Skip to main content
Emerging ThreatsSupply Chain Attacks

GitHub Repos Targeted in 5,500+ Malicious Commits

Laptop screen showing GitHub repository page with cityscape background and subtle CI/CD hints.

"We’ve entered a new supply chain attack era, and TeamPCP compromising GitHub was only the beginning," Ox Security lead researcher Moshe Siman Tov Bustan told The Register. The warning is grounded in a fresh, automated campaign that injected malicious commits into 5,561 GitHub repositories in a single operation and planted credential-stealing malware that can run inside CI/CD pipelines if repository owners merge the changes.

How Megalodon operates

Researchers at SafeDep uncovered the campaign, which they call Megalodon. The malicious commits contain CI/CD credential-stealing malware that, when executed inside a pipeline, systematically harvests credentials and tokens. According to SafeDep and Ox Security reporting, the malware steals AWS secret keys and Google Cloud access tokens; queries AWS, Google Cloud Platform, and Azure metadata for instance role credentials; reads SSH private keys, Docker and Kubernetes configurations, Vault tokens, and Terraform credentials; and scans source code for more than 30 secret regex patterns. It also exfiltrates GitHub tokens and Bitbucket tokens, including secrets used to authenticate with cloud providers — in the researchers’ words, “consider ALL of your CI/CD variables pwned.”

Scale, timeline, and the poisoned Tiledesk packages

SafeDep traced the initial malicious commit (acac5a9), authored as “build-bot” from the email build-system[@]noreply.dev with the message “ci: add build optimization step.” The researchers found an additional email, ci-bot@automated.dev, used by the actor. Across a six-hour window on May 18 (11:36 to 17:48 UTC), the two emails account for thousands of commits — 2,878 and 2,841 results respectively — that landed in 5,561 repositories.

Among the infected projects were nine Tiledesk repositories. SafeDep says the attacker backdoored published npm package versions 2.18.6 (May 19) through 2.18.12 (May 21) of the open source live chat and chatbot platform; version 2.18.5 was the last known clean release. SafeDep noted that “the attacker never touched the npm account” — instead, the GitHub repositories were compromised and the maintainer published the poisoned source without realizing it.

Other victims include Black-Iron-Project (eight compromised repositories), WISE-Community, and hundreds of smaller repositories. SafeDep published a full list of the compromised repositories.

Attack mechanics: push without PR, compromise of PATs or deploy keys

SafeDep found that the malicious commits were pushed directly to master with no pull request and no merge commit. The researchers say that “someone pushed the commit to master with no PR and no merge commit, using a compromised PAT or deploy key.” That delivery method enables the malware to run in downstream CI/CD environments as soon as a maintainer merges the commit, allowing the campaign to propagate further via the pipelines themselves.

Relation to TeamPCP and vendor responses

Megalodon echoes earlier supply-chain activity by TeamPCP, which previously poisoned about 3,800 GitHub repositories, but Ox Security does not currently believe the two are the same actor. Bustan told The Register that while the new campaign copies TeamPCP’s behavior and style, “there’s no threat-intel or code-analysis evidence that connects Megalodon to the crew behind the Trivy, Checkmarx, and other recent supply-chain attacks.” He also said Ox has indications the actor is not participating in the TeamPCP contest on BreachForums, which required adding a public encryption key as proof of involvement.

Platform responses have been limited but concrete. npm posted on X that it “invalidated npm granular access tokens with write access that bypass 2FA” to prevent additional supply-chain attacks like Mini Shai Hulud. Bustan noted, however, that token invalidation “could help a little with account hijacking, but it doesn’t solve the actual problem. Malicious code is still reaching their servers, and nothing is stopping it before it does.”

What this means for maintainers, cloud teams, and platform operators

  • Maintainers: SafeDep’s account of Tiledesk shows how a maintainer can unknowingly publish poisoned packages if the upstream source repository is compromised. Maintainers will need to assume their publish source can be tampered with and review CI/CD integration points for unauthorized credentials.
  • Cloud teams and enterprises with private repositories: Ox Security warned that compromising GitHub “compromises the security of every company with a private repository hosted on the platform.” Organizations that rely on CI/CD tokens embedded in pipelines must treat those variables as exposed until verified otherwise.
  • Platform operators (GitHub, npm): SafeDep’s findings and npm’s token invalidation illustrate two levers — repository integrity controls and token hygiene — but Bustan’s comment underscores that token revocation alone does not stop malicious code from reaching package servers or CI systems.

The Megalodon operation is both a technical escalation and a blunt reminder: when compromised commits land on master and pipeline credentials are available, attackers gain direct access to the keys and tokens that run modern cloud environments. SafeDep’s published list of 5,561 compromised repositories and the detailed traces — commit acac5a9, the build-bot emails, the Tiledesk package versions — make the incident tangible and actionable for maintainers, cloud defenders, and platform operators alike. How quickly those groups coordinate remediation and harden pipeline trust will determine whether Megalodon is an isolated wave or the start of the “endless” supply-chain tide Bustan warned about.

Source: The Register — Megalodon chums the waters in 5.5K+ GitHub repo poisonings