A large-scale automated GitHub backdooring campaign was caught pushing thousands of malicious commits into public repositories while posing as routine CI/CD upkeep.

Researchers at SafeDep observed the campaign, Megalodon, touching more than five thousand repositories over a six-hour window on May 18. The attack was in the form of a malicious commit, “acac5a9,” targeting GitHub Actions workflows.

Unexpected workflow_dispatch runs in the Actions tab could be a warning sign, the researchers said in a blog post. “If you use OIDC federation for cloud deployments, review cloud audit logs for token requests from unknown workflow runs.”

The malicious commits were seen modifying Github Actions workflows to include base64-encoded bash payloads designed to steal secrets exposed during CI execution, including cloud credentials, SSH keys, OpenID Connect (OIDC) tokens, source code secrets, and other environment variables.

Among the hardest-hit projects were Wiznet’s ioLibrary_Driver repository, four Tiledesk repositories, and four persian-tools repositories, with well over 2,000 malicious commits between them.

A later blog post by OX Security flagged some similarities to the widespread TeamPCP compromises, particularly the use of hardcoded historical commit dates. This was a trick used in TeamPCP-linked operations to hide the true timing of malicious activity.

An automated attack with compromised keys

SafeDep’s researchers said the Megalodon campaign pushed 5,718 malicious commits across 5,561 public GitHub repositories within roughly six hours, primarily by abusing compromised credentials to directly modify GitHub Actions workflows.

It detected the campaign while investigating a Tiledesk GitHub Actions workflow file hiding the base64-encoded bash payload.

“Versions 2.18.6 (May 19) through 2.18.12 (May 21) all carry the backdoor,” the researchers had concluded after preliminary investigation.

Further comparison of the culprit Tiledesk versions with their legitimate predecessors led the researchers to a malicious commit . “The malicious commit landed on May 18, 2026, authored by build-bot <build-system@noreply.dev> with the message ‘ci: add build optimization step’,” they said. “The author name and generic noreply email mimic automated CI commits.”

The commit was pushed without a pull request (PR) or a merge commit, which the researchers said was done using a compromised Personal Access Token (PAT) or deploy key. They warned the malicious commit remained active on the “master branch” at the time of publishing the disclosure.

Besides “build-bot”, the campaign also relied on other forged author identities such as “auto-ci” and “ci-bot.”

The campaign pushed out two payload variants. The first, “SysDiag,” embedded obfuscated bash payloads directly into workflows, triggering automatically on every push or PR, while the second, “Optimize-Build,” followed a staged approach using ‘workflow_dispatch” to execute the malicious workflow only when needed. The latter, used in the Tiledesk compromise, proved operationally noisy and left detectable traces.

Both variants targeted sensitive CI secrets including AWS and GCP credentials, SSH keys, Kubernetes configs, GitHub OIDC tokens, source code secrets, and shell history. They exfiltrated stolen secrets to attacker-controlled infrastructure at 216.126.225.129:8443.

SafeDep shared a list of indicators of compromise (IOCs) including the C2 domain, campaign signature, author names and emails, commit messages, and the names of the compromised GitHub repositories to aid in detection and clean-up.