Megalodon turned GitHub Actions into a 5,561-repo backdoor in six hours

An automated campaign pushed 5,718 commits to 5,561 GitHub repositories in six hours on a single Monday in May. The commits looked like CI maintenance (“ci: add build optimization step,” “build: improve ci performance,” “chore: optimize pipeline runtime”) and they came from authors with banal names: build-bot, auto-ci, pipeline-bot. By the time the morning of May 18 was over, every one of those repositories had a workflow file with a base64-encoded bash payload sitting inside it.

The campaign is called Megalodon. SafeDep’s research team disclosed it on May 21 after pulling apart the commits and following the artifact trail to a single command-and-control server at 216.126.225.129:8443. The interesting part is not that GitHub got attacked. The interesting part is that the attacker did not need to compromise GitHub at all. They used GitHub Actions, the CI/CD system designed to enforce code integrity, as the delivery vehicle for the backdoor.

Two workflows, one mass, one dormant

Megalodon ran in two modes. The mass variant added a fresh workflow file called SysDiag that fired on every push and every pull request, harvesting whatever ran through it. The targeted variant, Optimize-Build, did something more patient: it replaced an existing workflow with a workflow_dispatch trigger, which lies dormant until someone manually invokes it. A dormant backdoor in a project’s CI directory is much harder to notice than a new workflow named SysDiag, because most maintainers do not audit a file they themselves once wrote.

Once the workflow runs, the payload reads everything it can reach inside the CI environment. CI environment variables. AWS access keys, secret keys, session tokens. GCP access tokens. SSH private keys. .npmrc credentials. Docker configs. Kubernetes configs. GitHub Actions OIDC tokens, which let the attacker impersonate the workflow itself to whatever cloud account it was authorized for. Before exiting, the payload greps the repository source for more than thirty distinct secret patterns (API keys, passwords, certificate fragments) in case any human had pasted one in. AWS IMDSv2, GCP metadata, and Azure metadata endpoints are queried for cloud machine identity.

A pipeline that ships its own backdoor

The most consequential casualty so far is Tiledesk, an open-source customer-engagement platform whose nine GitHub repositories were hit. Between May 19 and May 21, Tiledesk shipped its tiledesk-server package to npm with the backdoor compiled in. Versions 2.18.6 through 2.18.12 of @tiledesk/tiledesk-server now carry payload code installed by every downstream developer who ran npm install during that window. That is the leverage Megalodon was built for: backdooring one open-source project so its release pipeline backdoors hundreds of dependent ones.

Black-Iron-Project took eight repositories. Hundreds of smaller projects (solo developer accounts, university clusters, abandoned sandboxes) took one or two each. The attacker did not appear to care which repos got hit. The pattern was breadth over precision, throwaway accounts with random eight-character usernames pushing identical commit messages from minute to minute. The C2 server quietly recorded what came back.

Why CI files survived the audit

The reason this attack worked is the reason it is the kind of attack to watch for the rest of 2026. CI/CD pipelines are trusted by design. A developer who is suspicious of a strange binary in a download will happily run a workflow file that arrived in their repository last week, because that is what workflow files are: code that runs because the platform is supposed to run it. Audit logs exist, but most teams do not read them. The new commits arrive under names like build-bot and ci-bot. The diffs are small. The base64 string at the bottom of the workflow is opaque on purpose.

The defensive playbook is straightforward and unsatisfying. Rotate every secret that touched a repository between May 18 and now. Audit the .github/workflows directory of every project under management. Inspect commits whose author email does not match a known team member. Treat any base64 blob inside an Actions file as guilty until decoded. Organizations using Tiledesk should downgrade to 2.18.5 or wait for a clean release. Anyone with OIDC trust between Actions and a cloud provider should revoke and re-issue the trust relationship.

Megalodon is the first campaign at this scale that treats the CI workflow itself as the soft target. It will not be the last. The lesson the attack delivers is one developers have heard before in a quieter form: the part of the pipeline you do not read is the part the attacker writes for you.