ctipilot.ch

Megalodon mass-poisoned 5,561 GitHub repos in 6-hour window; SysDiag + Optimize-Build workflows exfiltrate cloud credentials, SSH keys, OIDC tokens

campaign · item:megalodon-mass-github-cicd-backdoor-5561-repos-sysdiag-optimize-build

Coverage timeline: 1 (first 2026-05-23 → last 2026-05-23)
Briefs: 1 (1 distinct)
Sources cited: 3 (3 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-05-23 · CTI Daily Brief — 2026-05-23
    active_threats: Automated attacker pushed 5,718 commits to 5,561 GitHub repos between 11:36–17:48 UTC on 2026-05-18 using forged committers (build-bot/auto-ci/ci-bot/pipeline-bot) with hardcoded 2001-09-17 timestamp. SysDiag variant runs on push/pull_request; Optimize-Build creates dormant workflow_dispatch backdoors. 111-line base64 bash payload harvests AWS/GCP/Azure creds, SSH keys, GitHub OIDC tokens. npm @tiledesk/tiledesk-server 2.18.6–2.18.12 affected.

Where this entity is cited

  • active_threats: 1

Source distribution

  • ox.security: 1 (33%)
  • safedep.io: 1 (33%)
  • thehackernews.com: 1 (33%)

Related entities

Items in briefs about Megalodon mass-poisoned 5,561 GitHub repos in 6-hour window; SysDiag + Optimize-Build workflows exfiltrate cloud credentials, SSH keys, OIDC tokens (1)

Megalodon mass-poisons 5,561 GitHub repos in a 6-hour window; SysDiag + Optimize-Build workflows exfiltrate cloud credentials and OIDC tokens

From CTI Daily Brief — 2026-05-23 · published 2026-05-23

SafeDep and OX Security disclosed an automated mass-backdooring campaign tracked as Megalodon that pushed thousands of malicious commits to 5,561 distinct GitHub repositories in a roughly six-hour window on 2026-05-18, using throwaway accounts with forged committer identities such as build-bot, auto-ci, ci-bot and pipeline-bot (SafeDep, 2026-05-21 · OX Security, 2026-05-21 · The Hacker News, 2026-05-22). Two GitHub Actions YAML variants were injected: SysDiag, triggered on every push and pull_request event (T1059.004 Unix Shell via CI Runner) to maximise execution frequency in active repos, and Optimize-Build, which replaces existing workflows with workflow_dispatch triggers — a dormant backdoor that the attacker can activate on demand via the GitHub REST API (T1546 Event Triggered Execution). Both variants carry a base64-encoded bash payload that the SafeDep and OX Security write-ups disassemble in detail.

On execution the payload harvests CI environment variables, /proc/*/environ entries, AWS credentials across configured profiles and IMDSv2 metadata, GCP access tokens via gcloud auth print-access-token, Azure IMDS tokens, SSH private keys from ~/.ssh/, Docker config files, .npmrc, .netrc, Kubernetes configs, Vault tokens, Terraform credentials and — critically for CI/CD trust chains — GitHub Actions OIDC tokens (T1552.004 Private Keys; T1078.004 Cloud Accounts). The npm package @tiledesk/tiledesk-server versions 2.18.6–2.18.12 carry the Optimize-Build variant after the maintainer's GitHub repo was compromised; SafeDep's Malysis engine flagged the package.

Detection vantage: audit every .github/workflows/*.yml for the SafeDep-published payload markers and unfamiliar committer identities on recent commits; review CI runner process trees for aws configure list-profiles, gcloud auth print-access-token and curl http://169.254.169.254 calls outside expected infra tests.

Hardening: require approval for workflow_dispatch on untrusted branches, gate .github/workflows/ changes behind CODEOWNERS review, adopt OIDC-based trusted publishing to eliminate long-lived cloud credentials, and pin third-party actions to commit SHAs, not branch tags.

Why it matters to us: any EU/CH agency, university or contractor with CI/CD reaching cloud infrastructure is exposed if a maintainer they depend on was caught in the 6-hour sweep — re-audit GitHub Actions workflows on internal forks today, and rotate any cloud credentials previously surfaced via CI runners in the affected window.
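
An added triage example (not from the brief, SafeDep or OX Security) for the workflow audit described above: it flags commits that touch .github/workflows/ and carry the forged committer names or the 2001-09-17 timestamp named in the brief. The git log field layout, the function names and the sample records are assumptions constructed here.

```python
import subprocess

# Indicators taken from the brief above.
FORGED_NAMES = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
FORGED_DATE = "2001-09-17"
WORKFLOW_DIR = ".github/workflows/"
# Assumed log layout: \x01-prefixed header of \x1f-separated fields, then paths.
GIT_LOG = ["git", "log", "--all", "--name-only",
           "--format=%x01%H%x1f%an%x1f%cn%x1f%aI%x1f%cI"]


def read_log(repo="."):
    """Return raw `git log` text for a local clone (pass it to triage)."""
    return subprocess.run(GIT_LOG, cwd=repo, check=True,
                          capture_output=True, text=True).stdout


def triage(log_text):
    """Return (commit, reasons, workflow_paths) for suspicious workflow commits."""
    findings = []
    for record in filter(None, log_text.split("\x01")):
        header, _, rest = record.partition("\n")
        commit, author, committer, adate, cdate = header.split("\x1f")
        workflows = [p for p in rest.split("\n") if p.startswith(WORKFLOW_DIR)]
        if not workflows:
            continue  # only commits that change CI workflows are in scope
        reasons = []
        if {author.lower(), committer.lower()} & FORGED_NAMES:
            reasons.append("forged-identity")
        if FORGED_DATE in (adate[:10], cdate[:10]):
            reasons.append("2001-09-17-timestamp")
        if reasons:
            findings.append((commit, reasons, workflows))
    return findings


# Constructed sample in the layout above; hashes, names and paths are made up.
OLD, NEW = "2001-09-17T00:00:00+00:00", "2026-05-10T09:00:00+00:00"
SAMPLE = (
    f"\x01aaa111\x1fci-bot\x1fci-bot\x1f{OLD}\x1f{OLD}\n\n.github/workflows/build.yml\n\n"
    f"\x01bbb222\x1fAlice\x1fAlice\x1f{NEW}\x1f{NEW}\n\n.github/workflows/ci.yml\nREADME.md\n\n"
    f"\x01ccc333\x1fbuild-bot\x1fbuild-bot\x1f{NEW}\x1f{NEW}\n\nsrc/app.js\n\n"
    f"\x01ddd444\x1fBob\x1fauto-ci\x1f{NEW}\x1f{NEW}\n\n.github/workflows/release.yml\n"
)

if __name__ == "__main__":
    for commit, reasons, paths in triage(SAMPLE):  # or triage(read_log("path/to/clone"))
        print(commit, ",".join(reasons), *paths)
```

Legitimate automation can share these bot names, so treat each finding as a lead for manual review of the workflow diff.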