[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fD6pZ3w8Zu71UteEY0c78_HEUOB65lGIc_xahsa9vNZI":3},{"article":4,"iocs":55},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":34,"category":35,"article_tags":39},"19a1e6ec-ed96-4ada-a1eb-a6c306e33d45","5,561 GitHub Repositories Hit by Megalodon Supply Chain Attack in Six Hours","5-561-github-repositories-hit-by-megalodon-supply-chain-attack-in-six-hours-ae8ebc","SafeDep uncovered the Megalodon attack targeting 5,561 GitHub repositories with malicious CI workflows and cloud credential theft.","SafeDep discovered Megalodon, a large-scale automated supply chain attack targeting 5,561 GitHub repositories that pushed 5,718 malicious code updates within six hours on May 18, 2026. The attackers used fake GitHub accounts and injected malicious CI\u002FCD workflows to steal cloud credentials and GitHub Actions tokens, enabling credential theft from AWS, Google Cloud, and Azure. The attack resulted in seven poisoned versions of the Tiledesk npm package being published publicly, demonstrating the downstream impact of compromised repositories.","Megalodon attack compromises 5,561 GitHub repos via malicious CI workflows in six hours.","5,561 GitHub Repositories Hit by Megalodon Supply Chain Attack in Six Hours. SafeDep uncovered the Megalodon attack targeting 5,561 GitHub repositories with malicious CI workflows and cloud credential theft. By Deeba Ahmed, May 22, 2026. Cybersecurity firm SafeDep discovered a massive automated attack on the software platform GitHub, targeting 5,561 repositories (software storage locations). Named Megalodon, the campaign pushed 5,718 fake code updates in a short six-hour window on the 18th of May 2026. 
SafeDep discovered Megalodon using its digital scanning tool, Malysis, which noticed hidden malicious scripts buried inside otherwise clean files. The hackers used fake GitHub accounts with random eight-character names to hide their tracks, and even changed their system settings to appear to be official automated services, using fake sender identities like build-bot, auto-ci, ci-bot, and pipeline-bot. The attack occurred around the same time TeamPCP hackers announced they had compromised a GitHub employee’s device and breached 3,800 repositories through a malicious VS Code extension, showing that developers are actively being targeted. Hidden Backdoors in System Files. According to SafeDep’s blog post, the attackers used two main automated code techniques, one of which is a broad version called SysDiag. It adds a new file named .github\u002Fworkflows\u002Fci.yml that triggers a data-stealing script every time a developer updates their project. The second method, called Optimize-Build, is sneakier. It replaces existing system files and uses a command called workflow_dispatch to keep the malicious code dormant, preventing failed build alerts or red flags. The hackers can wake up this backdoor at any time by sending a message through the GitHub API. The popular live chat and chatbot service, Tiledesk, was a major victim of this attack. Hackers reportedly compromised nine of Tiledesk’s code areas on GitHub. Since the main developer didn’t realize their files were poisoned, they unintentionally published seven infected versions of their product, called @tiledesk\u002Ftiledesk-server (versions 2.18.6 through 2.18.12), to the public npm package registry between 19 May and 21 May 2026. 
List of Compromised GitHub Repositories (Source: SafeDep). A Hunt for Private Cloud Keys. Once run, this hidden script opens a terminal window and executes a decoded 111-line background program, and then copies internal files and data, which is sent to a hacker-controlled C2 server at 216.126.225.129:8443. The malware steals credentials from major cloud systems like Amazon Web Services, Google Cloud, and Microsoft Azure, and searches for system logs, digital history, and code files to find 30 types of private passwords, database links, and secret digital keys. According to SafeDep, the worst outcome is that hackers can steal special verification tokens to “impersonate the GitHub Actions workflow.” This lets the hackers trick linked cloud environments into thinking they are legitimate users. SafeDep urges any developers who saw strange code updates from emails like build-[email protected] or [email protected] on 18 May to undo the changes and change all their cloud passwords immediately. Deeba Ahmed is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events.","https:\u002F\u002Fhackread.com\u002Fgithub-repositories-megalodon-supply-chain-attack\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fgithub-repositories-megalodon-supply-chain-attack.png","2026-05-22T13:51:21+00:00","2026-05-22T14:00:22.491648+00:00",9,[18,21,24,27,29,31],{"name":19,"type":20},"Megalodon","campaign",{"name":22,"type":23},"SafeDep","vendor",{"name":25,"type":26},"Malysis","product",{"name":28,"type":26},"@tiledesk\u002Ftiledesk-server",{"name":30,"type":23},"Tiledesk",{"name":32,"type":33},"GitHub Actions","technology","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":34,"icon":36,"name":37,"slug":38},null,"Supply Chain","supply-chain",[40,45,50],{"category":41},{"id":42,"icon":36,"name":43,"slug":44},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":46},{"id":47,"icon":36,"name":48,"slug":49},"c70f3a41-2f0c-4608-870d-b8cbcd8be076","Cloud Security","cloud-security",{"category":51},{"id":52,"icon":36,"name":53,"slug":54},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[56,59],{"type":44,"value":57,"context":58},"SysDiag","First malicious CI workflow technique that adds .github\u002Fworkflows\u002Fci.yml to steal data",{"type":44,"value":60,"context":61},"Optimize-Build","Second technique replacing system files with dormant backdoors triggered via workflow_dispatch"]