Megalodon Ate 5,561 GitHub Repos in Six Hours. We Had the C2 in the Feed Before It Had a Name.

Between 11:36 and 17:48 UTC on May 18, 2026, a single automated campaign pushed 5,718 malicious commits to 5,561 GitHub repositories in six hours. The campaign was named Megalodon four days later by SafeDep, StepSecurity, OX Security, and a half-dozen other researchers who independently dissected the attack pattern. The malicious payload injected into each repository's .github/workflows/ directory is a base64-encoded bash loader that exfiltrates CI secrets, AWS and GCP and Azure cloud credentials, SSH keys, OIDC tokens, HashiCorp Vault tokens, Terraform credentials, and the output of more than thirty additional credential-format regexes to a hard-coded command and control endpoint at 216.126.225.129 on port 8443. As of the public disclosure on May 21, the attacker's ingest server had received 575,352 stolen files totaling 449 gigabytes.

The receipt

A quick check of our IOC index, the same one that feeds the public STIX feed our customers consume, returns 216.126.225.129:8080 and 216.126.225.129:8443 both indexed on May 22, 2026 at 13:38 UTC, sourced from SSL Blacklist's automated certificate-fingerprint scan, classified as botnet_cc, malware_family marked "Unknown" because the campaign had not yet been publicly named. The corresponding autonomous decision record in our oz_decisions index scored the IP at BDE 88, tier "high," and batched it for publication to our outbound STIX feed at 02:38 UTC the same morning. Anyone consuming our feed had the block in their SIEM before the Hacker News, BleepingComputer, or The Register wrote a word about Megalodon.

This is not a victory lap. It is the structural argument we keep making. Reputational threat feeds with strong primitives, especially SSL Blacklist's per-port certificate fingerprinting, surface attacker infrastructure within hours of activation. The naming and the narrative arrive days later. If the consumer's defensive pipeline depends on the named campaign to act, the consumer has accepted a multi-day window of permitted exfiltration. If the consumer's pipeline acts on the raw infrastructure signal, the window is hours.

The actor was on our radar already

The Megalodon campaign is attributed by multiple independent researchers to TeamPCP. Our adversaries and iocs indexes show 43 prior records anchored to that name. The strongest are pulled from Elastic Security Labs' container-detection research — we follow vendor blogs as primary sources during active campaigns, because nation-state and high-tempo criminal actors drop their indicators on vendor blogs first, before the indicators reach centralized feed aggregators. Our standing TeamPCP infrastructure cluster includes scan.aquasecurtiy.org (a typosquat of aquasecurity.org used for reconnaissance scans), a Trycloudflare-tunneled Canisterworm payload delivery chain, and an Internet Computer Protocol C2 endpoint at tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io — that last one is genuinely novel, a command and control endpoint over a decentralized blockchain canister, which neutralizes traditional takedown vectors because there is no provider to call.

The actor cluster has been building tradecraft in public for months. Container compromise, cloud-metadata harvesting, Trycloudflare anonymity, ICP-based C2, typosquat reconnaissance, and now mass automated GitHub Actions workflow poisoning at industrial scale. Megalodon is the merger of two adjacent specialties — credential harvesting in cloud-native environments, and supply chain compromise at the developer-pipeline layer. The actor figured out that the same regex engine that pulls AWS keys out of a CI environment can pull them out of fifty-five hundred different CI environments if you have a botnet of throwaway GitHub accounts and a base64-encoded bash script.

The attack mechanic worth burning into memory

The injected workflow is not delivered as a pull request that a maintainer would review. It is committed directly to the default branch by a forged author identity. The forged identities used by Megalodon include build-bot, auto-ci, ci-bot, and pipeline-bot, with email addresses [email protected] and [email protected]. The commit messages are deliberately mundane — "ci: add build optimization step," "chore: optimize pipeline runtime" — designed to slide past a maintainer's eye during a routine git log review. The malicious workflow file lives at a path most maintainers do not audit between releases, which means the first time the payload runs is the next time CI runs, which on a healthy project is within hours. The window between commit and exfiltration is therefore measured in single-digit hours, and the exfiltrated material — cloud credentials, SSH keys, Vault tokens — produces persistent access to the downstream cloud environments that those credentials authorize, well past the lifetime of the GitHub repository compromise itself.

The defensive primitive that catches this is one CODEOWNERS rule per repository: any modification to .github/workflows/ requires explicit approval from a human reviewer, not the repository administrator's auto-merge. The defensive primitive that catches the post-compromise blast radius is short-lived OIDC tokens scoped to specific workflow runs rather than long-lived static credentials stored in repository secrets. Both are documented. Neither is widely adopted. Megalodon is the marketplace's correction.

The downstream that mattered

The single most consequential compromise in the campaign was Tiledesk, an open-source live chat platform. The Megalodon-poisoned Docker build workflow shipped backdoored builds as @tiledesk/tiledesk-server versions 2.18.6 through 2.18.12 on npm before the maintainer caught it. Anyone who pulled those npm versions during the window — and npm packages of that scale pull into thousands of downstream applications within days — is now downstream of TeamPCP's credential harvester. That is the supply chain shape that the Pattern 38 series on our tracker is built to catch: the compromise is at the developer's pipeline layer, the propagation is through the package registry, the impact is at the production application layer two or three hops downstream, and the time from initial compromise to last-mile exposure is single-digit days.

What customers and defenders should do tonight

Pull the IP block. 216.126.225.129 across all ports, with deny-list precedence over any allowlist exception. Then audit any GitHub Actions workflow committed by an author whose email ends in noreply.dev or automated.dev or whose username matches the throwaway-eight-character pattern. Then rotate every secret that lived in repository secrets during the May 18 to May 22 window, because the assumption that they were not exfiltrated requires evidence, and the evidence is in the attacker's logs, not yours. Then add a CODEOWNERS rule on .github/workflows/ for every repository that ships software to anyone who is not yourself.

The campaign ate 5,561 repositories in six hours. The C2 lived in our feed before it had a name. The receipts are the receipts.

How do AI models see YOUR brand?

AIPM has audited 250+ domains. 15 seconds. Free while still in beta.

Audit your site now → aipmsec.com