Supply-Chain Attack Leverages Malicious GitHub Actions Workflow to Steal Sensitive Data
On May 25, 2026, a concerning security incident came to light regarding a massive automated campaign that has compromised more than 5,000 GitHub repositories. This malicious campaign, dubbed "Megalodon," has sparked alarm in the cybersecurity community due to its sophisticated techniques for stealing sensitive information through fake push requests.
The nature of the Megalodon campaign involves the use of throwaway accounts and forged author identities, such as build-bot, auto-ci, ci-bot, and pipeline-bot. These identities enabled the attacker to inject malicious GitHub Actions workflows that contained base64-encoded bash payloads into the targeted repositories. The cybersecurity startup SafeDep highlighted the alarming rise of supply-chain attacks targeting open-source JavaScript and Python software repositories. They revealed in a recent alert that the attack, while distinct, parallels an earlier incident in which approximately 3,800 internal repositories belonging to Microsoft’s GitHub were breached due to a compromised Visual Studio code extension. This earlier breach was attributed to TeamPCP, a notorious group known for its supply-chain hacking activities.
Significantly, the Megalodon campaign does not appear to have resulted in the theft of entire repositories; rather, its main objective was to deploy a payload inside the repositories that targeted vital continuous integration (CI) environment secrets. These included sensitive data such as cloud service credentials, SSH keys, and tokens associated with the OpenID Connect federation, along with other secrets that inadvertently made their way into the source code. Notably, the attack did not modify any existing application code; instead, it stealthily introduced a malicious workflow file for GitHub Actions. This platform, owned by Microsoft, supports modern development practices for continuous integration and delivery, enabling developers to automatically build, test, and deploy their software.
According to SafeDep, this particular type of attack could easily bypass code reviews, as very few developers scrutinize workflow files in Node Package Manager (npm) packages. In a period stretching just six hours, the Megalodon campaign executed an astounding 5,718 malicious commits across 5,561 GitHub repositories. The mechanism of execution came into play once the owners of these repositories merged the malicious commits, which allowed the embedded malware to operate within their CI/CD pipelines and extend its reach even further.
The attackers employed two distinct types of payloads during the operation. The first, referred to as the "mass variant" named SysDiag, was designed to introduce a new workflow that would be triggered with every push and pull request, ensuring maximum automated execution. The second, known as the "targeted variant" named Optimize-Build, replaced existing workflows with dormant backdoors, known as workflow_dispatch, allowing the attacker to selectively activate these points of entry on demand through the GitHub API.
SafeDep has published comprehensive lists of the affected repositories and indicators of compromise. These indicators included connections to a hardcoded command-and-control (C2) server that features a query string containing the term "megalodon," which likely assists the attacker in tracking this particular campaign’s effectiveness. In assessing the impact of the payload, it was discovered that it intercepted sensitive data, truncated it into segments of five megabytes, and transmitted these chunks to the C2 server with random delays designed to evade detection.
Integral to the discovery of this campaign was an exploration of the GitHub repository for Tiledesk—a legitimate open-source live chat and chatbot platform—where researchers located a payload embedded in a GitHub Actions workflow file. Multiple versions of Tiledesk from 2.18.6 to 2.18.12 were noted to contain this backdoor, all published by a legitimate maintainer’s account, further complicating the issue of identity validation.
Essentially, the attacker did not directly compromise the npm account. Instead, they infiltrated the GitHub repository, and the maintainer unknowingly published the code originating from a poisoned source. Investigations indicated that the attacker likely utilized a compromised GitHub personal access token or deploy key, as the malicious commit was traced back to an email address, namely build-bot (build-system@noreply.dev). This email had sent messages suggesting innocuous changes like "ci: add build optimization step," misleadingly masquerading as a legitimate contributor.
Ultimately, the Megalodon campaign affected a varied array of repositories, including multiple Tiledesk instances, eight from the Black-Iron-Project, and additional links to the WISE Community, along with hundreds of smaller repositories. Cybersecurity experts caution that any repository affected by this attack should urgently revert the malicious commits, audit workflow files meticulously, rotate any available secrets, and conduct thorough audits of cloud logs for any unusual requests tied to unknown workflows.
Ox Security has pointed out that this type of cyberattack signifies a troubling trend whereby "simple security loopholes and human errors" facilitate the large-scale spread of malicious code. They noted the necessity for platform providers to take more rigorous measures to intercept such harmful activities effectively. The ongoing campaigns executed by TeamPCP, known for targeting prominent JavaScript and Python repositories with their wormable malware, further emphasize the urgent need for enhanced security protocols.
"In our current digital landscape, we have entered a new era of supply-chain attacks," Ox Security warned, suggesting that the incident connected to GitHub is just the tip of the iceberg, heralding what might be an ongoing wave of cyberattacks targeting developers worldwide.