Megalodon Campaign Infects Over 5,500 GitHub Repositories with Malware

Megalodon Campaign Infects Over 5,500 GitHub Repositories with Malware

First seen 26 May 2026, 22:09 UTC CsoonlineDarkreadingsafedep.ioGbhackersBlog.Gitguardian+1 82% similarity 71.0

Article Content

Browse articles
ThreatCluster

On May 18, 2026, an automated cyber campaign named Megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories within six hours. The attackers used forged identities and dummy accounts to inject malicious GitHub Actions workflows that exfiltrate CI/CD secrets, cloud credentials, and other sensitive data to a command-and-control server. Two payload variants were deployed: one that adds a new workflow triggered by every push and pull request, and another that replaces existing workflows with dormant backdoors. The npm package @tiledesk/tiledesk-server was notably affected, with compromised versions published between May 19 and May 21. The attack highlights vulnerabilities in the software supply chain, with many repositories still infected weeks later. Researchers believe the attackers leveraged valid credentials obtained from previous supply chain breaches. As of now, the malicious commits remain active on the master branches of affected repositories.

Key Points: • Megalodon campaign pushed 5,718 malicious commits to 5,561 GitHub repositories in six hours. • Attackers used forged identities to inject malicious workflows that steal sensitive data. • The npm package @tiledesk/tiledesk-server was among the most affected, with backdoored versions published.

ThreatCluster AI

Timeline

2026-05-18
Megalodon campaign launched
5,718 malicious commits were pushed to 5,561 GitHub repositories in a six-hour window, targeting CI/CD workflows.
safedep.io
2026-05-19
Compromised npm package versions published
Versions 2.18.6 through 2.18.12 of @tiledesk/tiledesk-server were published with backdoors.
safedep.io
2026-05-21
SafeDep flags Megalodon campaign
SafeDep published a blog post detailing the Megalodon campaign and its impact on GitHub repositories.
Darkreading
2026-05-26
Current status of infections
Approximately 2,900 repositories remain infected, indicating a significant ongoing threat.
Darkreading

Community

Browse all →