5,718 malicious commits were pushed to 5,561 GitHub repositories in a six‑hour span on May 18, 2026, according to a report by SafeDep — an automated supply‑chain campaign researchers have dubbed "Megalodon."
Scale and timing: a six‑hour burst that swept thousands of repos
SafeDep reports the activity occurred between 11:36 a.m. and 5:48 p.m. UTC on May 18, 2026, when throwaway accounts pushed 5,718 commits against 5,561 distinct repositories. The attacker rotated through author names such as build‑bot, auto‑ci, ci‑bot, and pipeline‑bot and used seven commit messages that "mimick[ed] routine CI maintenance," SafeDep said. Example throwaway usernames include rkb8el9r, bhlru9nr, and lo6wt4t6.
How the malicious GitHub Actions workflows operate
Attackers injected GitHub Actions workflow files containing base64‑encoded bash payloads that phone home to a command‑and‑control server at 216.126.225[.]129:8443, SafeDep found. In at least one impacted package — @tiledesk/tiledesk-server — the workflow bundled a Base64‑encoded bash payload. SafeDep identified two operational variants:
- SysDiag: a mass variant that adds a workflow triggered on push and pull_request, ensuring broad automatic execution.
- Optimize‑Build: a targeted variant that uses workflow_dispatch, allowing the attacker to trigger workflows on demand; in Tiledesk's case this targeted approach aims CI/CD runners rather than npm installs.
SafeDep observed that the attack chains used forged git author identities, throwaway GitHub accounts, and pushes performed via compromised personal access tokens (PATs) or deploy keys.
What the malware steals: an extensive harvest of secrets
SafeDep published a detailed inventory of the data exfiltrated by the payloads. The list includes:
- CI environment variables, /proc/*/environ, and the PID 1 environment
- AWS credentials and instance role credentials via AWS IMDSv2 queries
- Google Cloud access tokens and metadata‑service credentials
- Microsoft Azure Instance Metadata Service (IMDS) credentials
- SSH private keys; Docker and Kubernetes configurations
- Vault tokens, Terraform credentials, shell history
- API keys, database connection strings, JWTs, PEM private keys, and cloud tokens matching 30+ secret regex patterns
- GitHub Actions OIDC token request URL and token, GITHUB_TOKEN, GitLab CI/CD tokens, and Bitbucket tokens
- .env files, credentials.json, service‑account.json, and other configuration files
SafeDep concluded that merging a compromised commit causes the workflow to execute inside affected CI/CD pipelines and "spreads further, enabling the theft of credentials and secrets at scale."
TeamPCP, Mini Shai‑Hulud and the broader supply‑chain wave
SafeDep and other firms tie this activity to a wider surge of supply‑chain assaults linked to a group known as TeamPCP. The report states TeamPCP has previously corrupted numerous open‑source projects and that Microsoft‑owned GitHub became "the latest addition" to the group's list of victims, which also includes TanStack, Grafana Labs, OpenAI, and Mistral AI. Researchers say TeamPCP has both financial ties to extortion forums and geopolitical motives — the group reportedly deployed wiper malware when it detected machines in Iran and Israel.
OX Security's Moshe Siman Tov Bustan framed the development starkly: "We've entered a new supply chain attack era, and TeamPCP compromising GitHub was only the beginning. What's coming next is an endless wave, a tsunami of cyber attacks on developers worldwide."
Polymarketdev packages and npm's response
SafeDep also described a parallel throwaway‑account campaign: an account named polymarketdev published nine malicious npm packages impersonating Polymarket trading CLI tools within a 30‑second window. The packages — including polymarket‑trading‑cli, polymarket‑terminal, polymarket‑trade, polymarket‑auto‑trade, polymarket‑copy‑trading, polymarket‑bot, polymarket‑claude‑code, polymarket‑ai‑agent, and polymarket‑trader — embed a postinstall hook that displays a fake wallet onboarding prompt and then exfiltrates the supplied private key to a Cloudflare Worker at hxxps://polymarketbot.polymarketdev.workers[.]dev/v1/wallets/keys.
NPM has invalidated granular access tokens with write access that bypass two‑factor authentication and is urging users to switch to Trusted Publishing. Socket summarized the immediate impact: "By burning every bypass‑2FA token on the platform, npm cuts off the credentials the worm has already collected... The reset buys breathing room. It does not close the underlying hole."
What this means for open‑source maintainers, enterprises, and end users
- Open‑source maintainers: the attack shows how forged CI commits and workflow files can weaponize legitimate repositories; maintainers will need to scrutinize unexpected CI file changes and the provenance of commits before merging.
- Enterprises and security teams: the breadth of harvested secrets — from cloud instance roles to OIDC tokens and GITHUB_TOKEN values — underlines the need to assume compromised CI credentials can yield lateral access across cloud environments.
- End users and developers: social engineering in supply‑chain packages remains effective; the polymarketdev postinstall example demonstrates how functional tooling can be used as cover to collect sensitive keys from trusting users.
For defenders, the Megalodon burst is both a technical and operational warning: attackers can rapidly weaponize thousands of repositories by adding workflows that execute in trusted CI contexts, and simple resets — like npm invalidating bypass‑2FA tokens — can buy time but not eliminate the underlying exposure. As SafeDep and other researchers catalogue the infected packages, the immediate priorities are discovery, token rotation, and careful review of any CI workflow changes that appear routine but arrive from unfamiliar accounts.




