Megalodon Attack: Thousands of GitHub Repositories Backdoored in Mass CI/CD Pipeline Compromise
Cybersecurity researchers have uncovered a massive automated campaign dubbed **Megalodon**, which injected malicious code into thousands of **GitHub** repositories. The attack compromised CI/CD pipelines, enabling the theft of sensitive credentials and secrets at scale.

### Mass GitHub Repository Backdooring
**Megalodon** pushed 5,718 malicious commits to 5,561 **GitHub** repositories within a six-hour window. According to a report by **SafeDep**, the attacker used throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot) to inject **GitHub Actions** workflows containing base64-encoded bash payloads.
These payloads exfiltrate CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets to a C2 server at 216.126.225[.]129:8443.
### Data Exfiltration Targets
The malware harvests a wide range of sensitive data, including:
* CI environment variables, `/proc/*/environ`, and PID 1 environment
* **Amazon Web Services (AWS)** credentials
* **Google Cloud** access tokens
* Instance role credentials obtained by querying **AWS IMDSv2**, **Google Cloud** metadata, and **Microsoft Azure Instance Metadata Service (IMDS)** endpoints
* SSH private keys
* Docker and Kubernetes configurations
* Vault tokens
* Terraform credentials
* Shell history
* API keys, database connection strings, JWTs, PEM private keys, and cloud tokens matching more than 30 secret regular expression patterns
* **GitHub Actions** OIDC token request URL and token
* GITHUB_TOKEN, GitLab CI/CD tokens, and Bitbucket tokens
* .env files, credentials.json, service-account.json, and other configuration files
### Impacted Packages and Attack Timeline
One of the impacted packages is `@tiledesk/tiledesk-server`, which bundles a Base64-encoded bash payload within a **GitHub Actions** workflow file. The attack occurred on May 18, 2026, between 11:36 a.m. and 5:48 p.m. UTC.
The attacker rotated through four author names (build-bot, auto-ci, ci-bot, pipeline-bot) and seven commit messages, all mimicking routine CI maintenance. Compromised PATs or deploy keys were used to push the malicious commits.
### Payload Variants: SysDiag and Optimize-Build
Two payload variants were observed:
* **SysDiag**: A mass variant that adds a new workflow triggered on every push and pull request.
* **Optimize-Build**: A targeted variant that activates only on `workflow_dispatch`, a **GitHub Actions** trigger that allows users to manually run a workflow on demand.

The targeted approach, as seen in the **Tiledesk** compromise, focuses on CI/CD runners rather than npm package installations.
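As an added example (not code from the SafeDep report or from any affected project), the following Python audit checks one workflow file for the traits described above: a forged commit author name, base64 output piped into a shell, an embedded base64 run that decodes to shell script, and the trigger the workflow runs on. The function names, the shell-hint strings, the file names and the sample workflows with their harmless stand-in payload are all constructed assumptions.

```python
import base64
import re

# Author names the report lists as forged on the malicious commits.
FORGED_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}")
DECODE_EXEC = re.compile(r"base64\s+(?:-d|--decode)\b[^\n]*\|\s*(?:ba)?sh\b")
ON_BLOCK = re.compile(r"^on:(.*?)(?=^\S|\Z)", re.M | re.S)
TRIGGER = re.compile(r"\b(push|pull_request|workflow_dispatch)\b")
SHELL_HINTS = ("#!/bin/", "curl ", "wget ", "/proc/", "environ")  # assumed heuristics

def decoded_shell_blobs(text):
    """Decode long base64 runs and keep those that read as shell script."""
    hits = []
    for run in B64_RUN.findall(text):
        try:
            padded = run + "=" * (-len(run) % 4)  # tolerate stripped padding
            decoded = base64.b64decode(padded, validate=True).decode("utf-8")
        except ValueError:  # not valid base64, or not UTF-8 text
            continue
        if any(hint in decoded for hint in SHELL_HINTS):
            hits.append(decoded)
    return hits

def audit_workflow(path, text, author):
    """Return findings for one workflow file and the author of its last commit."""
    findings = []
    if author in FORGED_AUTHORS:
        findings.append(f"{path}: author '{author}' matches a forged identity")
    if DECODE_EXEC.search(text):
        findings.append(f"{path}: base64 output piped into a shell")
    for blob in decoded_shell_blobs(text):
        findings.append(f"{path}: base64 run decodes to shell script ({len(blob)} chars)")
    on_block = ON_BLOCK.search(text)
    triggers = sorted(set(TRIGGER.findall(on_block.group(1)))) if on_block else []
    if findings and triggers:  # report the trigger only for flagged workflows
        findings.append(f"{path}: triggers: {', '.join(triggers)}")
    return findings

def constructed_workflow(trigger_block, run_line):
    """Build a constructed sample workflow (not taken from the campaign)."""
    return (f"name: ci\non:\n{trigger_block}jobs:\n  build:\n"
            f"    runs-on: ubuntu-latest\n    steps:\n      - run: {run_line}\n")

# Harmless stand-in payload, constructed for this example.
STAND_IN = base64.b64encode(b"#!/bin/bash\necho constructed stand-in payload\n").decode()
MASS = constructed_workflow("  push:\n  pull_request:\n", f'echo "{STAND_IN}" | base64 -d | bash')
TARGETED = constructed_workflow("  workflow_dispatch:\n", f'echo "{STAND_IN}" | base64 -d | bash')
CLEAN = constructed_workflow("  push:\n", "make test")
```

In a real repository, pass each file under `.github/workflows/` together with the output of `git log -1 --format=%an -- <file>` as the author.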

### Supply Chain Attack Era
Once a repository owner merges the malicious commit, the malware executes inside their CI/CD pipelines, spreading further and enabling the theft of credentials and secrets at scale.
According to **OX Security**'s Moshe Siman Tov Bustan, this attack marks the beginning of a new supply chain attack era, following previous incidents like **TeamPCP** compromising **GitHub**.
### TeamPCP's Expanding Attack Surface
The development comes as **TeamPCP** has weaponized the interlinked software supply chain to corrupt hundreds of open-source tools, worming their way through several ecosystems and extorting victims for profit. **Microsoft**-owned **GitHub** has become the latest addition to the group's long list of victims, which also includes **TanStack**, **Grafana Labs**, **OpenAI**, and **Mistral AI**.
**TeamPCP** attacks have fueled a cyclical exploitation of popular open-source projects, where one compromise feeds the next, allowing the malware to spread like wildfire in a worm-like fashion. The group also appears to be financially and geopolitically motivated, with connections to **BreachForums** and other extortion crews like **LAPSUS$** and **VECT**, and the deployment of wiper malware upon detecting machines located in Iran and Israel.
### NPM's Response and Mitigation Efforts
The fallout from **TeamPCP**'s attack spree and the **Mini Shai-Hulud worm** has led **npm** to invalidate granular access tokens with write access that bypass two-factor authentication (2FA). **npm** is also urging users to switch to Trusted Publishing to reduce reliance on such tokens.
### Malicious NPM Packages Impersonating Polymarket
In a separate incident, a throwaway account named "polymarketdev" published nine malicious **npm** packages impersonating **Polymarket** trading CLI tools within a 30-second window to steal victims' Ethereum/Polygon private keys via a postinstall hook. The packages include:
* polymarket-trading-cli
* polymarket-terminal
* polymarket-trade
* polymarket-auto-trade
* polymarket-copy-trading
* polymarket-bot
* polymarket-claude-code
* polymarket-ai-agent
* polymarket-trader

Upon installation, a postinstall script displays a fake wallet onboarding prompt that asks the user to paste their private key, claiming it stays encrypted. The script then sends the raw key in plaintext to a **Cloudflare** Worker. This highlights the increasing sophistication of attackers in leveraging social engineering to compromise user credentials.