Six Hours, 5,561 Repos: Megalodon Backdoored GitHub Actions to Harvest CI/CD Secrets

On May 18, 2026, a threat actor tracked as TeamPCP spent roughly six hours quietly rewriting the build pipelines of thousands of open source projects. Between about 11:36 and 17:48 UTC the campaign, which researchers named Megalodon, pushed 5,718 malicious commits into 5,561 public GitHub repositories, injecting backdoored GitHub Actions workflow files that were built to siphon secrets out of every pipeline run that followed (StepSecurity, The Hacker News).

The mechanics were deliberately boring. The attacker rotated through four forged committer identities, build-bot, auto-ci, ci-bot, and pipeline-bot, paired with a small set of commit messages that read like routine CI maintenance, so the changes blended into the normal churn of automated tooling that nobody reads closely. Each injected workflow carried a base64 encoded bash payload that ran inside the repository Actions runner and harvested whatever the pipeline could reach, which on a typical project means cloud credentials, registry and API tokens, SSH keys, and the short lived OIDC tokens that GitHub Actions mints for deployments (SecurityWeek).

What makes Megalodon worth your attention is where the access came from, because the attacker never breached GitHub itself. Instead, more than a third of the affected repository usernames were direct matches to machines already infected by credential stealing malware, which strongly suggests the operator pulled valid GitHub tokens straight out of infostealer logs and weaponized them within hours of harvesting them (StepSecurity). On May 28, 2026 CISA folded the campaign into a formal advisory alongside the related Nx Console extension compromise, the incident that carries CVE-2026-48027, and told teams to audit CI/CD logs, rotate pipeline secrets, and revert any workflow changes pushed by automated accounts after May 18 (CISA).

Why this class of risk slips past your program

Most vulnerability programs are built around named products and version numbers, so a campaign that ships no vulnerable package and no CVE of its own tends to fall through the cracks entirely. There is nothing here for a scanner to fingerprint, because the malicious code lives in a YAML workflow file inside a repository rather than in a library you can match against a vulnerability database. The exposure is a configuration change in your own source control, and that is a place very few teams continuously watch with the same rigor they apply to host patching and dependency scanning.

The pipeline is also a uniquely valuable place to land. CI/CD runners are where the most powerful credentials in an organization tend to collect, since deployment jobs legitimately need cloud keys, registry tokens, and signing material to do their work. When an attacker controls the workflow file, every secret the pipeline touches becomes readable, and the theft happens during an ordinary green build that trips no alarm and looks identical to a thousand successful runs before it. Many of these poisoned projects also sit upstream of other people's software, so a single workflow change becomes a foothold that travels downstream into every team that consumes the affected dependency.

Three properties of this attack made it hard to catch while it was happening:

• No artifact to scan. The payload is a workflow file in your repository, not a vulnerable package, so software composition analysis and host scanners have nothing to flag.
• Trusted-looking authors. Commits arrived under names like build-bot and pipeline-bot with maintenance style messages, so they blended into the routine noise of CI automation that reviewers tend to skim past.
• Borrowed credentials. The tokens were already valid because they came from infostealer infections, so there was no failed login or brute force pattern for anomaly detection to notice.

Prioritizing with TRIS

Raw CVSS has nothing useful to say about Megalodon, because there is no single product version to score and the headline incident carries no CVE at all. That gap is exactly the problem TRIS, the multi-layer Threat and Risk Intelligence Scoring that CVEasy AI runs, was built to close. Rather than waiting for a base score that will never arrive, TRIS weighs the three signals that actually decide how urgent an exposure is for your specific environment:

• Active exploitation. This campaign ran in the wild, was confirmed end to end by multiple research teams, and was named in a CISA advisory, so TRIS ranks it at the top regardless of any missing CVSS value.
• Blast radius. Stolen CI/CD secrets reach cloud accounts, package registries, and deployment targets, so TRIS treats a poisoned pipeline as an organization wide credential problem rather than a single repository issue.
• Real exposure. TRIS narrows the alert to the repositories you actually own or depend on that executed Actions workflows after May 18, instead of burying every team under a generic advisory that maps to no specific asset.

The output is a ranked and defensible answer to the question that matters in the first hour of an event like this, which is simply who in my environment is genuinely exposed and which secret do they rotate first.

Remediation steps

1. Audit the .github/workflows/ directory in every repository you maintain for files added or modified after May 18, 2026, paying close attention to commits from unfamiliar or automated committers.
2. Revert any unauthorized workflow changes, and treat the base64 encoded bash payloads described by researchers as the signature to hunt for across your history.
3. Rotate all CI/CD secrets for any repository that ran a workflow after May 18, including cloud credentials, registry and API tokens, SSH keys, and database connection strings.
4. Review your GitHub organization audit logs for unexpected commits, OAuth app authorizations, and repository permission changes around the May 18 window.
5. Enable branch protection and require signed commits on default branches, so that a stolen token cannot push a workflow change unchallenged.
6. Pin third-party GitHub Actions to specific commit SHAs rather than mutable tags, which removes one of the easiest ways to hijack a trusted workflow.

How CVEasy AI surfaces this

When a supply chain event like Megalodon breaks, CVEasy AI ingests the indicators and the related advisory the moment they land, then ranks the real exposure with TRIS against your actual inventory, entirely on your own hardware. As the number one local-first CTEM platform, CVEasy AI never ships your repository list, your secret inventory, or your incident detail to a third party, which carries extra weight when the incident itself is the theft of credentials out of your build systems. The platform answers the practitioner question before anything else, which is that out of everything disclosed this week these specific pipelines of yours are exposed and here is the order in which to rotate their secrets. For a confirmed, in the wild secret harvesting campaign with this kind of blast radius, that ordering is not subtle, and CVEasy AI puts it at the top of the queue with the rotation checklist already attached.

References

• CISA: Supply Chain Compromises Impact Nx Console and GitHub Repositories
• StepSecurity: Megalodon mass GitHub Actions secret exfiltration across 5,500+ public repositories
• SecurityWeek: Over 5,500 GitHub repositories infected in Megalodon supply chain attack
• The Hacker News: Megalodon GitHub attack targets 5,561 repos with malicious CI/CD workflows