Megalodon Campaign Backdoored 5,561 GitHub Repositories via Poisoned CI/CD Workflows

Megalodon is not an exploit. It is the abuse of the single most routine action in software development — a maintainer merging a plausible-looking change — executed by automation at a scale no human-paced attacker could reach.

TEL AVIV — On May 18, 2026, an automated supply-chain campaign that researchers have codenamed Megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories in a single six-hour window, hiding base64-encoded payloads inside the projects' GitHub Actions workflow files.

The campaign was documented across the May 21-22 coverage cycle by the application-security firm OX Security, by SafeDep, and by The Hacker News. No public reporting has tied Megalodon to a named threat actor.

What Happened

Megalodon executed on May 18, 2026, pushing 5,718 malicious commits across 5,561 GitHub repositories in roughly six hours — a volume and velocity only possible because the operation is automated end to end, with no human selecting targets or pacing commits. Each commit adds or alters a file in a repository's .github/workflows/ directory, the YAML files that define a project's CI/CD automation, and embeds a base64-encoded bash payload inside it. The payload does nothing until a repository owner merges the commit; at that point it executes inside that project's own CI/CD pipeline.

What the payload does once it runs is documented consistently across the OX Security and SafeDep technical research: it scans the repository's source code against more than 30 regex patterns for secrets — API keys, database connection strings, JSON Web Tokens, PEM-encoded private keys, and cloud-provider tokens — and it captures the GitHub Actions OIDC token request URL and token. It then sends what it has collected to a command-and-control server, defanged here as 216.126.225[.]129:8443. To pass as routine activity, the operator forged four commit-author identities — build-bot, auto-ci, ci-bot, and pipeline-bot — and rotated through seven commit messages, all written to read as ordinary CI maintenance.

The Disguise: Four Bots and Seven Commit Messages

Megalodon's payload hides in plain sight, and the disguise lives almost entirely in the commit metadata. Rather than push commits under an obvious or random identity, the operator forged four author names chosen to look like a project's own automation: build-bot, auto-ci, ci-bot, and pipeline-bot. The commits rotate through seven different commit messages, each written to read as unremarkable CI housekeeping. To a maintainer skimming a notification or a pull-request list, a commit from 'build-bot' adjusting a workflow file is exactly the kind of change the eye slides past. That is the design intent: Megalodon is engineered not to be caught at the moment of review.

Two Variants: SysDiag and Optimize-Build

Researchers documented two distinct payload variants. The mass variant, 'SysDiag,' adds an entirely new workflow file configured to trigger on every push and every pull request, maximizing the number of times the payload runs automatically once it is in place. The targeted variant, 'Optimize-Build,' is quieter and arguably more dangerous: instead of adding a workflow, it replaces an existing one and rewrites its trigger to workflow_dispatch — the GitHub Actions trigger that fires only when invoked deliberately through the GitHub API. That converts the compromised workflow into a dormant backdoor that does nothing visible until the operator chooses to fire it. A repository that looks clean today, because nothing has executed, may still be holding an Optimize-Build workflow waiting for its call.

A Third Developer-Supply-Chain Campaign in Two Weeks

Megalodon did not arrive in isolation. It lands in the same two-week window as a cluster of attacks on the developer-trust surface that The CyberSignal has tracked closely: GitHub's confirmation that the actor TeamPCP exfiltrated 3,800 internal repositories through a single poisoned VS Code extension, the Shai-Hulud npm worm now generating valid Sigstore provenance badges for its malicious packages, and the copycat operator who pushed Shai-Hulud clones to npm within a week of the source leaking. It also follows the pull_request_target 'pwn request' abuse that hit Grafana. Read together, these are not coincidences but independent operators arriving, in the same fortnight, at the same conclusion: the developer's toolchain is the softest path into everything downstream of it.

Scope and Impact

The reason Megalodon is more than a noisy commit spray is the OIDC token capture. OIDC tokens are the mechanism by which a CI/CD pipeline proves its identity to a cloud provider, so capturing one can let an attacker impersonate the pipeline's cloud identity rather than merely reusing a static key. A single merged commit can therefore expose not just the repository's stored secrets but the cloud accounts those secrets unlock — which is what turns a workflow-file edit into a potential cloud-environment compromise.

Several things about Megalodon are genuinely not known, and this account does not imply otherwise. Exposure is not the same as compromise: the 5,561 figure counts repositories that received a malicious commit, not repositories whose owners actually merged it, and how many merges occurred — and therefore how many pipelines actually ran the payload — has not been reported. The downstream victim count, whether any widely depended-upon repositories were among those hit, whether GitHub has removed all the malicious commits and notified maintainers, and whether the dormant Optimize-Build workflows have been triggered are all open questions.

What is not in question is the company Megalodon keeps. The campaign lands alongside TeamPCP's source-code extortion auctions, the node-ipc npm packages that hid a stealer behind a dead maintainer's domain, the mass-poisoning that forced RubyGems to suspend new signups, and — days later — the Laravel-Lang compromise that carried the same playbook into PHP and Composer. The registry, the tag, and the workflow file are all under sustained, simultaneous attack; Megalodon is the GitHub Actions front of a much wider campaign.

Response and Attribution

The immediate action for every engineering organization is an audit. Review recent commits to your repositories' .github/workflows/ directories and flag anything authored by build-bot, auto-ci, ci-bot, or pipeline-bot, along with any workflow file added or replaced in the May 17-19 window — looking specifically for workflow files containing base64-encoded bash and for workflows that newly use a workflow_dispatch trigger no one on the team created. If any Megalodon-pattern commit was merged, treat every secret reachable from that pipeline as burned: rotate CI/CD secrets, cloud credentials, and SSH keys, review cloud audit logs for OIDC-token-based identity impersonation, and block outbound traffic from CI runners to 216.126.225[.]129. The structural fix is to treat .github/workflows/ as the highest-trust path in the repository — require review and approval for every change to a workflow file, enforce branch protection and CODEOWNERS on the .github/ directory, pin GitHub Actions to allowlisted versions, and adopt short-lived, tightly scoped OIDC cloud credentials so a captured token is far less useful.

On attribution, the honest position is that there is none. No public reporting ties Megalodon to TeamPCP or to any other named actor, and despite the campaign landing in the same window as TeamPCP's activity, the two should be treated as separate until evidence links them — an assumption of common authorship would be single-sourced speculation, not a finding. For SOC and threat-hunting teams, the Megalodon indicators — the command-and-control IP, the four bot author names, and the base64 workflow-payload pattern — are straightforward to hunt across GitHub organization audit logs, and base64 bash phoning home to a non-standard port (8443) is a detectable egress pattern.

The CyberSignal Analysis

Signal 01 — Megalodon Weaponizes the Merge, Not a Vulnerability

Most supply-chain coverage will lead with the 5,561-repository number, and the scale is genuinely striking. But the more important fact is what Megalodon does not require: a vulnerability. There is no CVE here, no exploit, no flaw in GitHub's code. The campaign works because it abuses a workflow — the single most routine action in software development, a maintainer accepting a plausible-looking change. A commit from 'build-bot' adjusting a CI file is precisely the kind of thing a maintainer merges without a second look, and the moment they do, the payload runs inside their own pipeline. That is a fundamentally different problem from a patchable bug, because you cannot patch the merge. Defending against Megalodon means changing how the highest-trust, least-scrutinized changes in a repository are reviewed — organizational and procedural work, not a software update.

Signal 02 — The .github/workflows/ Directory Is the Soft Spot

Every repository has a directory that is simultaneously the most powerful and the least reviewed: .github/workflows/. The files there define what runs in CI, with what permissions, and with access to which secrets — and yet in most organizations a change to a workflow file passes through the same casual review as a change to a README, or less. Megalodon is built precisely around that asymmetry; its entire method is to put a base64 payload into a workflow file and let normal, light-touch review wave it through. The takeaway for engineering leaders is narrow and concrete: the .github/ directory deserves stricter controls than application code, not looser ones — required reviews, CODEOWNERS, pinned actions, and a default assumption that an unexpected workflow change is hostile until proven otherwise.

Signal 03 — Automation Rewrote the Math

The reason Megalodon belongs in the same conversation as the GitHub/TeamPCP breach and the Shai-Hulud worm is not that they share an operator — there is no evidence they do — but that they share a conclusion. In a single fortnight, several independent operators each industrialized an attack on the developer-trust surface, and Megalodon is the clearest demonstration of what that industrialization means: 5,561 repositories touched in six hours by tooling that needs no human in the loop. Manual review — a maintainer carefully reading each commit — is the defense this campaign is designed to outrun, and at automation's scale it cannot keep pace. The defensive response has to be automated too: workflow-integrity scanning, secret-exposure detection, and machine-speed alerting on the developer pipeline. The era in which supply-chain security could rely on a careful human at the merge button is the era Megalodon just closed.

Sources