Megalodon infects 5,561 GitHub repos to steal CI secrets
Megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories in six hours, injecting GitHub Actions that exfiltrate CI environment variables, cloud credentials, SSH keys and tokens.
On May 18, 2026, security researchers reported that an automated campaign named Megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories between 11:36 a.m. and 5:48 p.m. UTC. The commits added GitHub Actions workflow files that contained base64-encoded bash payloads which send harvested data to a command-and-control server at 216.126.225[.]129:8443.
The attacker used throwaway GitHub accounts with random eight-character usernames and forged author names such as build-bot, auto-ci, ci-bot and pipeline-bot. Commits were pushed using compromised personal access tokens or deploy keys and reused seven commit messages crafted to look like routine CI maintenance.
The injected workflows collect a wide range of sensitive data. Collected items include CI environment variables, /proc and PID 1 environment data, AWS and Google Cloud tokens, instance role credentials obtained from cloud metadata services, SSH private keys, Docker and Kubernetes configuration, Vault and Terraform credentials, shell history, API keys, database connection strings, JWTs, PEM private keys, GitHub Actions OIDC tokens and GITHUB_TOKEN, plus other CI platform tokens and configuration files such as .env and service-account.json.
Researchers observed two payload variants. The SysDiag variant adds a workflow triggered on every push and pull request so it executes automatically. The Optimize-Build variant triggers only on workflow_dispatch, which requires a user to run the workflow manually; that targeted approach was used in at least one package, @tiledesk/tiledesk-server, to focus on compromising CI/CD runners rather than end-user installs.
When repository maintainers merge the malicious commits, the payload runs inside their CI/CD pipelines. Executing inside runners can expose credentials and provide attackers a path to access linked cloud resources and infrastructure. The campaign moved across thousands of repositories in hours, enabling automated harvesting of secrets at scale.
Observers linked the activity to broader supply-chain abuse associated with an actor known as TeamPCP, which has previously compromised multiple open-source projects and commercial tools. Earlier operations attributed to the group combined code compromise, worm-like propagation and extortion. Some incidents included deployment of wiper malware on machines identified as located in Iran and Israel. The actor has been reported to operate with forum and extortion crews, including groups tied to LAPSUS$ and VECT.
Separately, a throwaway account publishing as polymarketdev uploaded nine npm packages impersonating Polymarket trading CLI tools. Those packages included postinstall hooks that display a fake wallet onboarding prompt and request that users paste private keys; the hooks then POST the keys in plaintext to a Cloudflare Worker endpoint. At the time researchers reported the activity, the packages remained available for download from npm.
In response to recent credential-theft incidents, npm invalidated granular access tokens that bypass two-factor authentication and urged maintainers to adopt Trusted Publishing. Application security firms described the token invalidation as a defensive reset that removes tokens the malware could reuse while noting it does not fix the vulnerabilities that allowed credential theft and token abuse.
Researchers continue to scan for further malicious commits and recommend repository owners audit recent workflow changes, rotate exposed credentials and review deploy keys and personal access tokens for signs of compromise. Moshe Siman Tov Bustan of OX Security warned, ‘What’s coming next is an endless wave, a tsunami of cyber attacks on developers worldwide.’
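One way to start the recommended workflow audit, as an added example that is not code from the researchers or from GitHub: it checks a workflow file and its commit author against the indicators reported above (forged author names, base64 decoded into a shell, the reported C2 address, trigger type). The regexes, finding labels and the harmless sample workflow are constructed for this example and are heuristics, not a complete detector.

```python
import base64
import re

# Indicators from the report; the regexes are this example's own heuristics.
FORGED_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
C2_HOST = "216.126.225.129"  # refanged from the article so it can be matched
DECODE_TO_SHELL = re.compile(r"base64\s+(-d|--decode)\b[^\n|]*\|\s*(ba)?sh\b")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Block-style triggers only ("push:" on its own line); inline lists are not parsed.
AUTO = re.compile(r"^\s*(push|pull_request)\s*:", re.M)
MANUAL = re.compile(r"^\s*workflow_dispatch\s*:", re.M)


def decoded_blobs(text):
    """Yield UTF-8 text recovered from long base64 runs in a workflow file."""
    for match in B64_BLOB.finditer(text):
        blob = match.group(0)
        try:
            yield base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or binary once decoded


def audit_workflow(text, author=""):
    """Return sorted finding labels for one workflow file and its commit author."""
    findings = set()
    layers = [text, *decoded_blobs(text)]
    if author.lower() in FORGED_AUTHORS:
        findings.add("forged-author-name")
    if DECODE_TO_SHELL.search(text):
        findings.add("base64-piped-to-shell")
    if len(layers) > 1:
        findings.add("embedded-base64-text")
    if any(C2_HOST in layer for layer in layers):
        findings.add("reported-c2-address")
    if findings:  # only classify the trigger once something else is suspicious
        if AUTO.search(text):
            findings.add("trigger-push-or-pr")
        elif MANUAL.search(text):
            findings.add("trigger-workflow-dispatch-only")
    return sorted(findings)


def constructed_sample(trigger="  push:\n  pull_request:\n"):
    """Build a harmless, constructed workflow shaped like the description above."""
    blob = base64.b64encode(b"# constructed placeholder 216.126.225.129:8443\n").decode()
    return (f"name: constructed\non:\n{trigger}jobs:\n  job:\n    runs-on: ubuntu-latest\n"
            f"    steps:\n      - run: echo {blob} | base64 -d | bash\n")
```

Run `audit_workflow` over each file under `.github/workflows/` in recent commits, passing the commit's author name; an empty list means none of these indicators matched, not that the file is safe.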







