
GitHub Attacked By Megalodon: Malicious Code That Infected More Than 5,500 Repositories



On May 18, 2026, a large-scale automated cyber campaign dubbed Megalodon was detected, in which attackers injected 5,718 malicious commits into 5,561 GitHub repositories over the course of six hours. The attack was designed to look like legitimate CI/CD activity, and its primary goal was the exfiltration of sensitive data from development and build processes.

Megalodon was discovered inside Tiledesk, an open-source platform for online chats and chatbots. The malware didn't need to hack the project's npm account; it simply infected the project on GitHub. The last "clean" version the project administrator published was 2.18.5. After that, without realizing it, the administrator approved backdoored versions 2.18.6 (May 19) through 2.18.12 (May 21).

The hacker group TeamPCP uses similar attack methods, but its involvement in the Megalodon campaign has not been confirmed. TeamPCP is known to have announced a supply chain attack competition, but the creator of Megalodon is probably not one of the contestants either: according to the rules, participants must include a public encryption key in their malicious code to confirm their authorship.

Megalodon can be seen as one of the most illustrative examples of CI/CD infrastructure abuse: the attack combines scale, automation, disguise as legitimate processes, and the targeting of cloud secrets that can open access to an organization's entire ecosystem.
