Megalodon — Mass GitHub CI/CD Supply Chain Attack Hits 5,561 Repos
AI relevance: AI teams rely on the same CI/CD pipelines and npm packages targeted by this campaign — compromising a build pipeline is a fast route to poisoning model-serving infrastructure or exfiltrating LLM provider API keys.
What Happened
SafeDep disclosed "Megalodon", a coordinated supply-chain campaign that pushed 5,718 malicious commits to 5,561 GitHub repositories on May 18 in a six-hour window. The attacker used throwaway accounts with forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot) and injected GitHub Actions workflows containing base64-encoded bash payloads.
Key Findings
- Two payload variants were observed: "SysDiag" (mass variant, triggers on every push/PR) and "Optimize-Build" (targeted, activates only on workflow_dispatch).
- The malware harvests AWS credentials, GCP access tokens, Azure IMDS tokens, SSH private keys, Docker/Kubernetes configs, Vault tokens, Terraform credentials, shell history, and 30+ secret regex patterns.
- Exfiltrated data is sent to a C2 server at 216.126.225.129:8443.
- Confirmed affected package @tiledesk/tiledesk-server uses the targeted variant to compromise CI runners rather than end-user installs.
- Hudson Rock traced the campaign's origin to information-stealer infections that harvested GitHub credentials before the attacker rotated through throwaway accounts.
Why It Matters
Megalodon demonstrates that CI/CD compromise is no longer targeted — it's industrialized. AI teams using npm, Python, or Go packages from GitHub are exposed by default. Once a malicious workflow is merged, it runs inside the victim's own CI environment with access to secrets that can include model-provider API keys, cloud infrastructure credentials, and deployment tokens. The attack chain — info-stealer → stolen GitHub PAT → mass malicious commits → secret exfiltration — is reproducible and already being replicated by other threat actors.
What To Do
- Audit your repositories for unexpected GitHub Actions workflow files, especially those added around May 18 with author names like build-bot, auto-ci, ci-bot, or pipeline-bot.
- Rotate all CI/CD secrets, cloud credentials, and API keys for repos that received commits during the campaign window.
- Require branch protection rules and CODEOWNERS review for any workflow file changes.
- Block workflow_dispatch triggers on repos that don't explicitly need them.
- Use Perplexity's newly open-sourced Bumblebee scanner to inventory developer endpoints for compromised packages.
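One way to script the first audit step, as an added example that is not from SafeDep or the original write-up: it lists commits that touched workflow files under one of the forged author names above, and decodes base64-looking runs in a workflow so a reviewer can read them. The function names, the 40-character threshold and the sample data are assumptions made for illustration.

```python
import base64
import re
import subprocess

# Author names come from the article above; thresholds and names are assumptions.
SUSPECT_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
WORKFLOW = re.compile(r"^\.github/workflows/[^/]+\.ya?ml$")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # 40-char floor is a tunable guess

def git_log(repo="."):  # history in the layout parse_log() expects; needs git on PATH
    return subprocess.run(["git", "-C", repo, "log", "--all", "--name-status",
                           "--format=@@%H%x1f%an%x1f%aI"],
                          capture_output=True, text=True, check=True).stdout

def parse_log(text):
    """Yield (sha, author, date, path) for each added/modified/renamed workflow."""
    sha = author = date = None
    for line in text.split("\n"):
        if line.startswith("@@"):
            sha, author, date = line[2:].split("\x1f")  # 0x1f cannot clash with names
        elif line[:1] in ("A", "M", "R") and "\t" in line:
            path = line.split("\t")[-1]  # for renames the last field is the new path
            if WORKFLOW.match(path):
                yield sha, author, date, path

def suspect_commits(text):
    return [c for c in parse_log(text) if c[1].strip().lower() in SUSPECT_AUTHORS]

def decoded_blobs(workflow_text):
    """Decode base64-looking runs; keep only those that decode to readable text."""
    found = []
    for run in B64_RUN.findall(workflow_text):
        try:
            text = base64.b64decode(run + "=" * (-len(run) % 4)).decode("utf-8")
        except ValueError:  # bad padding or non-UTF-8 bytes, e.g. pinned action SHAs
            continue
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            found.append(text)
    return found

# Constructed sample data (not real campaign artifacts).
SAMPLE_LOG = ("@@aaa1\x1fci-bot\x1f2000-01-01T00:00:00+00:00\n\nA\t.github/workflows/diag.yml\n"
              "M\tREADME.md\n@@bbb2\x1fAlice Dev\x1f2000-01-02T00:00:00+00:00\n\nM\t.github/workflows/test.yml\n")
SAMPLE_BLOB = base64.b64encode(b"echo constructed-harmless-sample-payload\n").decode()
SAMPLE_WORKFLOW = f"on: workflow_dispatch\njobs:\n  x:\n    steps:\n      - run: echo {SAMPLE_BLOB} | base64 -d | bash\n"

if __name__ == "__main__":
    for hit in suspect_commits(git_log()):
        print(*hit)
```

Author names are trivially forged, so a clean result here does not clear a repository; any workflow change in the campaign window still deserves a manual read, with decoded_blobs() run over its contents.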