Tiledesk — Megalodon CI/CD Backdoor

TiledeskMegalodon CI/CD BackdoorUpdated 2026-05-23 00:44 UTC

Attack path

The Megalodon automated campaign pushed 5,718 malicious commits to 5,561 GitHub repositories, including @tiledesk/tiledesk-server, injecting GitHub Actions workflows with base64-encoded bash payloads. These payloads exfiltrated CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets to a C2 server. The campaign is linked to broader supply chain attacks by TeamPCP.

Malicious Workflow Injection