Cybersecurity experts have uncovered a massive automated attack named Megalodon, which flooded GitHub with 5,718 harmful commits across 5,561 repositories in just six hours.
According to a report by SafeDep, the attacker used temporary accounts and fake developer identities—such as build-bot, auto-ci, ci-bot, and pipeline-bot—to insert GitHub Actions workflows. These workflows contained base64-encoded bash scripts designed to steal sensitive data—including CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code—and send it to a command-and-control server at 216.126.225[.]129:8443.
Here’s a breakdown of what the malware harvested:
- Environment variables from CI systems, /proc/*/environ, and PID 1 environment
- Amazon Web Services (AWS) credentials
- Google Cloud access tokens
- Instance role credentials pulled from AWS IMDSv2, Google Cloud metadata, and Microsoft Azure IMDS endpoints
- SSH private keys
- Docker and Kubernetes config files
- Vault tokens
- Terraform credentials
- Shell command history
- API keys, database connection strings, JWTs, PEM private keys, and cloud tokens matching over 30 secret patterns
- GitHub Actions OIDC token request URL and token
- GITHUB_TOKEN, GitLab CI/CD tokens, and Bitbucket tokens
- .env files, credentials.json, service-account.json, and similar configuration files
One compromised package, @tiledesk/tiledesk-server, embedded a Base64-encoded bash payload directly in its GitHub Actions workflow. All 5,718 malicious commits were pushed between 11:36 a.m. and 5:48 p.m. UTC on May 18, 2026, targeting 5,561 unique repositories.
The attacker cycled through four author names—build-bot, auto-ci, ci-bot, pipeline-bot—and seven different commit messages, all disguised as routine CI updates. They used disposable GitHub accounts with random 8-character usernames (like rkb8el9r or bhlru9nr), altered git settings to spoof identities, and pushed changes using stolen personal access tokens (PATs) or deploy keys.
Two main payload types were identified: SysDiag, a broad variant that triggers on every push or pull request, and Optimize-Build, a targeted version activated only when manually triggered via GitHub Actions’ workflow_dispatch. In Tiledesk’s case, the latter was used—meaning it runs only when a maintainer manually starts it, not when the npm package is installed.
As SafeDep explained: “A trigger like `on: push` would guarantee execution on every commit to main, maximizing reach. But `workflow_dispatch` trades that for stealth. With over 5,700 repos compromised, even a small percentage yielding a valid GITHUB_TOKEN gives plenty of targets for manual triggering.”
Once a developer merges the malicious commit, the malware activates inside their CI/CD pipeline, spreads further, and enables large-scale theft of secrets and credentials.
“We’re now in a new era of supply chain attacks,” said Moshe Siman Tov Bustan of OX Security. “TeamPCP hitting GitHub was just the start. What follows will be relentless—like a tsunami—of cyberattacks targeting developers globally.”
This wave comes as TeamPCP exploits interconnected software supply chains to hijack open-source projects, infiltrating multiple ecosystems and, in some cases, extorting victims for money. Microsoft-owned GitHub is now among its victims, joining TanStack, Grafana Labs, OpenAI, and Mistral AI.
TeamPCP’s operations follow a self-reinforcing cycle: one compromise leads to the next, allowing malware to spread rapidly like a worm. The group appears financially motivated and has ties to BreachForums and hacking collectives such as LAPSUS$ and VECT.
Notably, the group also shows signs of geopolitical intent—deploying wiper malware on machines detected in Iran and Israel.
In response to these threats—including the recent Mini Shai-Hulud worm—npm has revoked all granular access tokens that bypass two-factor authentication (2FA) with write permissions. Developers are encouraged to adopt Trusted Publishing to minimize reliance on such tokens.
“Resetting all bypass-2FA tokens cuts off credentials the worm already stole,” explained application security firm Socket. “Maintainers get new tokens, but the worm remains active and may harvest them again. The reset buys time—but doesn’t fix the root vulnerability.”
Unlike Megalodon and TeamPCP, which hijack legitimate packages, another fake account—’polymarketdev’—published nine malicious npm packages impersonating official Polymarket trading CLI tools—all within 30 seconds. These packages use a postinstall script to steal Ethereum and Polygon private keys.
As of now, these packages remain downloadable on npm:
- polymarket-trading-cli
- polymarket-terminal
- polymarket-trade
- polymarket-auto-trade
- polymarket-copy-trading
- polymarket-bot
- polymarket-claude-code
- polymarket-ai-agent
- polymarket-trader
“When installed, a postinstall script shows a fake wallet setup screen that asks users to paste their private key, claiming it’s encrypted,” said SafeDep. “In reality, the raw key is sent in plain text to a Cloudflare Worker endpoint at hxxps://polymarketbot.polymarketdev.workers[.]dev/v1/wallets/keys.”
“The attacker built a full-featured trading CLI around a credential theft operation. The attack relies on social engineering: the postinstall prompt looks like normal wallet onboarding, input masking mimics secure entry, and the associated GitHub repo adds false legitimacy.”
