5,561 GitHub Repositories Compromised in Megalodon Supply Chain Attack Within Six Hours

In a significant incident reported by cybersecurity experts at SafeDep, a large-scale automated attack targeted the GitHub software platform, affecting 5,561 repositories. Dubbed “Megalodon,” this campaign was able to push 5,718 fraudulent code updates within a rapid six-hour timeframe on May 18, 2026. SafeDep identified this threat through its digital scanning tool, Malysis, which detected concealed malicious scripts embedded within seemingly legitimate files.

To obscure their identity, the attackers created fake GitHub accounts, utilizing random eight-character names. They manipulated their system settings to masquerade as official automated services, employing deceptive sender aliases such as build-bot, auto-ci, ci-bot, and pipeline-bot.

This attack coincided with a breach announced by the TeamPCP hacking group, which had exploited a compromised device belonging to a GitHub employee, infiltrating 3,800 repositories through a malicious Visual Studio Code extension. This series of events underscores a troubling trend: developers are becoming prime targets for cybercriminals.

Hidden Backdoors in System Files

SafeDep’s blog detailed that the attackers employed two primary automated techniques for injecting code. The first, known as SysDiag, adds a workflow file at .github/workflows/ci.yml that runs a data-exfiltration script every time a developer updates the project.

The second method, termed Optimize-Build, operates more discreetly: it replaces existing system files and uses the workflow_dispatch trigger so that the malicious code stays dormant, avoiding the alerts a failed build would otherwise raise. The attackers retained the ability to activate this backdoor at will by triggering the workflow through the GitHub API.
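A repository-side audit for the two patterns described above, written as an added example rather than SafeDep’s or Malysis’s own detection logic: it flags workflow files that can only be fired via workflow_dispatch, steps that decode and execute content, raw IP:port strings in a workflow, and commits authored under the bot aliases the article names. The workflow texts and git-log lines are constructed samples; the heuristics are assumptions a defender would tune to their own repositories.

```python
import re

# Sender aliases the article says the attackers used for their commits.
BOT_ALIASES = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}

# Heuristics (assumptions, not SafeDep's rules): a workflow that fires only on
# workflow_dispatch, a step that decodes and pipes into a shell, and a raw
# IP:port inside a workflow each deserve a human look.
IP_PORT = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}\b")
DECODE_EXEC = re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:ba)?sh\b")
TRIGGERS = ("push", "pull_request", "schedule", "workflow_dispatch")


def audit_workflow(text: str) -> list[str]:
    """Return findings for one workflow file's YAML text (block-style 'on:' keys only)."""
    findings = []
    present = {t for t in TRIGGERS if re.search(rf"^\s*{t}\s*:", text, re.M)}
    if present == {"workflow_dispatch"}:
        findings.append("manual-only trigger (dormant until dispatched via API)")
    if DECODE_EXEC.search(text):
        findings.append("decode-and-execute step")
    for match in IP_PORT.findall(text):
        findings.append(f"raw IP:port in workflow: {match}")
    return findings


def suspicious_authors(git_log: str) -> list[str]:
    """Flag 'sha|author|date' lines (e.g. from git log --format='%h|%an|%as') with a bot alias."""
    hits = []
    for line in git_log.splitlines():
        sha, author, date = line.split("|", 2)
        if author.strip().lower() in BOT_ALIASES:
            hits.append(f"{sha} {author.strip()} {date}")
    return hits


# Constructed sample: a dormant workflow shaped like the Optimize-Build technique.
DORMANT = """\
name: Optimize-Build
on:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      C2: 216.126.225.129:8443
    steps:
      - run: echo "$PAYLOAD" | base64 -d | bash
"""
# Constructed sample: an ordinary push-triggered CI workflow, which yields no findings.
NORMAL = "name: CI\non:\n  push:\n  pull_request:\njobs:\n  test:\n    steps:\n      - run: npm test\n"
# Constructed git log lines with fake short SHAs.
LOG = "0000001|build-bot|2026-05-18\n0000002|Jane Dev|2026-05-17\n"
```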

One significant casualty of this campaign was Tiledesk, a widely-utilized live chat and chatbot service. Reports indicate that hackers compromised nine areas of Tiledesk’s GitHub codebase. The main developer, unaware that their files had been compromised, inadvertently released seven infected versions of their product, named @tiledesk/tiledesk-server, across public npm package registries between May 19 and May 21, 2026.

List of Compromised GitHub Repositories (Source: SafeDep)

A Hunt for Private Cloud Keys

Once activated, the hidden script opens a shell to execute a decoded 111-line program in the background, which then collects internal files and data and transfers them to a command-and-control (C2) server at 216.126.225.129:8443.

This malware is designed to pilfer credentials from leading cloud services, including Amazon Web Services, Google Cloud, and Microsoft Azure. It scours for system logs, digital histories, and code repositories to uncover 30 varieties of private passwords, database connections, and secret keys.

According to SafeDep, a more concerning implication of this attack is the potential for hackers to seize special verification tokens, enabling them to impersonate legitimate GitHub Actions workflows. This capability grants hackers the ability to manipulate linked cloud environments, posing as authorized users.

SafeDep has cautioned developers who received unusual code updates on May 18 from email senders such as build-[email protected] or [email protected] to revert these changes immediately and rotate their cloud credentials to mitigate any potential threats.
