Megalodon: automated CI/CD workflow injection backdoors 5,561 GitHub repos, propagates to @tiledesk/tiledesk-server on npm
On 2026-05-18 an automated campaign nicknamed Megalodon pushed 5,718 commits to 5,561 public GitHub repos in six hours, injecting GitHub Actions workflows that exfiltrate CI secrets to 216.126.225.129:8443. The legitimate Tiledesk maintainer then released @tiledesk/tiledesk-server 2.18.6–2.18.12 from the poisoned source — propagating the backdoor to every downstream npm install.
- Threat actor
- TeamPCP (tentative)
- Detected by
- SafeDep · StepSecurity · GitGuardian
- Also known as
- Megalodon · SysDiag · Optimize-Build
- Ecosystems
- GitHub Actionsnpm
- Packages tracked
- 10
What happened
Between 11:36 UTC and 17:48 UTC on 2026-05-18, an automated attacker codenamed Megalodon (SafeDep, 2026-05-22) pushed 5,718 malicious commits to 5,561 distinct public GitHub repositories inside a six-hour window. Each commit added or replaced a GitHub Actions workflow file containing a base64-encoded bash payload; the payload runs on the next CI execution and exfiltrates CI secrets, cloud credentials, SSH keys, OIDC tokens, and source-code secrets to a single C2 endpoint at 216.126.225.129:8443.
Two variants
The campaign deployed two distinct workflow patterns. SysDiag is the mass variant: it adds a new workflow that triggers on every push and pull_request, maximizing the chance of automatic execution the moment the affected repo runs CI again. Optimize-Build is the targeted variant: it overwrites an existing legitimate workflow with a workflow_dispatch trigger, creating a dormant backdoor the attacker can fire on demand through the GitHub API. The targeted variant is what hit Tiledesk.
The attacker authored each commit with one of four forged identities — build-bot, auto-ci, ci-bot, pipeline-bot — committed from randomized 8-character throwaway GitHub accounts, so the commits look like routine CI automation in a glance at the repository commit graph.
Tiledesk: from GitHub backdoor to npm tarball
The most consequential downstream effect of Megalodon was at Tiledesk, the open-source AI agent platform. On 2026-05-18 the Optimize-Build payload landed in nine Tiledesk repos: tiledesk-server, tiledesk-dashboard, tiledesk-telegram-connector, tiledesk-llm, tiledesk-docker-proxy, tiledesk-community-app, tiledesk-campaign-dashboard, tiledesk-helpcenter-template, and tiledesk-ai. The Tiledesk maintainer (npm user eljohnny) — unaware of the compromise — then released @tiledesk/tiledesk-server 2.18.6 on 2026-05-19, followed by 2.18.7, 2.18.8, 2.18.9, 2.18.10, 2.18.11, and finally 2.18.12 on 2026-05-21, all built from the poisoned source. The published npm tarball includes the malicious .github/workflows/docker-community-worker-push-latest.yml, so any consumer that runs CI against the package source ends up executing the backdoor.
Diffing 2.18.12 against the clean 2.18.5 shows exactly one changed file — the workflow yml. The npm publishing account itself was never compromised; this is the same trust-chain failure that hit the SAP @cap-js and Red Hat / Miasma campaigns earlier in 2026 — the source repository, not the publish token, is the weak link.
Attribution
SafeDep and Help Net Security tentatively link Megalodon to TeamPCP, the same threat actor responsible for the 2026-05-11 TanStack burst (@tanstack/*, @uipath/*, @mistralai/*), the 2026-06-01 Miasma compromise of @redhat-cloud-services, the March 2026 LiteLLM PyPI compromise, and the March 2026 Trivy / Checkmarx KICS GitHub Action cascade. The Mini Shai-Hulud–style mass automation, the build-bot-style forged identities, and the focus on CI/CD trust-chain abuse all fit the TeamPCP TTP profile, though SafeDep emphasises attribution remains "tentative" pending IOC overlap with prior campaigns.
What you can hunt for
- Workflow yml files added or modified on 2026-05-18 between 11:36 and 17:48 UTC, especially ones containing a long base64-encoded bash command
- Outbound HTTPS connections from any runner to
216.126.225.129:8443 - Commits authored by
build-bot,auto-ci,ci-bot, orpipeline-botafter 2026-05-17 - New GitHub user accounts with randomized 8-character usernames added as collaborators or who pushed to forks
Affected packages (10)
- npm
@tiledesk/tiledesk-server2.18.62.18.72.18.82.18.92.18.102.18.112.18.12 - GitHub Actions
tiledesk/tiledesk-ai - GitHub Actions
tiledesk/tiledesk-campaign-dashboard - GitHub Actions
tiledesk/tiledesk-community-app - GitHub Actions
tiledesk/tiledesk-dashboard - GitHub Actions
tiledesk/tiledesk-docker-proxy - GitHub Actions
tiledesk/tiledesk-helpcenter-template - GitHub Actions
tiledesk/tiledesk-llm - GitHub Actions
tiledesk/tiledesk-server - GitHub Actions
tiledesk/tiledesk-telegram-connector
Impact
- Mass GitHub Actions workflow injection across 5,561 public repositories — every
pushandpull_requesttriggers the maliciousSysDiagworkflow on the next CI run - Targeted
Optimize-Buildvariant replaces existing workflows withworkflow_dispatchtriggers, creating dormant backdoors the attacker can fire on demand via the GitHub API - Exfiltrates CI secrets, AWS / GCP / Azure cloud credentials, SSH keys, GitHub Actions OIDC tokens,
GITHUB_TOKEN, and any source-code secrets reachable from the runner - C2 endpoint is a single attacker-controlled IP:
216.126.225.129:8443— encrypted base64-encoded bash payloads POST exfil envelopes there @tiledesk/tiledesk-server2.18.6 through 2.18.12 carries the workflow in the published npm tarball — anyone who installed those versions exposed their CI environment- Forged author identities
build-bot,auto-ci,ci-bot,pipeline-botand randomized 8-character throwaway GitHub accounts make the commits look like routine bot activity - Eight other Tiledesk repos were also poisoned (
tiledesk-dashboard,tiledesk-telegram-connector,tiledesk-llm,tiledesk-docker-proxy,tiledesk-community-app,tiledesk-campaign-dashboard,tiledesk-helpcenter-template,tiledesk-ai) — even if a downstream consumer does not use the npm package they may pull from one of those source trees
What to do
- 1Audit
.github/workflows/in every repo for any unexpected workflow file added on 2026-05-18 between 11:36 and 17:48 UTC — especially files namedsysdiag.yml,optimize-build.yml, or any workflow containing a base64-encoded bash payload - 2Revert any malicious workflow commits and force-push the cleaned history; rotate any secret reachable from a runner that executed an affected workflow
- 3Pin
@tiledesk/tiledesk-serverto 2.18.5 or earlier, or to 2.18.13+ once a clean release is published; do not install 2.18.6, 2.18.7, 2.18.8, 2.18.9, 2.18.10, 2.18.11, or 2.18.12 - 4Block outbound network traffic to
216.126.225.129and the entire/24at egress; alert on any historical connection to that IP from build hosts - 5Search GitHub Audit Log for commits authored by
build-bot,auto-ci,ci-bot, orpipeline-botsince 2026-05-18, and for any new GitHub user with a randomized 8-character username added as a collaborator or who pushed to a fork - 6Rotate every CI secret, cloud credential, SSH key, and OIDC token used by any build runner that executed an affected workflow — assume full credential exposure
- 7Search npm publish history for unexpected releases between 2026-05-18 and the date the relevant token was rotated — Tiledesk is the confirmed example but any maintainer who released from a poisoned repo carries the same risk
References
- SafeDepMegalodon: Mass GitHub Repo Backdooring via CI Workflowssafedep.io
- The Hacker NewsMegalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflowsthehackernews.com
- StepSecurityMegalodon: Mass GitHub Actions Secret Exfiltration Across 5,500+ Public Repositoriesstepsecurity.io
- SecurityWeekOver 5,500 GitHub Repositories Infected in 'Megalodon' Supply Chain Attacksecurityweek.com
- The RegisterMegalodon chums the waters in 5.5K+ GitHub repo poisoningstheregister.com
- Dark Reading'Megalodon' Malware Infects Thousands of GitHub Reposdarkreading.com
- GitGuardianFour Credential-Harvesting Campaigns Hit Open Source Ecosystems in Two Weeksblog.gitguardian.com
- npm@tiledesk/tiledesk-server on npmnpmjs.com