Automated GitHub Supply Chain Attack Hits Thousands of Repositories in a Day

Security researchers uncovered a massive automated attack that injected malicious CI/CD backdoors into thousands of GitHub repositories by abusing GitHub Actions workflows.

CSBadmin

Attack Overview and Speed

On May 18, 2026, a large-scale automated supply chain attack known as Megalodon targeted GitHub, compromising over 5,500 repositories in less than six hours. Security researchers at SafeDep identified the campaign between 11:36 and 17:48 UTC on that day, during which 5,718 malicious commits were pushed to 5,561 repositories. The attackers used throwaway accounts with randomized eight-character usernames and forged author identities such as build-bot and ci-bot to mimic routine automated CI maintenance. Commit messages like “ci: add build optimization step” were carefully crafted to pass casual code review.

Malicious Payload Variants

The campaign deployed two distinct GitHub Actions workflow variants. The SysDiag (mass) variant added a new workflow file that triggered on every push and pull request, ensuring automatic execution on any branch. The Optimize Build (targeted) variant replaced existing workflows with a manually triggered backdoor that the attacker could activate silently via the GitHub API, producing no visible CI runs or failed builds. Both variants requested elevated permissions for OIDC token theft, enabling cloud identity impersonation.

The base64-encoded bash payload, spanning 111 lines, performed aggressive multi-phase credential harvesting. It extracted CI environment variables, AWS and GCP credentials, live cloud metadata service credentials, SSH private keys, and Docker auth configurations, and it scanned source code against over 30 regex patterns for API keys, JWTs, database connection strings, and cloud tokens. The attack’s most significant downstream impact targeted Tiledesk, an open source live chat platform, whose GitHub repository was compromised.
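The traits described above (a workflow that decodes a base64 literal into a shell, an id-token: write permission for OIDC, a push/pull_request or workflow_dispatch trigger, and commits from forged bot identities) are concrete enough to triage against. The following is an added example, not code from the article or from SafeDep: a hypothetical regex-based audit helper that rates workflow files and commit metadata by those indicators. The sample workflows and the base64 string inside them are constructed for the demo (the string decodes to a harmless echo), and the regexes are the author's own heuristics, not a published ruleset.

```python
import re
from dataclasses import dataclass, field

# Hypothetical triage helper (not SafeDep's tooling). It scans raw workflow
# YAML text for the traits the article attributes to the Megalodon variants
# and rates commit metadata that mimics routine CI maintenance.
SUSPICIOUS_AUTHORS = {"build-bot", "ci-bot"}  # forged identities named in the report


@dataclass
class Finding:
    path: str
    tags: set = field(default_factory=set)
    reasons: list = field(default_factory=list)

    def add(self, tag: str, why: str) -> None:
        self.tags.add(tag)
        self.reasons.append(why)


def audit_workflow(path: str, text: str) -> Finding:
    """Return the indicators found in one workflow file (regex heuristics)."""
    f = Finding(path)
    # A base64 blob decoded straight into a shell is the payload-delivery trait.
    if re.search(r"base64\s+(-d|--decode)\b[^\n]*\|\s*(ba)?sh\b", text):
        f.add("base64_to_shell", "decodes a base64 literal and pipes it into a shell")
    # id-token: write lets the job mint an OIDC token usable for cloud impersonation.
    if re.search(r"^\s*id-token:\s*write\b", text, re.M):
        f.add("id_token_write", "requests id-token: write (OIDC token can be minted)")
    # Mass variant: runs on every push / pull request on any branch.
    if re.search(r"^\s*on:\s*\[[^\]]*\b(push|pull_request)\b", text, re.M) or \
       re.search(r"^\s*(push|pull_request)\s*:", text, re.M):
        f.add("push_trigger", "triggers on push and/or pull_request")
    # Targeted variant: manual trigger, activatable through the API with no visible CI run.
    if re.search(r"\bworkflow_dispatch\b", text):
        f.add("workflow_dispatch", "manually triggerable via workflow_dispatch")
    return f


def risk_level(f: Finding) -> str:
    """Collapse indicators into a triage level; payload delivery alone is decisive."""
    if "base64_to_shell" in f.tags:
        return "high"
    # id-token: write is legitimate for OIDC deploys, so it only raises the level
    # when paired with a trigger that runs or can be fired without review.
    if "id_token_write" in f.tags and ({"push_trigger", "workflow_dispatch"} & f.tags):
        return "medium"
    return "low"


def suspicious_commit(author: str, subject: str) -> bool:
    """Heuristic: a 'ci:' subject from a forged bot identity deserves review."""
    return author.strip().lower() in SUSPICIOUS_AUTHORS and subject.lower().startswith("ci:")


def audit_all(workflows: dict) -> dict:
    """Map workflow path -> risk level for a set of files (path -> YAML text)."""
    return {p: risk_level(audit_workflow(p, t)) for p, t in workflows.items()}


# Constructed sample workflows (not the real malicious files).
BENIGN_WORKFLOW = """name: tests
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pytest
"""

MASS_WORKFLOW = """name: sysdiag
on: [push, pull_request]
permissions:
  id-token: write
  contents: read
jobs:
  diag:
    runs-on: ubuntu-latest
    steps:
      - run: echo "ZWNobyBjb25zdHJ1Y3RlZCBzYW1wbGU=" | base64 -d | bash
"""

TARGETED_WORKFLOW = """name: build
on:
  workflow_dispatch:
permissions:
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "ZWNobyBjb25zdHJ1Y3RlZCBzYW1wbGU=" | base64 --decode | sh
"""

SAMPLES = {"benign.yml": BENIGN_WORKFLOW, "sysdiag.yml": MASS_WORKFLOW, "build.yml": TARGETED_WORKFLOW}

if __name__ == "__main__":
    for path, level in audit_all(SAMPLES).items():
        print(path, level, audit_workflow(path, SAMPLES[path]).reasons)
    print(suspicious_commit("ci-bot", "ci: add build optimization step"))
```

Run it over a checkout's .github/workflows directory by reading each file into the dict; a "high" result means a step decodes and executes an embedded blob, which is never how a normal build step is written, while "medium" flags OIDC-capable workflows whose trigger should be reviewed rather than blocked outright.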

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.
