{"id":8272,"date":"2026-05-26T14:02:09","date_gmt":"2026-05-26T14:02:09","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8272"},"modified":"2026-05-26T14:02:09","modified_gmt":"2026-05-26T14:02:09","slug":"github-actions-abused-by-megalodon-attack-to-slip-malicious-commits-into-5500-repos","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8272","title":{"rendered":"GitHub Actions abused by Megalodon attack to slip malicious commits into 5,500 repos"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A large-scale automated GitHub backdooring campaign was caught pushing thousands of malicious commits into public repositories while posing as routine CI\/CD upkeep.<\/p>\n<p>Researchers at SafeDep observed the campaign, Megalodon, touching more than five thousand repositories over a six-hour window on May 18. The attack was in the form of a malicious commit, \u201cacac5a9,\u201d targeting GitHub Actions workflows.<\/p>\n<p>Unexpected workflow_dispatch runs in the Actions tab could be a warning sign, the researchers said in a <a href=\"https:\/\/safedep.io\/megalodon-mass-github-repo-backdooring-ci-workflows\/\" target=\"_blank\" rel=\"noopener\">blog post<\/a>. 
\u201cIf you use OIDC federation for cloud deployments, review cloud audit logs for token requests from unknown workflow runs.\u201d<\/p>\n<p>The malicious commits were seen modifying GitHub Actions workflows to include base64-encoded bash payloads designed to steal secrets exposed during CI execution, including cloud credentials, SSH keys, OpenID Connect (OIDC) tokens, source code secrets, and other environment variables.<\/p>\n<p>Among the hardest-hit projects were Wiznet\u2019s ioLibrary_Driver repository, four Tiledesk repositories, and four persian-tools repositories, with well over 2,000 malicious commits between them.<\/p>\n<p>A later <a href=\"https:\/\/www.ox.security\/blog\/megalodon-cicd-malware-github\/\" target=\"_blank\" rel=\"noopener\">blog post<\/a> by OX Security flagged some similarities to the widespread <a href=\"https:\/\/www.csoonline.com\/article\/4170284\/mistral-ai-sdk-tanstack-router-hit-in-npm-software-supply-chain-attack.html\">TeamPCP compromises<\/a>, particularly the use of hardcoded historical commit dates. This was a trick used in TeamPCP-linked operations to hide the true timing of malicious activity.<\/p>\n<h2 class=\"wp-block-heading\">An automated attack with compromised keys<\/h2>\n<p>SafeDep\u2019s researchers said the Megalodon campaign pushed 5,718 malicious commits across 5,561 public GitHub repositories within roughly six hours, primarily by abusing compromised credentials to directly modify GitHub Actions workflows.<\/p>\n<p>SafeDep detected the campaign while investigating a Tiledesk GitHub Actions workflow file hiding the base64-encoded bash payload.<\/p>\n<p>\u201cVersions 2.18.6 (May 19) through 2.18.12 (May 21) all carry the backdoor,\u201d the researchers had concluded after preliminary investigation.<\/p>\n<p>Further comparison of the culprit Tiledesk versions with their legitimate predecessors led the researchers to a malicious commit. 
\u201cThe malicious commit landed on May 18, 2026, authored by build-bot &lt;build-system@noreply.dev&gt; with the message \u2018ci: add build optimization step\u2019,\u201d they said. \u201cThe author name and generic noreply email mimic automated CI commits.\u201d<\/p>\n<p>The commit was pushed without a pull request (PR) or a merge commit, which the researchers said was done using a compromised <a href=\"https:\/\/www.csoonline.com\/article\/4103717\/github-action-secrets-arent-secret-anymore-exposed-pats-now-a-direct-path-into-cloud-environments-2.html\" target=\"_blank\" rel=\"noopener\">Personal Access Token<\/a> (PAT) or deploy key. They warned the malicious commit remained active on the \u201cmaster branch\u201d at the time of publishing the disclosure.<\/p>\n<p>Besides \u201cbuild-bot,\u201d the campaign also relied on other forged author identities such as \u201cauto-ci\u201d and \u201cci-bot.\u201d<\/p>\n<p>The campaign pushed out two payload variants. The first, \u201cSysDiag,\u201d embedded obfuscated bash payloads directly into workflows, triggering automatically on every push or PR, while the second, \u201cOptimize-Build,\u201d followed a staged approach using \u201cworkflow_dispatch\u201d to execute the malicious workflow only when needed. The latter, used in the Tiledesk compromise, proved operationally noisy and left detectable traces.<\/p>\n<p>Both variants targeted sensitive CI secrets including AWS and GCP credentials, SSH keys, Kubernetes configs, GitHub OIDC tokens, source code secrets, and shell history. 
They exfiltrated stolen secrets to attacker-controlled infrastructure at 216.126.225.129:8443.<\/p>\n<p>SafeDep shared a list of indicators of compromise (IOCs) including the C2 domain, campaign signature, author names and emails, commit messages, and the names of the compromised GitHub repositories to aid in detection and clean-up.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A large-scale automated GitHub backdooring campaign was caught pushing thousands of malicious commits into public repositories while posing as routine CI\/CD upkeep. Researchers at SafeDep observed the campaign, Megalodon, touching more than five thousand repositories over a six-hour window on May 18. The attack was in the form of a malicious commit, \u201cacac5a9,\u201d targeting GitHub [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8273,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8272","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8272"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8272"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8272\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8273"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8272"}],"wp:term":[{"taxonomy":"
category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8272"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8272"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}