<![CDATA[https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/]]>
Link Preview Image
Megalodon: Mass GitHub Repo Backdooring via CI Workflows

Over 5,700 malicious commits were pushed to GitHub repositories on May 18, 2026, replacing GitHub Actions workflows with base64-encoded secret exfiltration payloads. The "megalodon" campaign targeted repos including Tiledesk (9 repos), Black-Iron-Project (8 repos), and hundreds of others. @tiledesk/tiledesk-server versions 2.18.6-2.18.12 on npm carry the backdoor. C2: 216.126.225.129:8443.

favicon

SafeDep - Real-time Open Source Software Supply Chain Security (safedep.io)

Anyone searching GitHub yet for these commits? It would be nice to see a full list of impacted projects.

5,700+ commits in six hours, 5,561 repositories, one payload: replace a GitHub Actions workflow with a dormant secret exfiltration backdoor. The workflow_dispatch trigger design means these backdoors sit silent until activated, creating no visible CI runs.

Tiledesk shows how repository compromise cascades to package registries. Seven npm versions carried the backdoor because the maintainer published from a poisoned repo. Application code: untouched. Only the workflow file changed. Code review would catch this, but nobody reviews workflow files in npm packages.

If your repository received a commit from build-system@noreply.dev or ci-bot@automated.dev on May 18, 2026: revert it, audit your workflow files, and rotate any secrets available to GitHub Actions runners. Check your Actions tab for unexpected workflow_dispatch runs. If you use OIDC federation for cloud deployments, review cloud audit logs for token requests from unknown workflow runs.

If you depend on @tiledesk/tiledesk-server: pin to version 2.18.5 or earlier until the repository is remediated. The malicious commit remains on the master branch as of this writing.

]]>https://board.circlewithadot.net/topic/bc8d6b95-503e-45c0-9829-21e1f863ed2a/https-safedep.io-megalodon-mass-github-repo-backdooring-ci-workflowsRSS for NodeSat, 30 May 2026 17:52:10 GMTThu, 21 May 2026 16:51:13 GMT60<![CDATA[Reply to https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/ on Thu, 21 May 2026 19:26:25 GMT]]>@cR0w It’s old news and not going away. Nobody is treating npm as what it has always been: the biggest malware repo since GitHub.

https://go.halcyon.ai/rs/401-WCH-435/images/Halcyon%20Cloudzy%20C2P%20Report.pdf?version=0

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/j0hnnyxm4s/statuses/116614206918814914https://board.circlewithadot.net/post/https://infosec.exchange/users/j0hnnyxm4s/statuses/116614206918814914Thu, 21 May 2026 19:26:25 GMT<![CDATA[Reply to https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/ on Thu, 21 May 2026 18:30:36 GMT]]>@huronbikes @Azuaron @cR0w That in itself seems insufficient. NPM takes dependencies in a way that makes it so a version update might not even be expected by the developer. (Yes, saving the package lock helps with this, but still.)

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/Epic_Null/statuses/116613987465216954https://board.circlewithadot.net/post/https://infosec.exchange/users/Epic_Null/statuses/116613987465216954Thu, 21 May 2026 18:30:36 GMT<![CDATA[Reply to https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/ on Thu, 21 May 2026 18:10:13 GMT]]>@cR0w yeah man that supply chain is a bitch. Npm update stole a PAT and went to town. Luckily it only matters if you’re dumb enough to store keys in your repo. Tried to be as descriptive as possible.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/j0hnnyxm4s/statuses/116613907321011644https://board.circlewithadot.net/post/https://infosec.exchange/users/j0hnnyxm4s/statuses/116613907321011644Thu, 21 May 2026 18:10:13 GMT<![CDATA[Reply to https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/ on Thu, 21 May 2026 18:05:54 GMT]]>@Azuaron @cR0w I believe that that has gotten cause and effect reversed.

It is "but nobody who makes npm packages reviews workflow files (or reviews anything else)".

Or reworded, "people who don't review workflow files become npm developers". (There are, naturally, always exceptional cases.)

πŸ™‚

]]>https://board.circlewithadot.net/post/https://fosstodon.org/users/eschwartz/statuses/116613890325983959https://board.circlewithadot.net/post/https://fosstodon.org/users/eschwartz/statuses/116613890325983959Thu, 21 May 2026 18:05:54 GMT<![CDATA[Reply to https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/ on Thu, 21 May 2026 18:02:28 GMT]]>@nyanbinary https://discourse.ifin.network/t/megalodon-more-malicious-commits-on-github/487

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/cR0w/statuses/116613876828373781https://board.circlewithadot.net/post/https://infosec.exchange/users/cR0w/statuses/116613876828373781Thu, 21 May 2026 18:02:28 GMT<![CDATA[Reply to https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/ on Thu, 21 May 2026 17:56:58 GMT]]>@nyanbinary I can start an IFIN thread if you haven't already.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/cR0w/statuses/116613855246648034https://board.circlewithadot.net/post/https://infosec.exchange/users/cR0w/statuses/116613855246648034Thu, 21 May 2026 17:56:58 GMT<![CDATA[Reply to https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/ on Thu, 21 May 2026 17:55:23 GMT]]>@nyanbinary With less than 85% uptime, you're bound to hit some errors. πŸ˜†

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/cR0w/statuses/116613849003431976https://board.circlewithadot.net/post/https://infosec.exchange/users/cR0w/statuses/116613849003431976Thu, 21 May 2026 17:55:23 GMT<![CDATA[Reply to https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/ on Thu, 21 May 2026 17:54:42 GMT]]>@cR0w lmao, just hit a 502 πŸ™ƒ

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/nyanbinary/statuses/116613846305847367https://board.circlewithadot.net/post/https://infosec.exchange/users/nyanbinary/statuses/116613846305847367Thu, 21 May 2026 17:54:42 GMT<![CDATA[Reply to https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/ on Thu, 21 May 2026 17:53:14 GMT]]>@nyanbinary Not sure. I'm still dicking around with the search.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/cR0w/statuses/116613840556806467https://board.circlewithadot.net/post/https://infosec.exchange/users/cR0w/statuses/116613840556806467Thu, 21 May 2026 17:53:14 GMT<![CDATA[Reply to https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/ on Thu, 21 May 2026 17:52:45 GMT]]>@cR0w do we have an IFIN thread for this? Just to know where I'll dump the results & code

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/nyanbinary/statuses/116613838603769966https://board.circlewithadot.net/post/https://infosec.exchange/users/nyanbinary/statuses/116613838603769966Thu, 21 May 2026 17:52:45 GMT<![CDATA[Reply to https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/ on Thu, 21 May 2026 17:50:46 GMT]]>@nyanbinary The API is giving me weird shit too. Shit that doesn't match my search query.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/cR0w/statuses/116613830867134936https://board.circlewithadot.net/post/https://infosec.exchange/users/cR0w/statuses/116613830867134936Thu, 21 May 2026 17:50:46 GMT<![CDATA[Reply to https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/ on Thu, 21 May 2026 17:35:07 GMT]]>@cR0w the fact that you can't get more than 1k paginated results is so fucking stupid, istg

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/nyanbinary/statuses/116613769289313469https://board.circlewithadot.net/post/https://infosec.exchange/users/nyanbinary/statuses/116613769289313469Thu, 21 May 2026 17:35:07 GMT<![CDATA[Reply to https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/ on Thu, 21 May 2026 17:13:52 GMT]]>@Viss @nyanbinary @cR0w a low bar and yet someone will still fail to clear it.

]]>https://board.circlewithadot.net/post/https://cyberplace.social/users/huronbikes/statuses/116613685765216334https://board.circlewithadot.net/post/https://cyberplace.social/users/huronbikes/statuses/116613685765216334Thu, 21 May 2026 17:13:52 GMT<![CDATA[Reply to https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/ on Thu, 21 May 2026 17:11:45 GMT]]>@Azuaron @cR0w I get what you are saying. There's a systemic issue with NPM and a normal-seeming project will have hundreds or thousands of transitive dependencies, and the system does little to provide any automated means of verification.

]]>https://board.circlewithadot.net/post/https://cyberplace.social/users/huronbikes/statuses/116613677393081120https://board.circlewithadot.net/post/https://cyberplace.social/users/huronbikes/statuses/116613677393081120Thu, 21 May 2026 17:11:45 GMT<![CDATA[Reply to https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/ on Thu, 21 May 2026 17:08:53 GMT]]>@nyanbinary @cR0w they may as well have put on an actual firework show

]]>https://board.circlewithadot.net/post/https://mastodon.social/users/Viss/statuses/116613666150123711https://board.circlewithadot.net/post/https://mastodon.social/users/Viss/statuses/116613666150123711Thu, 21 May 2026 17:08:53 GMT<![CDATA[Reply to https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/ on Thu, 21 May 2026 17:07:46 GMT]]>Some interesting info in a couple repos by @j0hnnyxm4s

Link Preview Image
Security: Repository tampered via my compromised credential β€” cleanup required (megalodon campaign) Β· Issue #44 Β· chicagolandmesh/chicagolandmesh.org

TL;DR: My account johnnyxmas was the target of a supply-chain credential-theft campaign. On 2026-05-18, the attacker used my compromised credential β€” which had push access to this repo as a collaborator β€” to push a malicious commit and r...

favicon

GitHub (github.com)

Link Preview Image
Security: Repository tampered via my compromised credential β€” cleanup required (megalodon campaign) Β· Issue #36 Β· Xyl2k/TSA-Travel-Sentry-master-keys

TL;DR: My account johnnyxmas was the target of a supply-chain credential-theft campaign. On 2026-05-18, the attacker used my compromised credential β€” which had push access to this repo as a collaborator β€” to push a malicious commit and r...

favicon

GitHub (github.com)

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/cR0w/statuses/116613661750368473https://board.circlewithadot.net/post/https://infosec.exchange/users/cR0w/statuses/116613661750368473Thu, 21 May 2026 17:07:46 GMT<![CDATA[Reply to https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/ on Thu, 21 May 2026 17:07:36 GMT]]>@cR0w lemme see if I can just pull the projects, actually. unfortunately github api is meh

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/nyanbinary/statuses/116613661127081265https://board.circlewithadot.net/post/https://infosec.exchange/users/nyanbinary/statuses/116613661127081265Thu, 21 May 2026 17:07:36 GMT<![CDATA[Reply to https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/ on Thu, 21 May 2026 17:07:06 GMT]]>@cR0w enjoy πŸ™‚

https://github.com/search?q=author-email%3Abuild-system%40noreply.dev&type=commits
https://github.com/search?q=author-email%3Aci-bot%40automated.dev&type=commits

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/nyanbinary/statuses/116613659155980315https://board.circlewithadot.net/post/https://infosec.exchange/users/nyanbinary/statuses/116613659155980315Thu, 21 May 2026 17:07:06 GMT<![CDATA[Reply to https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/ on Thu, 21 May 2026 16:59:20 GMT]]>@cR0w "...but nobody reviews workflow files in npm packages."

Ex-fucking-scuse me? That's an insane thing to not review.

]]>https://board.circlewithadot.net/post/https://cyberpunk.lol/users/Azuaron/statuses/116613628600026624https://board.circlewithadot.net/post/https://cyberpunk.lol/users/Azuaron/statuses/116613628600026624Thu, 21 May 2026 16:59:20 GMT