Megalodon GitHub attack targets 5,561 repositories with malicious CI/CD workflow

May 22, 2026

Cybersecurity researchers have revealed details of a new automated campaign called Megalodon that pushed 5,718 malicious commits to 5,561 GitHub repositories within six hours.

“The attacker used a one-time-use account and forged author IDs (build-bot, auto-ci, ci-bot, pipeline-bot) to inject a GitHub Actions workflow containing a base64-encoded bash payload, exfiltrating CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets to a C2 server at 216.126.225[.]129:8443,” SafeDep said in the report.

The complete list of data collected by the malware is below.

  • CI environment variables, /proc/*/environ, and the PID 1 environment
  • Amazon Web Services (AWS) credentials
  • Google Cloud access token
  • Instance role credentials obtained by querying the AWS IMDSv2, Google Cloud metadata, and Microsoft Azure Instance Metadata Service (IMDS) endpoints
  • SSH private keys
  • Docker and Kubernetes configuration
  • Vault tokens
  • Terraform credentials
  • Shell history
  • API keys, cloud tokens, database connection strings, JWTs, PEM private keys, and matches for over 30 secret regex patterns
  • GitHub Actions OIDC token request URLs and tokens
  • GITHUB_TOKEN, GitLab CI/CD tokens, and Bitbucket tokens
  • .env files, credentials.json, service-account.json, and other configuration files

One of the affected packages is @tiledesk/tiledesk-server, which bundles Base64-encoded bash payloads inside GitHub Actions workflow files. Between 11:36 AM and 5:48 PM UTC on May 18, 2026, a total of 5,718 commits were pushed to 5,561 separate repositories.

“The attackers rotated four author names (build-bot, auto-ci, ci-bot, pipeline-bot) and seven commit messages, all mimicking routine CI maintenance,” SafeDep said. “The attackers used disposable GitHub accounts with random eight-character usernames (rkb8el9r, bhlru9nr, lo6wt4t6, etc.), configured git config to forge author IDs, and pushed through compromised PATs or deployment keys.”

Two payload variants have been observed as part of the larger campaign. SysDiag is a bulk variant that adds a new workflow triggered on every push and pull request, while Optimize-Build is a targeted variant that only activates on workflow_dispatch, a GitHub Actions trigger that lets users run a workflow manually on demand. In Tiledesk's case, the targeted variant was used so that the payload runs on the CI/CD runner rather than at npm package installation time.

“The tradeoff is reach: on: push guarantees execution on every commit to master, reaching more targets without intervention,” SafeDep added. “workflow_dispatch sacrifices operational security. With over 5,700 repositories compromised, even a fraction of usable GITHUB_TOKENs gives attackers enough targets to trigger on demand.”

As a result, when repository owners merge commits, malware is executed within the CI/CD pipeline and spreads further, enabling large-scale credential and sensitive information theft.
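The two trigger styles above are what a defender can key on when auditing a repository's workflow files. The following is an added example, not code from SafeDep or from any affected project: it scans a workflow for the tell-tale "decode an embedded base64 blob straight into a shell" step, classifies it as bulk (push/pull_request) or targeted (workflow_dispatch) by its `on:` triggers, and checks a `git log` author line against the four rotated bot names from the report. The sample workflows and the encoded command are constructed placeholders.

```python
import base64
import itertools
import re

# Constructed sample workflows (not from the campaign) modelled on the two
# trigger styles in the article; the encoded command is a harmless placeholder.
FAKE_PAYLOAD = base64.b64encode(b"echo placeholder only; not a real payload").decode()
BULK_VARIANT = f"""name: SysDiag
on: [push, pull_request]
jobs:
  steps:
    - run: echo {FAKE_PAYLOAD} | base64 -d | bash
"""
TARGETED_VARIANT = f"""name: Optimize-Build
on:
  workflow_dispatch:
jobs:
  steps:
    - run: echo {FAKE_PAYLOAD} | base64 --decode | sh
"""

DECODE_TO_SHELL = re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
FORGED_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}  # names from the report

def triggers_of(text):
    """Trigger names under `on:`; handles the inline-list and block forms."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("on:"):
            continue
        inline = line[3:].strip().strip("[]")
        if inline:
            return [t.strip() for t in inline.split(",")]
        block = itertools.takewhile(lambda ln: ln.startswith(" "), lines[i + 1:])
        return [ln.strip().rstrip(":") for ln in block if len(ln) - len(ln.lstrip()) == 2]
    return []

def scan_workflow(text):
    """Flag a workflow that pipes an embedded base64 blob straight into a shell."""
    trig = triggers_of(text)
    suspicious = bool(DECODE_TO_SHELL.search(text) and B64_BLOB.search(text))
    variant = None
    if suspicious:  # classify by reach, the way the report distinguishes the variants
        variant = "bulk" if {"push", "pull_request"} & set(trig) else (
            "targeted" if "workflow_dispatch" in trig else "other")
    return {"triggers": trig, "suspicious": suspicious, "variant": variant}

def forged_author(log_line):
    """True when a `git log --format='%an <%ae>'` line uses one of the rotated bot names."""
    return log_line.split("<", 1)[0].strip() in FORGED_AUTHORS
```

Run it over every file under .github/workflows in a checkout, and over the author lines of recent commits, to triage repositories for the two variants the report describes.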

“We have entered a new era of supply chain attacks, and TeamPCP’s GitHub breach is just the beginning,” said Moshe Siman Tov Bustan of OX Security. “What comes next is a never-ending wave, a tsunami of cyberattacks on developers around the world.”

The development comes as TeamPCP is weaponizing the interconnected software supply chain to compromise hundreds of open source tools, infiltrate several ecosystems, and in some cases extort payments from victims. Microsoft-owned GitHub is the latest addition to a long list of victims that includes TanStack, Grafana Labs, OpenAI, and Mistral AI.

TeamPCP attacks drive the cyclical exploitation of popular open source projects, with each breach feeding the next and allowing the malware to spread in a worm-like manner. The group also appears to be financially motivated, having established partnerships with BreachForums and with extortion groups such as LAPSUS$ and VECT.

The group additionally appears to have geopolitical motivations, as evidenced by wiper malware that is deployed when it detects machines located in Iran or Israel.

In the aftermath of the TeamPCP attack spree and the Mini Shai-Hulud worm, npm is now disabling granular access tokens with write access that bypass two-factor authentication (2FA). npm also encourages users to switch to trusted publishing to reduce dependence on such tokens.

“By burning all bypass 2FA tokens on the platform, npm blocks the credentials the worm has already collected,” said application security firm Socket. “The administrator will issue a new one. The worm is still active in the wild and will return to harvest. The reset will gain breathing space. The underlying hole will not close.”

Activity clusters such as Megalodon and TeamPCP compromise legitimate packages to distribute malware. By contrast, a single-use account named “polymarketdev” was found to have published nine malicious npm packages impersonating the Polymarket trading CLI tool within 30 seconds, stealing victims’ Ethereum/Polygon private keys via a post-install hook.

At the time of writing, these packages are still available for download from npm. Their names are as follows:

  • polymarket-trading-cli
  • polymarket-terminal
  • polymarket-trade
  • polymarket-auto-trade
  • polymarket-copy-trading
  • polymarket-bot
  • polymarket-claude-code
  • polymarket-ai-agent
  • polymarket-trader

“During installation, the post-installation script displays a fake wallet onboarding prompt asking the user to paste their private key, claiming that it ‘remains encrypted’,” SafeDep said. “The script POSTs the raw key in clear text to the Cloudflare worker at hxxps://polymarketbot.polymarketdev.workers[.]dev/v1/wallet/key.”

“The attackers have built a functional trading CLI around a credential theft operation. The attack is carried out through social engineering. Post-installation prompts look like standard wallet onboarding, masking mimics secure input, and GitHub repositories provide a false sense of trust.”
