key, so an unsigned "bot" commit proves nothing about who produced it. Commit messages were chosen to mimic routine CI maintenance: `ci: add build optimization step`, `chore: optimize pipeline runtime`, `fix: correct build workflow`. The six-hour window and 15-repos-per-minute rate indicate full automation, with no human in the loop per repository.
Downstream npm impact: @tiledesk/tiledesk-server
The targeted Optimize-Build variant replaced a Docker build workflow in the tiledesk-server repository (commit acac5a9). The legitimate Tiledesk maintainer then published seven npm versions (2.18.6 through 2.18.12) from the poisoned source. Any application depending on @tiledesk/tiledesk-server that updated within that window installed a version built from a backdoored repository. The CI workflow would have executed the credential-harvesting payload during the build process, meaning Tiledesk's own CI secrets were likely exfiltrated before the poisoned package reached npm consumers.
Pin to @tiledesk/tiledesk-server@2.18.5 or earlier, as an exact version rather than a caret range such as ^2.18.0 that a fresh install can still resolve to 2.18.6 through 2.18.12, until the Tiledesk team confirms a clean release. Check existing lockfiles for copies already resolved into the affected range, including nested copies under other packages.
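To check a consumer's dependency tree for the affected range, the following Python script (an added example, not Tiledesk's or SafeDep's code) walks an npm package-lock.json in lockfileVersion 1, 2 or 3 form and reports every resolved copy of @tiledesk/tiledesk-server between 2.18.6 and 2.18.12, including nested copies under other packages. The version bounds are the ones given above; the embedded lockfile is constructed sample input, and the 2.18.5 copy in it is there to show that only the poisoned range is flagged.

```python
"""Flag @tiledesk/tiledesk-server installs in the poisoned 2.18.6-2.18.12 range.

Added example, not Tiledesk's or SafeDep's code. Reads an npm package-lock.json
(lockfileVersion 1, 2 or 3) and reports every resolved copy of the package whose
version falls inside the affected range. The bounds come from the advisory; the
SAMPLE_LOCK below is constructed input.
"""
import json
import re
import sys

PACKAGE = "@tiledesk/tiledesk-server"
FIRST_BAD = (2, 18, 6)
LAST_BAD = (2, 18, 12)
SAFE_PIN = "2.18.5"


def parse_version(version):
    """Numeric (major, minor, patch) of a version string; a prerelease or build
    suffix is ignored, so '2.18.7-beta.1' compares as 2.18.7."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_poisoned(version):
    """True when version lies in the range published from the backdoored tree."""
    return FIRST_BAD <= parse_version(version) <= LAST_BAD


def iter_installed(lock):
    """Yield (install_path, package_name, version) for every installed entry.
    lockfileVersion 2/3 keep a flat 'packages' map keyed by install path;
    lockfileVersion 1 nests entries under 'dependencies'."""
    if "packages" in lock:
        for path, entry in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            # scoped names survive the split: .../node_modules/@scope/name
            name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield path, name, entry.get("version", "")
        return

    def walk(deps, prefix):
        for name, entry in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield path, name, entry.get("version", "")
            yield from walk(entry.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_poisoned(lock):
    """Return [(install_path, version)] for each poisoned copy of PACKAGE."""
    hits = []
    for path, name, version in iter_installed(lock):
        if name == PACKAGE and version and is_poisoned(version):
            hits.append((path, version))
    return hits


# Constructed sample: one top-level poisoned copy, one nested copy on 2.18.5.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/@tiledesk/tiledesk-server": {"version": "2.18.9"},
    "node_modules/legacy-plugin": {"version": "0.3.0"},
    "node_modules/legacy-plugin/node_modules/@tiledesk/tiledesk-server": {"version": "2.18.5"},
    "node_modules/express": {"version": "4.19.2"}
  }
}
""")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    hits = find_poisoned(lock)
    for path, version in hits:
        print(f"POISONED {PACKAGE}@{version} at {path}; pin to {SAFE_PIN} or earlier")
    sys.exit(1 if hits else 0)
```

Run it as `python check_tiledesk.py package-lock.json` in CI and the non-zero exit fails the build while a poisoned copy remains; without an argument it runs against the constructed sample. The check is deliberately exact-version based, because a range in package.json says nothing about what the lockfile actually resolved.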
Detection
- Search repositories for commits authored by `build-system@noreply.dev` or `ci-bot@automated.dev`. Both email addresses are exclusively associated with Megalodon activity.
- Inspect `.github/workflows/` for workflows named `SysDiag` or `Optimize-Build`. Neither name has legitimate standing in most codebases.
- Audit `.github/workflows/` for any workflow containing `base64 -d | bash`, and also match the `base64 --decode` and `base64 -D` spellings and pipes into `sh`. A base64-decoded shell pipe has no legitimate place in a CI workflow.
- Review git logs for commits from `build-bot`, `auto-ci`, `ci-bot`, or `pipeline-bot`, and for the disguise messages `ci: add build optimization step`, `chore: optimize pipeline runtime`, and `fix: correct build workflow`.
- Look for connections to `216.126.225[.]129` on port 8443 in egress, proxy, or self-hosted runner network logs. GitHub's audit log does not record runner network traffic; what it and the Actions run history do show is who triggered a `workflow_dispatch` run of `Optimize-Build`, and when.
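The following Python scanner, an added example and not SafeDep's or any affected project's code, turns the indicators from the two payload variants and the detection list above into runnable checks. It inspects one workflow file for the `SysDiag`/`Optimize-Build` names, a base64-to-shell pipe (decoding the blob for review rather than executing it), a `pull_request_target` trigger and `id-token: write`, and it parses `git log` output for the forged author names, emails and commit messages. The sample workflow and log lines are constructed; the base64 blob in the sample decodes to a harmless `echo placeholder` and is not the real payload.

```python
"""Scan GitHub Actions workflows and git history for Megalodon indicators.

Added example, not SafeDep's or any affected project's code. Indicator values are
those reported in the advisory; SAMPLE_WORKFLOW and SAMPLE_LOG are constructed.
The base64 blob is decoded for review only and never executed.
"""
import base64
import binascii
import re

MALICIOUS_NAMES = {"SysDiag", "Optimize-Build"}
FORGED_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
FORGED_EMAILS = {"build-system@noreply.dev", "ci-bot@automated.dev"}
FORGED_MESSAGES = {
    "ci: add build optimization step",
    "chore: optimize pipeline runtime",
    "fix: correct build workflow",
}
# echo "<b64>" | base64 -d | bash, also tolerating --decode, -D (macOS) and plain sh
B64_PIPE = re.compile(
    r"""echo\s+["']?([A-Za-z0-9+/=]{8,})["']?\s*\|\s*base64\s+(?:--decode|-d|-D)\s*\|\s*(?:ba)?sh"""
)


def decode_payload(blob):
    """Decode the base64 argument so an analyst can read it; None if not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def scan_workflow(text):
    """Return [(indicator, detail)] findings for the text of one workflow file."""
    findings = []
    m = re.search(r"""^name:\s*["']?([^"'\n]+)""", text, re.M)
    if m and m.group(1).strip() in MALICIOUS_NAMES:
        findings.append(("malicious_workflow_name", m.group(1).strip()))
    for blob in B64_PIPE.findall(text):
        decoded = decode_payload(blob)
        findings.append(("base64_pipe_to_shell", decoded if decoded is not None else blob))
    # Context indicators: legitimate in many repos, so they are reported, not judged.
    if re.search(r"\bpull_request_target\b", text):
        findings.append(("pull_request_target_trigger", "base-repo secrets exposed to fork PRs"))
    if re.search(r"^\s*id-token\s*:\s*write\b", text, re.M):
        findings.append(("id_token_write", "workflow can mint an OIDC token"))
    return findings


def find_forged_commits(log_text):
    """Parse `git log --format='%H%x09%an%x09%ae%x09%s'` output and return
    [(sha, reason)] for commits carrying a forged identity or a disguise message."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, name, email, subject = line.split("\t", 3)
        reasons = []
        if name in FORGED_AUTHORS:
            reasons.append(f"author name {name}")
        if email in FORGED_EMAILS:
            reasons.append(f"author email {email}")
        if subject.strip() in FORGED_MESSAGES:
            reasons.append(f"commit message {subject.strip()!r}")
        if reasons:
            hits.append((sha, "; ".join(reasons)))
    return hits


# Constructed sample shaped like the mass variant; the blob decodes to
# "echo placeholder", not the real payload.
SAMPLE_WORKFLOW = """\
name: SysDiag
on:
  push:
    branches: ['**']
  pull_request_target:
permissions:
  id-token: write
  actions: read
  contents: read
jobs:
  diag:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: set +e; echo "ZWNobyBwbGFjZWhvbGRlcg==" | base64 -d | bash
"""

BENIGN_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: npm ci && npm test
"""

# Constructed git log lines: one real developer, two forged-identity commits.
SAMPLE_LOG = "\n".join([
    "1111111\tJane Dev\tjane@example.com\tfeat: add webhook retries",
    "2222222\tbuild-bot\tbuild-system@noreply.dev\tci: add build optimization step",
    "3333333\tpipeline-bot\tci-bot@automated.dev\tfix: correct build workflow",
])

if __name__ == "__main__":
    for indicator, detail in scan_workflow(SAMPLE_WORKFLOW):
        print("WORKFLOW", indicator, detail)
    for sha, why in find_forged_commits(SAMPLE_LOG):
        print("COMMIT", sha, why)
```

Feed `scan_workflow` the contents of each file under `.github/workflows/` and `find_forged_commits` the output of `git log --all --format='%H%x09%an%x09%ae%x09%s'` (the `--all` matters, since the Tiledesk commit is described as orphaned and may no longer sit on a branch). The name and base64 findings are the ones to act on; `pull_request_target` and `id-token: write` are reported as context because many legitimate workflows use them, but either one next to a decoded shell pipe is what turns a stolen token into cloud access.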
Indicators of compromise
C2 endpoint (defanged): 216.126.225[.]129:8443
Forged author emails: build-system@noreply.dev, ci-bot@automated.dev
Forged author names: build-bot, auto-ci, ci-bot, pipeline-bot
Malicious workflow names: SysDiag (mass variant), Optimize-Build (targeted variant)
Mass variant workflow path: .github/workflows/ci.yml, triggers on push (all branches) and pull_request_target
Tiledesk orphan commit: acac5a9
Compromised npm package: @tiledesk/tiledesk-server versions 2.18.6–2.18.12 (pin to 2.18.5 or earlier)
Campaign identifier string: megalodon
Criminal-market signal
No dark-web presence for Megalodon tooling, infrastructure, or the 216.126.225[.]129 C2 IP has been observed. The automated, high-volume pattern (5,500+ repos in six hours) is more consistent with operator-run credential collection than commodity marketplace activity. The absence of a public claim — unlike TeamPCP's self-attribution via @pcpcats and Tor-linked disclosures — leaves attribution confidence at the infrastructure level only. H2 (operator-run, no commodity market) is the most probable hypothesis pending further analysis.