https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/
Anyone searching GitHub yet for these commits? It would be nice to see a full list of impacted projects.
5,700+ commits in six hours, 5,561 repositories, one payload: replace a GitHub Actions workflow with a dormant secret exfiltration backdoor. The workflow_dispatch trigger design means these backdoors sit silent until activated, creating no visible CI runs.
Tiledesk shows how repository compromise cascades to package registries. Seven npm versions carried the backdoor because the maintainer published from a poisoned repo. Application code: untouched. Only the workflow file changed. Code review would catch this, but nobody reviews workflow files in npm packages.
If your repository received a commit from build-system@noreply.dev or ci-bot@automated.dev on May 18, 2026: revert it, audit your workflow files, and rotate any secrets available to GitHub Actions runners. Check your Actions tab for unexpected workflow_dispatch runs. If you use OIDC federation for cloud deployments, review cloud audit logs for token requests from unknown workflow runs.

If you depend on @tiledesk/tiledesk-server: pin to version 2.18.5 or earlier until the repository is remediated. The malicious commit remains on the master branch as of this writing.
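The first remediation step above is a repository-side check: find commits from the two named author addresses that changed anything under `.github/workflows/`. The script below is an added triage helper, not code from SafeDep's write-up or from any affected project. It parses `git log` output (so it also works on a captured log, offline); the `GIT_LOG_FORMAT` string, the `scan_repo` helper and the `SAMPLE_LOG` fixture with placeholder SHAs and times are assumptions constructed for this example. It covers only the commit audit; checking the Actions tab and cloud audit logs is still a separate step.

```python
"""Triage helper (added example, not from the advisory): flag commits in a
local clone that come from the author addresses named in the write-up and
that touched GitHub Actions workflow files."""
import subprocess
from dataclasses import dataclass, field

# Author addresses and date taken from the advisory text.
SUSPECT_AUTHORS = {"build-system@noreply.dev", "ci-bot@automated.dev"}
SUSPECT_DATE = "2026-05-18"
WORKFLOW_PREFIX = ".github/workflows/"

# Assumed log layout: one NUL-separated record line per commit, then the
# touched paths from --name-only.
GIT_LOG_FORMAT = "COMMIT%x00%H%x00%ae%x00%aI"


@dataclass
class Commit:
    sha: str
    author_email: str
    author_date: str            # ISO-8601 as printed by %aI
    files: list = field(default_factory=list)


@dataclass
class Finding:
    sha: str
    author_email: str
    on_advisory_date: bool
    workflow_files: list


def parse_git_log(text):
    """Turn `git log --format=GIT_LOG_FORMAT --name-only` output into Commits."""
    commits = []
    current = None
    for line in text.splitlines():
        if line.startswith("COMMIT\x00"):
            _, sha, email, date = line.split("\x00")
            current = Commit(sha, email, date)
            commits.append(current)
        elif line.strip() and current is not None:
            current.files.append(line.strip())
    return commits


def suspicious_commits(commits):
    """Flag commits from a suspect author that changed any workflow file.

    The date is reported, not used as a filter, so a commit from one of these
    addresses outside the advisory window still surfaces for review.
    """
    findings = []
    for c in commits:
        if c.author_email.lower() not in SUSPECT_AUTHORS:
            continue
        workflow_files = [f for f in c.files if f.startswith(WORKFLOW_PREFIX)]
        if workflow_files:
            findings.append(Finding(c.sha, c.author_email,
                                    c.author_date.startswith(SUSPECT_DATE),
                                    workflow_files))
    return findings


def scan_repo(repo_path):
    """Run git over the full history of a local clone and triage it."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "--all",
         f"--format={GIT_LOG_FORMAT}", "--name-only"],
        check=True, capture_output=True, text=True).stdout
    return suspicious_commits(parse_git_log(out))


# Constructed sample log (placeholder SHAs and timestamps): one suspect commit
# that swapped a workflow file, one ordinary commit touching application code.
SAMPLE_LOG = (
    "COMMIT\x00" + "a" * 40 + "\x00build-system@noreply.dev\x002026-05-18T03:14:07+00:00\n\n"
    ".github/workflows/ci.yml\n\n"
    "COMMIT\x00" + "b" * 40 + "\x00dev@example.com\x002026-05-17T10:00:00+00:00\n\n"
    "src/index.js\npackage.json\n"
)

if __name__ == "__main__":
    import sys
    # With a path argument, scan that clone; otherwise run over the sample.
    if len(sys.argv) > 1:
        findings = scan_repo(sys.argv[1])
    else:
        findings = suspicious_commits(parse_git_log(SAMPLE_LOG))
    for f in findings:
        note = "" if f.on_advisory_date else " (outside advisory date)"
        print(f"{f.sha[:12]} {f.author_email}{note}: {', '.join(f.workflow_files)}")
```

Run it with a clone path (`python triage.py /path/to/clone`) to list every hit across all refs, including branches the default branch view would hide; each flagged SHA is a candidate for the revert, and the listed workflow files are the ones to diff against a known-good copy before rotating the runner-accessible secrets.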