Feed
CriticalPublished 18 May 2026Updated 4 Jun 202610 packages · 7 versions

Megalodon: automated CI/CD workflow injection backdoors 5,561 GitHub repos, propagates to @tiledesk/tiledesk-server on npm

Summary

On 2026-05-18 an automated campaign nicknamed Megalodon pushed 5,718 commits to 5,561 public GitHub repos in six hours, injecting GitHub Actions workflows that exfiltrate CI secrets to 216.126.225.129:8443. The legitimate Tiledesk maintainer then released @tiledesk/tiledesk-server 2.18.6–2.18.12 from the poisoned source — propagating the backdoor to every downstream npm install.

ci-cd-compromisecredential-theftmaintainer-takeoverobfuscationaccount-takeover
Threat actor
TeamPCP (tentative)
Detected by
SafeDep · StepSecurity · GitGuardian
Also known as
Megalodon · SysDiag · Optimize-Build
Ecosystems
GitHub Actionsnpm
Packages tracked
10

What happened

Between 11:36 UTC and 17:48 UTC on 2026-05-18, an automated attacker codenamed Megalodon (SafeDep, 2026-05-22) pushed 5,718 malicious commits to 5,561 distinct public GitHub repositories inside a six-hour window. Each commit added or replaced a GitHub Actions workflow file containing a base64-encoded bash payload; the payload runs on the next CI execution and exfiltrates CI secrets, cloud credentials, SSH keys, OIDC tokens, and source-code secrets to a single C2 endpoint at 216.126.225.129:8443.

Two variants

The campaign deployed two distinct workflow patterns. SysDiag is the mass variant: it adds a new workflow that triggers on every push and pull_request, maximizing the chance of automatic execution the moment the affected repo runs CI again. Optimize-Build is the targeted variant: it overwrites an existing legitimate workflow with a workflow_dispatch trigger, creating a dormant backdoor the attacker can fire on demand through the GitHub API. The targeted variant is what hit Tiledesk.

The attacker authored each commit with one of four forged identities — build-bot, auto-ci, ci-bot, pipeline-bot — committed from randomized 8-character throwaway GitHub accounts, so the commits look like routine CI automation in a glance at the repository commit graph.

Tiledesk: from GitHub backdoor to npm tarball

The most consequential downstream effect of Megalodon was at Tiledesk, the open-source AI agent platform. On 2026-05-18 the Optimize-Build payload landed in nine Tiledesk repos: tiledesk-server, tiledesk-dashboard, tiledesk-telegram-connector, tiledesk-llm, tiledesk-docker-proxy, tiledesk-community-app, tiledesk-campaign-dashboard, tiledesk-helpcenter-template, and tiledesk-ai. The Tiledesk maintainer (npm user eljohnny) — unaware of the compromise — then released @tiledesk/tiledesk-server 2.18.6 on 2026-05-19, followed by 2.18.7, 2.18.8, 2.18.9, 2.18.10, 2.18.11, and finally 2.18.12 on 2026-05-21, all built from the poisoned source. The published npm tarball includes the malicious .github/workflows/docker-community-worker-push-latest.yml, so any consumer that runs CI against the package source ends up executing the backdoor.

Diffing 2.18.12 against the clean 2.18.5 shows exactly one changed file — the workflow yml. The npm publishing account itself was never compromised; this is the same trust-chain failure that hit the SAP @cap-js and Red Hat / Miasma campaigns earlier in 2026 — the source repository, not the publish token, is the weak link.

Attribution

SafeDep and Help Net Security tentatively link Megalodon to TeamPCP, the same threat actor responsible for the 2026-05-11 TanStack burst (@tanstack/*, @uipath/*, @mistralai/*), the 2026-06-01 Miasma compromise of @redhat-cloud-services, the March 2026 LiteLLM PyPI compromise, and the March 2026 Trivy / Checkmarx KICS GitHub Action cascade. The Mini Shai-Hulud–style mass automation, the build-bot-style forged identities, and the focus on CI/CD trust-chain abuse all fit the TeamPCP TTP profile, though SafeDep emphasises attribution remains "tentative" pending IOC overlap with prior campaigns.

What you can hunt for

  • Workflow yml files added or modified on 2026-05-18 between 11:36 and 17:48 UTC, especially ones containing a long base64-encoded bash command
  • Outbound HTTPS connections from any runner to 216.126.225.129:8443
  • Commits authored by build-bot, auto-ci, ci-bot, or pipeline-bot after 2026-05-17
  • New GitHub user accounts with randomized 8-character usernames added as collaborators or who pushed to forks

Affected packages (10)

  • npm@tiledesk/tiledesk-server
    2.18.62.18.72.18.82.18.92.18.102.18.112.18.12
  • GitHub Actionstiledesk/tiledesk-ai
  • GitHub Actionstiledesk/tiledesk-campaign-dashboard
  • GitHub Actionstiledesk/tiledesk-community-app
  • GitHub Actionstiledesk/tiledesk-dashboard
  • GitHub Actionstiledesk/tiledesk-docker-proxy
  • GitHub Actionstiledesk/tiledesk-helpcenter-template
  • GitHub Actionstiledesk/tiledesk-llm
  • GitHub Actionstiledesk/tiledesk-server
  • GitHub Actionstiledesk/tiledesk-telegram-connector

Impact

  • Mass GitHub Actions workflow injection across 5,561 public repositories — every push and pull_request triggers the malicious SysDiag workflow on the next CI run
  • Targeted Optimize-Build variant replaces existing workflows with workflow_dispatch triggers, creating dormant backdoors the attacker can fire on demand via the GitHub API
  • Exfiltrates CI secrets, AWS / GCP / Azure cloud credentials, SSH keys, GitHub Actions OIDC tokens, GITHUB_TOKEN, and any source-code secrets reachable from the runner
  • C2 endpoint is a single attacker-controlled IP: 216.126.225.129:8443 — encrypted base64-encoded bash payloads POST exfil envelopes there
  • @tiledesk/tiledesk-server 2.18.6 through 2.18.12 carries the workflow in the published npm tarball — anyone who installed those versions exposed their CI environment
  • Forged author identities build-bot, auto-ci, ci-bot, pipeline-bot and randomized 8-character throwaway GitHub accounts make the commits look like routine bot activity
  • Eight other Tiledesk repos were also poisoned (tiledesk-dashboard, tiledesk-telegram-connector, tiledesk-llm, tiledesk-docker-proxy, tiledesk-community-app, tiledesk-campaign-dashboard, tiledesk-helpcenter-template, tiledesk-ai) — even if a downstream consumer does not use the npm package they may pull from one of those source trees

What to do

  1. 1Audit .github/workflows/ in every repo for any unexpected workflow file added on 2026-05-18 between 11:36 and 17:48 UTC — especially files named sysdiag.yml, optimize-build.yml, or any workflow containing a base64-encoded bash payload
  2. 2Revert any malicious workflow commits and force-push the cleaned history; rotate any secret reachable from a runner that executed an affected workflow
  3. 3Pin @tiledesk/tiledesk-server to 2.18.5 or earlier, or to 2.18.13+ once a clean release is published; do not install 2.18.6, 2.18.7, 2.18.8, 2.18.9, 2.18.10, 2.18.11, or 2.18.12
  4. 4Block outbound network traffic to 216.126.225.129 and the entire /24 at egress; alert on any historical connection to that IP from build hosts
  5. 5Search GitHub Audit Log for commits authored by build-bot, auto-ci, ci-bot, or pipeline-bot since 2026-05-18, and for any new GitHub user with a randomized 8-character username added as a collaborator or who pushed to a fork
  6. 6Rotate every CI secret, cloud credential, SSH key, and OIDC token used by any build runner that executed an affected workflow — assume full credential exposure
  7. 7Search npm publish history for unexpected releases between 2026-05-18 and the date the relevant token was rotated — Tiledesk is the confirmed example but any maintainer who released from a poisoned repo carries the same risk

References

multi-2026-05-18-megalodon-tiledesk