June 6, 2026

TeamPCP's Shai-Hulud Campaign & the Copycat Wave — incl. Megalodon Deep-Dive (Jun 2026)

Protos Labs Threat Intelligence

#TeamPCP #ShaiHulud #Megalodon #SupplyChain #GitHubActions #ThreatIntelligence #CICD #CyberSecurity #npm #OpenSource
TLP:CLEAR Threat intelligence Software supply chain v2 · 6 June 2026
Classification: TLP:CLEAR
Prepared by: Protos AI Threat Intelligence Agent
Version: v2 — 6 June 2026
Audience: CISOs & security leaders; software-producing organisations
Reporting window: Incident on 18 May 2026; core assessment closed 29 May, with post-incident developments tracked through 6 June 2026; broader actor profile draws on late-2025–2026 reporting
Distribution: Share freely within and between organisations
§ 00 · Orientation

The bigger picture.

We all heard about Megalodon chomping down on GitHub, leaving big teeth marks on supply chains. But what continues to lurk beneath the surface might be even more dangerous. What’s the bigger picture here?

TLDR

Megalodon was painful but what’s to come might be even more so.

If you’ve been paying attention to Megalodon, you would have heard that the campaign has traces of TeamPCP TTPs. Yet the firm that analysed Megalodon’s code (OX Security) assessed the incident is most likely by a copycat, not TeamPCP operating directly. According to OX Security lead researcher Moshe Siman Tov Bustan, Megalodon is most likely “a different threat actor copying their behavior and style, but not much of the code itself,” noting no direct links, no shared identifying IOCs, no claim of responsibility, meaning “for now, the connection remains unconfirmed.”

Similar TTPs but no direct attribution to the well-known threat actor that’s known for such methodology. So what? The bigger picture here is all the more important and could be cause for urgency for many more organisations and teams.

The key context here is that Megalodon rides on TeamPCP’s public release of its tooling. On 12 May 2026 the group open-sourced the complete “Shai-Hulud” framework (the Shai-Hulud 3.0 worm) via two GitHub repositories under an MIT licence, and a competition was announced offering $1,000 in Monero for the biggest supply-chain attack conducted with it. VX Underground publicised the release and indicated it retained a copy after GitHub removed the repos; no live VX Underground-hosted mirror was independently confirmed [Low/Unverified — DarkOwl Vision, 6 Jun 2026]. This puts industrial-scale pipeline poisoning within reach of any actor who wants it, and even incentivises it. While Megalodon is not firmly attributed to TeamPCP, it is the first major copycat campaign to occur since the release of its open-sourced Shai-Hulud variant. With other attacks showing TTP overlaps since 12 May, we have reason to believe that we’ll continue to see more TeamPCP-enabled or copycat campaigns in the near future.

To visually illustrate the pattern, here’s a timeline of what’s been happening since TeamPCP’s public release on 12 May. Read on for the detailed threat intelligence brief on Megalodon and the Shai-Hulud implications, generated by Protos AI with the supervision of our human team.

§ 01 · Mini Shai-Hulud campaign timeline

Apr 22 – Jun 5, 2026.

Tracks the Mini Shai-Hulud campaign plus copycat campaigns spawned after the worm was open-sourced on 12 May. Each row ends with an attribution label. Counts are tracker-dependent and noted where sources diverge.

Legend: TeamPCP / Mini Shai-Hulud · The enabler · Copycat · Enterprise impact · Platform / status
22 Apr 2026

Bitwarden CLI precursor

@bitwarden/cli compromised via a poisoned GitHub Actions workflow.

Detail: Early TeamPCP supply-chain op in the same tooling lineage as Shai-Hulud. Reported · High.
TeamPCP
29 Apr 2026

Origin wave — SAP CAP

Four SAP CAP npm packages trojanised; exfil repos self-ID as “The Third Coming.”

Detail: @cap-js/sqlite, postgres, db-service, mbt via npm token leaked through a malicious CircleCI PR build. Bun-runtime stealer; AI-agent persistence + Russian-locale guard.
Mini Shai-Hulud
30 Apr 2026

Cross-ecosystem jump

PyPI lightning + npm intercom-client; Rubygems/PHP touched. ~8–10M dl.

Detail: lightning 2.6.2/2.6.3 and intercom-client 7.0.4/7.0.5. Lightning community fixed in ~42 minutes.
Mini Shai-Hulud
11 May 2026

Peak wave — TanStack

84 versions / 42 packages in ~6 min. First npm worm with valid SLSA L3 provenance. CVE-2026-45321 (CVSS 9.6).

Detail: pull_request_target “Pwn Request” + Actions cache poisoning + OIDC extraction from runner memory. @tanstack/react-router ~12.7M weekly downloads. TeamPCP publicly claimed it.
TeamPCP
11–12 May 2026

Propagation + victims

172 packages / ~518M weekly downloads. Mistral AI, UiPath, OpenSearch, Guardrails AI.

Detail: ~403–404 versions across npm + PyPI; 400+ exfil repos created. Mistral AI hit via @mistralai/* and PyPI mistralai 2.4.6.
Mini Shai-Hulud
12 May 2026

Worm open-sourced — the enabler

TeamPCP open-sources full worm MIT; BreachForums announces $1,000 XMR contest. The pivot.

The pivot: Published via compromised accounts PedroTortoriello + g00dfe11ow. GitHub removed repos but forks already existed. Every copycat below descends from this event.
Enabler
15 May 2026

OpenAI disclosure

Two dev devices compromised; macOS/Windows/iOS/Android code-signing certs exfiltrated.

Detail: Compromised via a malicious TanStack package. No customer data or production impact confirmed.
Enterprise impact
~15–17 May 2026

Mistral AI extortion

Dev device + trojanised SDKs confirmed. TeamPCP demands $25,000 for alleged 5 GB leak.

Detail: Non-core repos accessed. TeamPCP-linked forum account claims to sell Mistral repositories.
Extortion
17 May 2026

Copycat #1 — “deadcode”

Four malicious npm clones; one ships a Go DDoS botnet (“Phantom Bot”). First effect of the contest.

Detail: Clones incl. chalk-tempalte and axois-utils; ~2,678 combined weekly downloads. OX Security detection.
Copycat
18 May 2026

Copycat #2 — Megalodon

GitHub Actions workflow injection: ~5,561 repos / 5,718 commits in ~6h. Likely copycat, not TeamPCP.

Detail: Injects SysDiag (mass) and Optimize-Build (dormant) workflows. C2 216[.]126[.]225[.]129:8443. OX: “different actor copying their behavior and style, but not much of the code itself.”
Copycat
19 May 2026

Largest hour — @antv

Maintainer takeover; 639 versions / 323 packages in ~25 min. Exfil to t.m-kosche[.]com.

Detail: Takeover of atool (547 pkgs) + prop; 558/279 @antv/*. Hits echarts-for-react, size-sensor (~4.2M/wk), timeago.js (~1.5M/wk).
Mini Shai-Hulud
19 May 2026

Microsoft durabletask

PyPI SDK compromised; 28KB stealer + locale-gated rm -rf /* wiper (~1-in-6).

Detail: Versions 1.4.1–1.4.3 via stolen PyPI token. Hits AWS/Azure/GCP/K8s/Vault + 90+ dev-tool configs in <4s. Same t.m-kosche[.]com C2 as @antv. Confirmed StepSecurity, Wiz, SafeDep.
Mini Shai-Hulud
19 May 2026

issues-helper Action

actions-cool/issues-helper compromised — every tag redirected to an imposter commit.

Detail: Exfiltrates CI/CD credentials; same t.m-kosche[.]com C2 ties it to the @antv wave.
Mini Shai-Hulud
19 May 2026

Platform response

npm purges 2FA-bypass write tokens; GitHub removes 640 packages, invalidates 61,274 tokens.

Detail: npm pushes OIDC Trusted Publishing. GitHub invalidates tokens and removes packages. Industry-wide response.
Platform
1 Jun 2026

Copycat #3 — Miasma

~32 @redhat-cloud-services npm packages via GitHub Actions OIDC; valid provenance on each.

Detail: ~95–96 versions, 3 same-day waves; 116,991 weekly downloads. From a compromised Red Hat employee account. Payload derived from open-sourced Mini Shai-Hulud (Wiz: “modifications largely cosmetic”). Removed in ~2h.
Copycat
3–4 Jun 2026

Miasma — second wave (Phantom Gyp)

Same campaign returns: 57 packages via novel binding.gyp vector, bypassing pre/post-install monitors.

Detail · OX / Wiz / Snyk: 157-byte binding.gyp triggers node-gyp at install. New dead-drop firedalazer (replacing FIRESCALE) fetches follow-on index.js — self-repeating loop. Victims: @vapi-ai/server-sdk (~408K/mo), ai-sdk-ollama (~120K). Snyk “Node-gyp Supply Chain Compromise” (Critical). Attribution: TTP overlap, copycat use cannot be ruled out.
Copycat
As of 6 Jun 2026

Cumulative status

~1,055 versions / ~502 packages across npm, PyPI, Composer (Socket). Copycat activity ongoing.

Detail: Worm tooling public since 12 May. No single CVE covers the worm. Copycat campaigns continuing.
Status
What to prioritise now

See immediate actions and detection rules in Part 2 below. Focus on hunting repositories for injected workflow signatures, rotating exposed secrets, and blocking the reported C2.

Detailed Brief — Megalodon · Part 1 of 2 · For CISOs & Security Leaders
Megalodon: GitHub Actions Supply-Chain Campaign
TLP:CLEAR · Protos AI Threat Intelligence Agent (human-supervised) · v2 — 6 June 2026
§ 01 · Executive summary

Executive summary for non-technical stakeholders.

The headline. On 18 May 2026, an automated campaign codenamed Megalodon pushed roughly 5,718 malicious commits to ~5,561 public GitHub repositories in a single ~six-hour window, injecting malicious GitHub Actions workflows that harvest CI/CD secrets, cloud credentials, SSH keys, and identity tokens and ship them to attacker infrastructure. This is a software supply-chain attack at the build-pipeline layer — the attackers never touched application code, only the automated workflows that build and ship it. At least one downstream open-source package family, @tiledesk/tiledesk-server (versions 2.18.6–2.18.12), was published in compromised form, turning repository edits into distribution risk for everyone who installs it.

Why this matters even if you were not a directly compromised repository. The defining danger of this incident is cascade.

CI and cloud secrets harvested from a compromised build run can be reused to reach other repositories, cloud accounts, and deployment pipelines. Poisoned packages can be pulled by downstream consumers, inserting malicious code into production or build environments — even for organisations that never touched the originally compromised repositories. The most realistic near-term threat to your organisation is not encryption of your systems; it is secondary compromise from exposed build-pipeline secrets and trust in poisoned dependencies.

Why the attribution question does not change your defences

Megalodon closely imitates the tradecraft of a prolific supply-chain actor called TeamPCP (tracked by Google as UNC6780), who days earlier open-sourced its “Shai-Hulud” attack framework and helped launch a competition rewarding the biggest supply-chain attack. That open-sourcing is the only confirmed link between the two — it does not mean TeamPCP ran Megalodon. The firm that analysed the code (OX Security) assesses Megalodon is most likely a separate copycat actor, not TeamPCP operating directly, with no direct links or claims of responsibility connecting them; reporting is not unanimous, so attribution is rated Low confidence. Treat the technique — not the actor’s name — as the actionable threat, and prioritise containment over attribution.

Why it matters even if you are not a GitHub-heavy shop

Almost every modern organisation consumes open-source packages built in pipelines like these. The root cause of the initial access was not a GitHub product vulnerability — it was compromised developer credentials harvested from infostealer-infected machines. Hudson Rock cross-referenced the accounts behind the malicious commits and found over a third (331 of 978 unique usernames) matched computers already infected by infostealers, concluding the affected accounts were “exclusively sourced from infostealer data.” Against a cybercrime-intelligence database tracking 20M-plus infostealer-infected machines, that makes the precondition for an attack like this already present across the sector.

What to do now

Hunt your repositories for the injected workflow signature and block the reported C2. Rotate GitHub tokens, OAuth grants, deploy keys, and any cloud / registry secrets reachable from your build pipelines. Audit recent workflow-file changes for base64 -d | bash patterns and unexpected workflow_dispatch logic. If you consume @tiledesk/tiledesk-server, pin away from 2.18.6–2.18.12. Preserve CI runner logs before cleanup. See Part 2 for sequenced actions.

Risk level — High

This is driven by the combination of large-scale repository compromise, theft of CI/cloud/identity secrets, and confirmed downstream package poisoning — not by ransomware, and not negated by the unconfirmed attribution. The follow-on secondary-compromise risk is the live threat.

Confidence — High (incident) / Low (attribution). Most core technical claims — scale, timing, workflow-injection mechanism, secret-harvesting behaviour, C2 endpoint, and downstream package compromise — are supported by independent reporting. Direct attribution to TeamPCP is an unconfirmed hypothesis which is not corroborated by two independent technical sources.

Update — early June 2026

Two developments since the initial 29 May assessment, both reinforcing this report’s conclusions:

Platform response — npm burned the bypass-2FA tokens. On 19 May 2026, in response to the TeamPCP spree and the Mini Shai-Hulud worm, npm invalidated all granular access tokens with write access that bypass two-factor authentication and urged maintainers to move to OIDC Trusted Publishing. Per Microsoft’s security blog, GitHub removed 640 malicious packages and invalidated 61,274 such tokens. This is a material defensive change — but as Socket noted, it “buys breathing room” rather than closing the underlying hole: the worm remains active and simply resumes harvesting the new tokens maintainers issue.

The copycat prediction has already played out — the “Miasma” wave. On 1 June 2026, ~32 packages (≈95–96 versions, pushed in three same-day waves as takedowns lagged; ~80,000–117,000 weekly downloads) under the trusted @redhat-cloud-services npm namespace were published in compromised form carrying a new Mini Shai-Hulud variant self-identifying as “Miasma: The Spreading Blight.” Critically, the packages were published via GitHub Actions OIDC from a compromised Red Hat employee account — bypassing npm token security entirely, which is exactly the OIDC-abuse vector this report flagged as the central risk (§ 01, Part 2) and which routes around the token invalidation above. Notably, every malicious version carried a valid npm provenance attestation — a real-world confirmation of this report’s point that provenance proves origin, not benignity. Red Hat removed the packages within ~2 hours and stated the compromise was limited to internal development tooling with no evidence of customer impact. Every major analysis (Wiz, Orca, Aikido, OX Security, Socket, SafeDep) frames attribution the same way this report frames Megalodon’s: strong TTP overlap with TeamPCP, but a copycat using the open-sourced tooling cannot be ruled out. Miasma is direct, independent confirmation of this report’s forward-looking judgement that the Shai-Hulud leak would spawn recurring copycat campaigns. (A dedicated Protos Labs report on Miasma is in preparation; this note is context only.)

Update (6 June) — the worm has accelerated, not slowed. On 3 June 2026 a follow-on Miasma variant dubbed “Phantom Gyp” (StepSecurity) compromised 57 more packages across 286+ versions in under two hours, weaponising binding.gyp / node-gyp to execute at install while evading the preinstall/postinstall monitors many teams added after earlier waves; the largest victim, @vapi-ai/server-sdk, sees ~408K monthly downloads. Separately, Whiteintel reported the compromised Red Hat developer’s GitHub credentials and a live MFA-bypassing session cookie sat in infostealer logs for ~49 days before the 1 June attack — reinforcing that infostealer-sourced access remains the root cause.

§ 02 · Incident overview

Latest position.

Where the timeline lives

The campaign chronology — including the TeamPCP context waves, the 12 May open-sourcing, Megalodon, and the copycats — is in the Mini Shai-Hulud campaign timeline at the top of this page. This section covers the confirmed technical detail specific to the Megalodon incident.

Confirmed technical observations

  • Mass malicious commits pushed to thousands of GitHub repositories during a compressed window on 18 May 2026.
  • Injected GitHub Actions workflows containing a base64-decoded bash payload executed in CI, used to harvest secrets and exfiltrate them to attacker infrastructure.
  • At least one concrete infrastructure observable: the exfiltration/C2 endpoint at 216[.]126[.]225[.]129 on port :8443 (reported across all primary sources; a :8080 live-ingest observation is single-source and unverified — see IOC table), tagged with the campaign string megalodon.
  • Two payload variants: a mass variant (workflow named SysDiag, triggers on every push/PR) and a targeted variant (workflow named Optimize-Build, dormant workflow_dispatch trigger fired on demand).
  • Confirmed downstream package compromise: @tiledesk/tiledesk-server 2.18.6–2.18.12.

What is confirmed exposed

CI environment variables and secrets; cloud credentials (AWS / GCP / Azure, including instance-metadata and IMDS paths); SSH private keys; Docker, .npmrc, .netrc, Kubernetes, Vault, and Terraform credentials; source-embedded secrets across a 30-plus pattern regex sweep; and — most consequentially — GitHub Actions OIDC tokens (ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN) plus GITHUB_TOKEN, GitLab, and Bitbucket tokens. (The harvesting capability is established from payload analysis; the valid-credential initial-access mechanism is SafeDep’s stated hypothesis — see Part 2 § 01.)

Claimed or single-source (treat cautiously)

  • Attribution to TeamPCP. Some reporting (e.g. Rescana and downstream outlets) attributes Megalodon directly to TeamPCP. The researchers closest to the campaign (OX Security) assess it is more likely a copycat. Treat direct attribution as a low-confidence hypothesis.
  • Historical related infrastructure. A related endpoint, 144[.]172[.]116[.]48:8080, surfaced in adjacent reporting (first seen ~8 May 2026). Treat as Medium confidence / contextual.
  • Total data exfiltrated. Any figure for total volume stolen comes from single-vendor observation of the C2 and is not independently corroborated.

What is not yet known

  • Repository-by-repository scope. Counts are anchored to researcher observation (SafeDep: 5,561 repos / 5,718 commits; OX’s independent YAML-file count was lower, ~3,500 then ~2,900 as repos were cleaned). Exact blast radius should be treated carefully.
  • Package artifact hashes. No full tarball SHA-256 or SRI value for the compromised Tiledesk versions was obtained in collected evidence as of 4 June 2026 — a retrospective-detection gap.
  • Advisory tracking. No GHSA, OSV, npm advisory, or CVE identifier for Megalodon as of 4 June 2026.
  • Whether any portion of the stolen-credential corpus has already been used for follow-on intrusions beyond the original campaign window.
§ 03 · Organisational impact

What this means for your organisation.

If you operate GitHub repositories with CI/CD

You are a potentially directly affected party. Your immediate priorities are: hunting for the injected workflow signature across your repositories and forks; rotating GitHub PATs, deploy keys, Actions secrets, OIDC trust relationships, and repository-scoped tokens for any exposed build environment; rotating cloud credentials and invalidating temporary tokens reachable from CI runners; auditing recent workflow-file changes; and preserving CI runner and workflow-run logs before cleanup. See Part 2 for sequenced actions.

On the “is it TeamPCP?” question. Do not delay credential-rotation, workflow-audit, or egress-detection work on the basis of attribution. Whether the operator is TeamPCP or a copycat does not change the technique, the secrets at risk, or the response.

If you consume open-source packages (i.e. everyone)

You are affected by the broader supply-chain exposure in three ways:

  • Direct downstream poisoning. If you installed @tiledesk/tiledesk-server 2.18.6–2.18.12, you pulled a backdoored package from a legitimate, trusted publishing channel. Pin to the last clean release (2.18.5) or a verified clean version and rotate any secrets exposed to those build/runtime environments.
  • Indirect exposure via your dependencies’ pipelines. Any of your upstream maintainers whose repository was poisoned could republish compromised artifacts without realising it — exactly as happened to Tiledesk. The npm account was never touched; the source repository was.
  • Trust-chain abuse generally. Stolen CI/cloud secrets enable attackers to impersonate build pipelines and move laterally. Provenance and attestation badges do not help here — the parallel Mini Shai-Hulud wave produced validly SLSA-attested malicious packages, and the 1 June Miasma wave did the same. Provenance proves origin, not benignity.

What will probably happen next

In order of likelihood:

  1. Reuse of harvested CI/cloud/identity secrets to access additional repositories, cloud accounts, or deployment pipelines (secondary compromise).
  2. On-demand triggering of dormant Optimize-Build backdoors in repositories that were poisoned but not yet cleaned.
  3. Further downstream package poisoning where a poisoned repo feeds a published npm/PyPI package.
  4. Additional copycat campaigns using the open-sourced Shai-Hulud framework, given the public tooling and the contest incentive. (Already materialised: the 1 June “Miasma” wave against @redhat-cloud-services — see § 01 update.)
  5. (Lower probability, longer horizon) Targeted extortion of organisations whose proprietary code or secrets are confirmed stolen.
§ 04 · Threat actor profile

Threat actor context: TeamPCP and the Shai-Hulud enabler.

Read this first — the attribution in one paragraph. Megalodon (18 May 2026) is a separate, unattributed campaign that imitates TeamPCP’s tradecraft. TeamPCP is the confirmed actor behind the surrounding 2026 supply-chain campaigns (Trivy, TanStack, the GitHub breach, etc.) and the enabler of Megalodon — by open-sourcing its Shai-Hulud framework on 12 May. But the firm that analysed Megalodon’s code (OX Security) assesses it is most likely a copycat, not TeamPCP operating directly, and there are no direct links, shared IOCs, or claims of responsibility tying the two. Attribution is unconfirmed / Low confidence. This section profiles TeamPCP because it is the relevant context and enabler — not because it is confirmed to be the Megalodon operator. Reporting is not unanimous: some outlets (e.g. Rescana) attributed Megalodon directly to TeamPCP, which is precisely why this report does not assert it either way.

Behavioural profile

TeamPCP (tracked by Google Threat Intelligence Group as UNC6780; aliases include PCPcat, ShellForce, DeadCatx3) is a financially motivated cybercrime group that emerged in late 2025, initially exploiting cloud misconfigurations and a Next.js vulnerability to deploy a credential-theft and cryptomining botnet. Through 2026 it became one of the most prolific supply-chain actors on the internet. Its signature is indirect initial access: rather than attacking targets directly, it backdoors widely trusted developer and security tooling that organisations already run in their pipelines, then harvests the elevated secrets those pipelines hold.

Prior and adjacent campaigns

TeamPCP’s confirmed supply-chain victims through 2026 include Aqua Security’s Trivy scanner (CVE-2026-33634, which affected 1,000-plus organisations including Cisco), Checkmarx KICS, LiteLLM, the Telnyx SDK, TanStack (CVE-2026-45321, CVSS 9.6), Mistral AI, OpenAI, Grafana Labs, and GitHub itself (confirmed 20 May 2026, via a poisoned Nx Console VS Code extension — CVE-2026-48027, CVSS 9.3 — that was live on the VS Code Marketplace for ~18 minutes on 18 May and let the group exfiltrate ~3,800 internal repositories). Both CVE-2026-45321 and CVE-2026-48027 were added to CISA’s Known Exploited Vulnerabilities catalogue on 27 May 2026. The group has also announced partnerships with BreachForums, LAPSUS$ (a joint $95,000 listing for the GitHub data), and the ransomware crew VECT.

The Shai-Hulud framework — important context

The pivotal event for Megalodon is not a TeamPCP operation at all — it is TeamPCP’s public release of its tooling. On 12 May 2026 the group open-sourced the complete “Shai-Hulud” framework (the Shai-Hulud 3.0 worm) via two GitHub repositories under an MIT licence, and a competition was announced offering $1,000 in Monero for the biggest supply-chain attack conducted with it. This democratised industrial-scale pipeline poisoning to any actor who wanted it.

It is worth being precise about the causal claim here: OX Security noted at the time of the contest announcement that it had not yet observed attacks leveraging the open-sourced variant, and the first confirmed Shai-Hulud clones it detected were four npm packages on 17 May. Treating Megalodon (18 May) as the first major copycat campaign this release enabled is therefore a reasonable analytic inference from timing and tradecraft, not an established, source-confirmed fact — no source directly links Megalodon’s code to the leaked framework.

Since the leak, the observed copycat campaigns include Megalodon (18 May) and the Miasma wave against @redhat-cloud-services (1 June) — both assessed by their analysing vendors as TTP overlap with TeamPCP that cannot be firmly attributed, precisely because the public tooling lets any actor replicate the tradecraft. Neither is confirmed to be TeamPCP. (Miasma is covered as context in this report’s § 01 update; a dedicated Protos Labs report on it is in preparation.)

Attribution strength relative to Megalodon

Surface-level similarities exist — npm package poisoning, fake bot author identities, and anti-forensic hardcoded commit dates (Megalodon commits carry a forged date of 17 September 2001; TeamPCP’s leaked source used a forged date of 1 January 2099). But the researchers closest to Megalodon do not attribute it firmly to TeamPCP:

  • OX Security lead researcher Moshe Siman Tov Bustan assesses Megalodon is most likely “a different threat actor copying their behavior and style, but not much of the code itself,” noting no direct links, no shared identifying IOCs, and no claim of responsibility — “for now, the connection remains unconfirmed.”
  • Megalodon lacks the public encryption key TeamPCP required for entries in its own contest — evidence it is not even a contest submission.
  • The Mini Shai-Hulud activity has strong TeamPCP attribution; Megalodon has only circumstantial overlap, actor-adjacent tradecraft, and media characterisation.
  • Dissent: not all reporting agrees — Rescana and some downstream outlets attributed Megalodon directly to TeamPCP. No code-analysis evidence supports that direct attribution, but the split is why this report rates attribution Low rather than ruling either way.

Our assessment. Medium-low confidence that Megalodon is TeamPCP operating directly; high confidence that it is TeamPCP-inspired / Shai-Hulud-enabled. Collaboration or shared stolen-credential access between actors cannot be ruled out. For CISOs: defend against the technique, not the brand.

Root cause: infostealer-sourced access

The most operationally important finding about how Megalodon got in: Hudson Rock cross-referenced the GitHub usernames behind the malicious commits against its cybercrime-intelligence database and found over a third matched computers already infected by infostealers, concluding the access enabling the campaign was sourced from infostealer data. This makes developer-endpoint compromise, not a GitHub product vulnerability, the true root cause — and means the precondition for the next campaign already exists across tens of thousands of organisations.

Technical Details · Part 2 of 2 · For IR teams
Technical Details
Prioritised actions · Attack mechanics · Detection rules · IOCs · MITRE ATT&CK
§ 00 · Orientation

How to use this document.

This technical document is structured for security teams to act on, and is built from Protos Labs investigation work plus open-source corroboration as of 4 June 2026.

This document covers:

  • How the attack works — the kill chain from credential acquisition to exfiltration and cascade.
  • Recommended actions — prioritised P1 / P2 / P3 remediation, owner-assigned.
  • Detection and hunt guidance — Splunk, Microsoft Sentinel (KQL), and Sigma content.
  • Indicators of compromise — defanged, with status and confidence.
  • MITRE ATT&CK mapping, evidence gaps, and references.
§ 01 · Attack mechanics

How the attack works — operational walkthrough.

The campaign is assessed as a direct Poisoned Pipeline Execution (d-PPE) attack — the operator uses stolen write access to push directly to the default branch, bypassing pull-request review entirely. This is distinct from indirect PPE (i-PPE), which requires tricking a maintainer into merging a malicious fork. SafeDep frames the valid-credential mechanism as its working hypothesis (its engineer Abhisek Datta: “Our hypothesis is that the campaign leveraged valid credentials to infect the repositories”); Hudson Rock’s subsequent infostealer analysis strongly corroborates it but it is not vendor-confirmed in the way the payload behaviour is.

  1. Credential acquisition (pre-attack). A corpus of valid GitHub credentials — overwhelmingly from infostealer logs (Hudson Rock: 33%+ username match) — provides write access via stolen PATs and deploy keys.
  2. Automated injection (d-PPE). Throwaway accounts with random 8-character usernames push directly to default branch under forged commit-author identities (build-bot, auto-ci, ci-bot, pipeline-bot) with routine-looking CI maintenance messages.
  3. Payload execution. Injected workflow contains set +e; echo "<base64>" | base64 -d | bash. Mass variant triggers on every push/PR; targeted variant fires on attacker-triggered workflow_dispatch. Decoded ~111-line bash script requests id-token: write and actions: read.
  4. Multi-phase credential harvest. Script collects CI env vars, /proc/*/environ, cloud credentials (AWS/GCP/Azure including IMDS), SSH/Docker/npmrc/netrc/Kubernetes/Vault/Terraform secrets, 30+ pattern regex sweep of source, and GitHub Actions OIDC token URL + token.
  5. Exfiltration. Data compressed and POSTed to 216[.]126[.]225[.]129, tagged megalodon.
  6. Cascade / propagation. Stolen tokens enable on-demand triggering of dormant backdoors and seeding of further repositories; where a poisoned repo feeds a published package, downstream users are compromised on install/build (the Tiledesk case).
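
A defender-side check for the workflow signature in steps 2–3, added here as an example (not Protos Labs or vendor code). It flags the reported workflow names, the base64-decode-to-shell pattern and the reported base64 prefix, and also decodes embedded base64 runs so the C2 address is found even though a plain-text grep would miss it. The function names, finding labels and the inert sample workflow are constructed for illustration; workflow files are matched by text, not parsed as YAML.

```python
"""Added example: flag Megalodon-style indicators in GitHub Actions workflow files."""
import base64
import binascii
import re
from pathlib import Path

# Indicators as reported on this page.
C2_IP = "216.126.225.129"
B64_PREFIX = "Q0I9Imh0dHA6Ly8yMTYu"
WORKFLOW_NAMES = {"SysDiag", "Optimize-Build"}
OIDC_VARS = ("ACTIONS_ID_TOKEN_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_TOKEN")

NAME_RE = re.compile(r"^name:[ \t]*(.+)$", re.M)  # top-level "name:" key only
PIPE_RE = re.compile(r"base64\s+(?:-d|-D|--decode)\b[^\n|]*\|\s*(?:ba|z|da)?sh\b")
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
IDTOKEN_RE = re.compile(r"^[ \t]*id-token:[ \t]*write\b", re.M)


def decode_blobs(text):
    """Yield the decoded text of every long base64 run that decodes cleanly."""
    for blob in BLOB_RE.findall(text):
        body = blob.rstrip("=")
        try:
            raw = base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue
        yield raw.decode("utf-8", "replace")


def scan_workflow(text):
    """Return an ordered, de-duplicated list of indicator names for one workflow."""
    found = []
    name = NAME_RE.search(text)
    if name and name.group(1).split("#")[0].strip().strip("'\"") in WORKFLOW_NAMES:
        found.append("known-workflow-name")
    if PIPE_RE.search(text):
        found.append("base64-pipe-to-shell")
    if B64_PREFIX in text:
        found.append("known-base64-prefix")
    if C2_IP in text:
        found.append("c2-in-plaintext")
    for decoded in decode_blobs(text):
        if C2_IP in decoded:
            found.append("c2-in-decoded-payload")
        if any(var in decoded for var in OIDC_VARS):
            found.append("oidc-vars-in-decoded-payload")
    if "base64-pipe-to-shell" in found and IDTOKEN_RE.search(text):
        found.append("id-token-write-with-decoded-shell")
    return list(dict.fromkeys(found))


def scan_tree(root):
    """Scan every .github/workflows/*.yml|yaml under root; return {path: findings}."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        in_workflows = (path.parent.name == "workflows"
                        and path.parent.parent.name == ".github")
        if path.is_file() and in_workflows and path.suffix in (".yml", ".yaml"):
            findings = scan_workflow(path.read_text(errors="replace"))
            if findings:
                hits[str(path)] = findings
    return hits


def build_sample():
    """Constructed sample shaped like the mass variant; the encoded script is inert."""
    inert = 'CB="http://%s:8443"\n# constructed sample, no commands\n' % C2_IP
    blob = base64.b64encode(inert.encode()).decode()
    return (
        "name: SysDiag\n"
        "on: [push, pull_request]\n"
        "permissions:\n  id-token: write\n  actions: read\n"
        "jobs:\n  diag:\n    runs-on: ubuntu-latest\n    steps:\n"
        f'      - run: set +e; echo "{blob}" | base64 -d | bash\n'
    )


if __name__ == "__main__":
    for finding in scan_workflow(build_sample()):
        print(finding)
```

Run `scan_tree` over a directory of cloned repositories and forks; any hit on a default branch should be preserved with its workflow-run logs before cleanup.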

Why the OIDC theft matters most. Organisations migrate to OIDC federation specifically to avoid storing long-lived cloud secrets in GitHub. Megalodon turns that best practice into an attack surface: by stealing the OIDC token request URL and token, the attacker can mint short-lived cloud tokens on their own machine and impersonate the pipeline. If a cloud role’s trust policy is scoped to the whole repository rather than a specific branch/workflow, a single rogue workflow can mint a valid production cloud token.
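
The trust-policy scoping point above, as an added example (not from the original report): an audit of role trust policies that flags a subject condition covering a whole repository or more. AWS IAM is assumed as the cloud side, since the page names AWS/GCP/Azure without a policy format; `example-org/app`, the account ID and both sample policies are constructed placeholders.

```python
"""Added example: audit AWS IAM role trust policies that trust GitHub Actions OIDC."""
GITHUB_OIDC = "token.actions.githubusercontent.com"
SUB_KEY = GITHUB_OIDC + ":sub"
AUD_KEY = GITHUB_OIDC + ":aud"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_github_oidc_statement(stmt):
    """True for Allow statements that let the GitHub OIDC provider assume the role."""
    principal = stmt.get("Principal")
    if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
        return False
    federated = _as_list(principal.get("Federated", []))
    actions = _as_list(stmt.get("Action", []))
    return ("sts:AssumeRoleWithWebIdentity" in actions
            and any(str(p).endswith("oidc-provider/" + GITHUB_OIDC) for p in federated))


def _condition_values(stmt, key):
    """Return [(operator, value)] for a condition key (keys are case-insensitive)."""
    out = []
    for operator, block in stmt.get("Condition", {}).items():
        for cond_key, value in block.items():
            if cond_key.lower() == key:
                out.extend((operator, v) for v in _as_list(value))
    return out


def classify_sub(operator, value):
    """Name the weakness in one subject condition, or return None if it is exact."""
    # Wildcards only expand under *Like operators; under StringEquals they are literal.
    if "like" not in operator.lower() or not any(c in value for c in "*?"):
        return None
    fields = value.split(":", 2)  # "repo", "OWNER/REPO", remainder
    if len(fields) < 3 or any(c in fields[0] + fields[1] for c in "*?"):
        return "sub-wildcard-spans-repositories"
    return "sub-scoped-to-whole-repo" if fields[2] == "*" else "sub-wildcard-in-ref"


def audit_trust_policy(policy):
    """Return [(statement_index, finding)] for GitHub OIDC statements in a policy."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if not _is_github_oidc_statement(stmt):
            continue
        subs = _condition_values(stmt, SUB_KEY)
        if not subs:
            findings.append((index, "no-sub-condition"))
        for operator, value in subs:
            issue = classify_sub(operator, value)
            if issue:
                findings.append((index, issue))
        if not _condition_values(stmt, AUD_KEY):
            findings.append((index, "no-aud-condition"))
    return findings


def _policy(operator, sub):
    """Build a constructed sample trust policy with the given subject condition."""
    provider = "arn:aws:iam::111122223333:oidc-provider/" + GITHUB_OIDC
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
                **({operator: {SUB_KEY: sub}} if operator != "StringEquals" else {}),
            },
        }],
    } if operator != "StringEquals" else {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {AUD_KEY: "sts.amazonaws.com", SUB_KEY: sub}},
        }],
    }


# Weak: any workflow on any ref of the repository can assume the role.
WEAK_POLICY = _policy("StringLike", "repo:example-org/app:*")
# Hardened: only jobs bound to one deployment environment match.
HARDENED_POLICY = _policy("StringEquals", "repo:example-org/app:environment:production")

if __name__ == "__main__":
    print("weak:", audit_trust_policy(WEAK_POLICY))
    print("hardened:", audit_trust_policy(HARDENED_POLICY))
```

A branch-scoped subject still matches a workflow pushed directly to that branch, as in the d-PPE pattern above, so pair the condition with branch protection or an environment that requires approval.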

§ 02 · Response actions

Recommended actions.

Safety caution before revoking credentials

Shai-Hulud-family payloads have been observed arming a destructive failsafe (e.g. a gh-token-monitor daemon that runs rm -rf on token revocation, per analysis of the 11 May TanStack payload). This has not been confirmed in the Megalodon payload specifically, but as a precaution on any host suspected of a Shai-Hulud-family infection, isolate and image the affected system before revoking tokens — premature revocation may trigger the wipe. (The ~24-hour wiper TTL reported for the May payload is single-source and may differ across variants.)

Priority 1 — Immediate

01. Hunt all org repositories
    Action: GitHub code-search base64 prefix Q0I9Imh0dHA6Ly8yMTYu and workflow names SysDiag / Optimize-Build; locally grep -r "216\.126\.225\.129" .github/workflows/
    Why: Confirms direct exposure; identifies dormant backdoors
    Owner: IT Security / DevOps

02. Block egress to the C2
    Action: Block 216[.]126[.]225[.]129 (port 8443; include 8080 defensively) on all runners; review historical traffic
    Why: Severs direct infrastructure contact
    Owner: SecOps

03. Audit recent workflow changes
    Action: Review .github/workflows/*.yml changes for base64 -d | bash, curl/wget, unexpected workflow_dispatch
    Why: Attack mechanism centred on malicious workflow injection
    Owner: DevOps

04. Rotate GitHub credentials
    Action: Rotate GitHub PATs, deploy keys, Actions secrets, OIDC trust relationships, repo-scoped tokens for any exposed build environment
    Why: Secret theft is the primary objective
    Owner: IAM / Platform

05. Rotate cloud credentials
    Action: Rotate cloud credentials and invalidate temporary tokens accessible to CI runners; check for unexpected IAM role attachments minted via OIDC
    Why: Harvested cloud credentials enable secondary compromise
    Owner: Cloud Security

06. Quarantine the poisoned package
    Action: Block/quarantine @tiledesk/tiledesk-server 2.18.6–2.18.12; pin to 2.18.5
    Why: Downstream package compromise confirmed
    Owner: Package Security

07. Audit OAuth grants & apps
    Action: Audit OAuth grants, GitHub App installations, PATs and deploy keys from last 30 days; revoke anything unaccounted for, especially contents: write / push scope
    Why: Valid-account misuse enabled trusted repo changes
    Owner: IT Security

08. Preserve forensic logs
    Action: Preserve CI runner logs, workflow-run logs, package lockfiles, and build artifacts from 18–21 May before rotation or cleanup
    Why: Needed to validate exposure and support containment
    Owner: Forensics

09. Validate branch protections
    Action: Validate repository branch protections, workflow approval requirements, and environment protection rules for sensitive builds
    Why: Reduces future trusted-workflow abuse
    Owner: AppSec

10. Prepare stakeholder notification
    Action: Prepare user/stakeholder notification focused on exposure windows, affected secrets, and required rotations
    Why: Downstream consumers may need actionable notice
    Owner: Communications / Legal

Priority 2 — Next 30 days

  • Implement repository and workflow drift detection for CI definitions, with approval gates (CODEOWNERS on .github/workflows/) for sensitive workflow changes. This converts a trivial d-PPE into the much harder i-PPE.
  • Block direct pushes to default branches; require pull-request review and signed commits across the org.
  • Reduce long-lived secrets in CI — migrate from broad PATs to fine-grained PATs or GitHub Apps; prefer short-lived, least-privilege credentials with strong audience restrictions.
  • Re-issue any npm tokens invalidated in the 19 May platform reset, and adopt npm Trusted Publishing (OIDC) over long-lived publish tokens. Note the limit, though: the 1 June Miasma wave abused Trusted Publishing’s OIDC path directly — so OIDC migration must be paired with tight trust-policy scoping (below), not treated as a complete fix on its own.
  • Scope OIDC tightly. Use strict trust-policy condition keys (e.g. sub restricted to repo:org/name:ref:refs/heads/main) so a rogue workflow on a non-release branch cannot mint production cloud tokens. Audit every workflow requesting id-token: write.
  • Restrict runner egress (allow-listing) and IMDS access on self-hosted runners; pin third-party actions to commit SHAs, not mutable tags.
  • Expand dependency-provenance checks and package-intake controls for npm and PyPI.
  • Added 6 June (Phantom Gyp): also monitor for unexpected binding.gyp files and node-gyp invocations at install — the 3 June wave executes without touching package.json scripts, evading preinstall/postinstall-only controls.
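
One way to run the "scope OIDC tightly" audit, covering both the OIDC-theft passage in § 01 and the trust-policy item above. This is an added example, not code from the report or any vendor it cites. It assumes AWS IAM role trust policies exported as JSON; the sample policies, account ID and repository name are constructed placeholders.

```python
import re

SUB_KEY = "token.actions.githubusercontent.com:sub"
# Tight form: one repo pinned to one branch or one deployment environment, no wildcards.
TIGHT_SUB = re.compile(r"^repo:[\w.-]+/[\w.-]+:(ref:refs/heads/[\w./-]+|environment:[\w.-]+)$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy):
    """Return findings for Allow statements that let GitHub OIDC tokens assume the role."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or not any(
                f.endswith("oidc-provider/token.actions.githubusercontent.com") for f in federated):
            continue  # not a GitHub OIDC federation statement
        subs = [(op, sub)
                for op, keys in stmt.get("Condition", {}).items()
                for key, val in keys.items() if key.lower() == SUB_KEY
                for sub in _as_list(val)]
        if not subs:
            findings.append(f"statement {i}: no sub condition, role is not tied to a repository")
        for op, sub in subs:
            if not TIGHT_SUB.match(sub):
                findings.append(f"statement {i}: {op} '{sub}' is not pinned to a branch or environment")
    return findings

def _policy(condition):
    # Constructed sample; the account ID and repository are placeholders.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

REPO_WIDE = _policy({"StringLike": {SUB_KEY: "repo:example-org/example-app:*"}})
BRANCH_PINNED = _policy({"StringEquals": {SUB_KEY: "repo:example-org/example-app:ref:refs/heads/main"}})
UNSCOPED = _policy({"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}})

if __name__ == "__main__":
    for name, pol in [("repo-wide", REPO_WIDE), ("branch-pinned", BRANCH_PINNED), ("unscoped", UNSCOPED)]:
        print(name, audit_trust_policy(pol) or "ok")
```

The repo-wide policy is the case § 01 warns about: any workflow in the repository, including one injected on a non-release branch, satisfies it.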

Priority 3 — Strategic improvements

  • Treat developer endpoints as part of the supply chain. The root cause was infostealer-infected developer machines. Invest in EDR on developer endpoints, phishing-resistant auth, and continuous monitoring of your domains against infostealer-credential feeds.
  • Mature software supply-chain controls under SLSA-aligned practices, signed builds, and isolated runners for sensitive workloads — but do not treat provenance/attestation badges as install-time safety signals; they prove origin, not benignity.
  • Deploy workflow-file integrity monitoring and CI runtime/behavioural detection, since no CVE scanner will catch this class of attack.
  • Tabletop a CI/CD pipeline-poisoning and credential-cascade scenario, including a maintainer who unknowingly republishes from a poisoned source.

§ 03 · Detection & hunt

Detection and hunt guidance.

Behavioural patterns are far more durable than atomic indicators. The C2 IP and workflow names age quickly as the operator rotates infrastructure — prioritise behavioural rules.

Priority hunt areas

  • Workflow / commit injection — Direct pushes to default branches containing .github/workflows changes with base64 blobs, from forged bot identities or unfamiliar 8-character usernames; commits carrying forged 2001-09-17 date
  • Base64-decoded bash in runners — base64 -d | bash execution inside GitHub Actions runners
  • CI secret access — Runner processes touching .npmrc, .netrc, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, AZURE_*, GOOGLE_APPLICATION_CREDENTIALS, or OIDC token request variables
  • Valid-account misuse — High-volume pushes, new PAT/deploy-key creation, or OAuth authorisations from a single actor/IP
  • node-gyp install execution (Phantom Gyp) — Unexpected binding.gyp files and node-gyp invocations at npm install time — the 3 June wave executes without touching package.json scripts
  • C2 egress — Outbound connections from CI runners to 216[.]126[.]225[.]129 (port 8443 confirmed; 8080 monitored defensively)

Splunk (SPL)

# Malicious workflow / commit push
index=github sourcetype=github:audit
(action=repo.push OR action=protected_branch.push)
(workflow OR ".github/workflows")
| search commit_message="*base64*"
  OR actor IN ("build-bot","auto-ci","ci-bot","pipeline-bot")

# Valid-account misuse
index=github sourcetype=github:audit
(action=oauth_authorization.create OR action=public_key.create OR action=repo.push)
| stats count by actor, src_ip, repo | where count > 5

# CI secret access
index=ci_logs ("GITHUB_TOKEN" OR ".npmrc" OR ".netrc"
  OR "AWS_SECRET_ACCESS_KEY" OR "AZURE_"
  OR "GOOGLE_APPLICATION_CREDENTIALS")

# Base64-decoded bash in runners
index=ci_runner_logs ("base64 -d | bash")

# C2 egress
(index=proxy OR index=netflow)
dest_ip="216.126.225.129" (dest_port=8443 OR dest_port=8080)

Microsoft Sentinel (KQL)

// Malicious workflow push
GitHubAuditLogs
| where Action has_any("repo.push","protected_branch.push")
| where RawData has ".github/workflows"
  or RawData has "base64"
  or Actor has_any ("build-bot","auto-ci","ci-bot","pipeline-bot")

// Valid-account misuse
CloudAppEvents
| where Application == "GitHub"
| where ActivityType in ("OAuth app authorized","SSH key added","Push")
| summarize Count=count() by AccountDisplayName, IPAddress, bin(TimeGenerated, 1h)
| where Count > 5

// CI secret access
AuditLogs
| where tostring(AdditionalDetails) has_any("GITHUB_TOKEN",".npmrc",".netrc","AWS_SECRET_ACCESS_KEY")

// Base64-decoded bash in runners
DeviceProcessEvents
| where ProcessCommandLine has "base64 -d" and ProcessCommandLine has "bash"

// C2 egress
DeviceNetworkEvents
| where RemoteIP == "216.126.225.129" and RemotePort in (8443, 8080)

Sigma skeletons

title: GitHub Workflow File Modified With Encoded Script
logsource:
  product: github
  category: audit
detection:
  selection:
    action|contains: 'push'
    raw|contains|all:
      - '.github/workflows'
      - 'base64'
  condition: selection
---
title: Base64 Decoded Bash In CI Runner
logsource:
  product: linux
  category: process_creation
detection:
  selection:
    CommandLine|contains|all:
      - 'base64 -d'
      - 'bash'
  condition: selection
---
title: CI Runner Connection To Megalodon Infrastructure
logsource:
  product: network
  category: connection
detection:
  selection:
    DestinationIp: '216.126.225.129'
    DestinationPort:
      - 8443
      - 8080
  condition: selection
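
The workflow-injection patterns above can also be checked directly against a checked-out repository, without a SIEM. The scanner below is an added example, not code from the report or any vendor it cites. Its rule names and sample workflows are constructed for illustration; the patterns are the ones this section lists.

```python
import re
from pathlib import Path

# Rule names are this example's own; the patterns come from the hunt areas above.
BEHAVIOURAL = {
    "decode-and-execute": re.compile(r"base64\s+(-d|-D|--decode)\b[^\n|]*\|\s*(ba|z)?sh\b"),
    "oidc-token-permission": re.compile(r"^\s*id-token:\s*write\b", re.M),
}
ATOMIC = {
    "reported-workflow-name": re.compile(r"^name:\s*['\"]?(SysDiag|Optimize-Build)['\"]?\s*$", re.M),
    "reported-c2-address": re.compile(r"216\.126\.225\.129"),
    "reported-base64-prefix": re.compile(r"Q0I9Imh0dHA6Ly8yMTYu"),
}

def scan_workflow(text):
    """Return the sorted names of every rule that matches one workflow file."""
    rules = {**BEHAVIOURAL, **ATOMIC}
    return sorted(name for name, rx in rules.items() if rx.search(text))

def priority(hits):
    """'high' for execution or reported indicators, 'review' for OIDC permission alone."""
    if not hits:
        return "none"
    return "review" if hits == ["oidc-token-permission"] else "high"

def scan_repo(root):
    """Map each flagged workflow path (relative to root) to (priority, hits)."""
    wf_dir = Path(root) / ".github" / "workflows"
    results = {}
    if wf_dir.is_dir():
        for path in sorted(wf_dir.glob("*.y*ml")):
            hits = scan_workflow(path.read_text(errors="replace"))
            if hits:
                results[path.relative_to(root).as_posix()] = (priority(hits), hits)
    return results

# Constructed samples: the shape the report describes, with a placeholder payload.
SAMPLE_INJECTED = """name: SysDiag
on: [push, pull_request]
permissions:
  id-token: write
  actions: read
jobs:
  diag:
    runs-on: ubuntu-latest
    steps:
      - run: set +e; echo "<base64>" | base64 -d | bash
"""
SAMPLE_OIDC_ONLY = "name: deploy\npermissions:\n  id-token: write\n"
```

Call scan_repo(".") from a repository root. A "review" result means the workflow requests id-token: write and needs an owner to confirm it is expected; the behavioural rules keep matching after the atomic indicators rotate.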

Monitoring tier order

  • Tier 1 (continuous): Runner egress to known infrastructure, base64-decoded bash in runners, sudden .github/workflows changes, unexpected node-gyp at install
  • Tier 2 (daily review): Valid-account misuse, PAT/deploy-key anomalies, unusual package-publication activity
  • Tier 3 (weekly review): Broad tradecraft-similarity hunting across CI/CD and dependency ecosystems; infostealer-credential exposure for org domains

§ 04 · Indicators of compromise

Indicators of compromise (defanged).

Do not re-fang or visit these from production endpoints. Reference for detection rules and blocklists only.

| Type | Indicator (defanged) | First seen | Status (6 Jun 2026) | Confidence |
|---|---|---|---|---|
| IPv4 / C2 | 216[.]126[.]225[.]129:8443 | 18 May 2026 | Reported active; campaign param string megalodon | High |
| IPv4 / historical | 144[.]172[.]116[.]48:8080 | ~8 May 2026 | Historical / related; single-source | Medium |
| Code-search string | Q0I9Imh0dHA6Ly8yMTYu (base64 prefix) | 18 May 2026 | Used to locate infected workflow YAML files | High |
| Anchor commit | acac5a985465...03819 | 19 May 2026 | Tiledesk malicious commit | High |
| Workflow names | SysDiag (mass), Optimize-Build (targeted/dormant) | 18 May 2026 | In the name: field of injected workflows | High |
| Forged author names | build-bot, auto-ci, ci-bot, pipeline-bot | 18 May 2026 | Forged commit-author identities | High |
| Forged author emails | build-system@noreply[.]dev (2,878 commits); ci-bot@automated[.]dev (2,841 commits) | 18 May 2026 | Two identities SafeDep traced all 5,718 commits to | High |
| Forged commit date | 2001-09-17 (hardcoded anti-forensic timestamp) | 18 May 2026 | Anti-forensic timestamp | Medium |
| Requested permissions | id-token: write, actions: read | 18 May 2026 | Anomalous for most workflows | Medium |
| Install vector (Phantom Gyp) | Weaponised binding.gyp (157 bytes) -> node-gyp exec at install | 3 Jun 2026 | Evades preinstall/postinstall script monitors; hunt for unexpected binding.gyp + node-gyp invocations | High |
| Compromised package | @tiledesk/tiledesk-server 2.18.6–2.18.12 | 19–21 May 2026 | Reported compromised; quarantine recommended; last clean release: 2.18.5 | High |

§ 05 · MITRE ATT&CK mapping

MITRE ATT&CK mapping.

Megalodon GitHub Actions campaign, 18 May 2026. ATT&CK version: v14. Only T1195.002 named uniformly across vendor reporting; remainder reflect analyst interpretation.

| Tactic | Technique | Confidence | Evidence |
|---|---|---|---|
| Initial Access | T1078 · Valid Accounts | Medium | Stolen PATs/deploy keys (infostealer-sourced) enabled trusted repository changes |
| Initial Access / Impact | T1195.002 · Supply Chain Compromise | High | Workflow injection upstream; npm propagation via Tiledesk downstream |
| Execution | T1059.004 · Unix Shell | High | Base64-decoded bash executed in the runner |
| Credential Access | T1552.001 · Credentials in Files | High | Harvest of AWS/GCP/Azure/SSH/Docker/K8s credential files |
| Credential Access | T1552.004 · Private Keys | High | SSH and cloud private keys |
| Collection | T1119 · Automated Collection | High | 30+ pattern regex secret sweep across the workspace |
| Command & Control | T1071.001 · Web Protocols | Medium | HTTP(S) POST to reported C2 |
| Exfiltration | T1041 · Exfiltration Over C2 | Medium | Compressed POST to 216[.]126[.]225[.]129 |

Kill chain status

Operation reached Actions on Objectives — active credential and secret theft, confirmed downstream package poisoning. Persistence established through modified workflows and dormant workflow_dispatch triggers.

§ 06 · Evidence gaps & confidence assessment

Evidence gaps & confidence.

| Confidence | Findings |
|---|---|
| High | Large-scale CI/CD supply-chain compromise 18 May 2026; workflow-injection mechanism; base64-decoded bash execution; secret-harvesting behaviour; C2 endpoint 216[.]126[.]225[.]129:8443; the two forged author emails and 5,718-commit split; downstream compromise of @tiledesk/tiledesk-server 2.18.6–2.18.12; infostealer-sourced initial access (Hudson Rock 331/978); TeamPCP Shai-Hulud 3.0 open-sourcing and $1,000 contest as context. |
| Moderate | Exact repository/commit counts (researcher-anchored); valid-credential initial access (SafeDep’s stated hypothesis, corroborated by Hudson Rock but not vendor-confirmed); whether the campaign is still actively ingesting data. |
| Low | Direct attribution of Megalodon to TeamPCP (circumstantial overlap only; OX assesses copycat); the :8080 C2 port (single-source); whether Megalodon’s code derives from the leaked Shai-Hulud framework (timing inference only); total volume of data exfiltrated; the historical IOC 144[.]172[.]116[.]48. |

§ 07 · References

Sources used.

Vendor research / Threat intelligence (Tier 1)

  • SafeDep — first documented the campaign; commit dataset (5,561 repos / 5,718 commits); d-PPE / Tiledesk cascade analysis
  • OX Security — independent YAML-file count; copycat-attribution assessment; Miasma (@redhat-cloud-services) analysis
  • Hudson Rock — infostealer root-cause analysis (331 of 978 usernames, 33%+)
  • StepSecurity — mass GitHub Actions secret-exfiltration analysis; 3 June Phantom Gyp / binding.gyp discovery
  • Ossprey — credential-harvester payload breakdown and ATT&CK mapping
  • Flashpoint — TeamPCP campaign-wave tracking through 2026
  • Socket — npm token-invalidation analysis; Mini Shai-Hulud / Miasma campaign tracking
  • Microsoft Security — @antv Mini Shai-Hulud writeup (640 packages removed; 61,274 tokens invalidated); 2 June Miasma preinstall-persistence analysis
  • Wiz / Orca / Aikido / Semgrep — 1 June Miasma @redhat-cloud-services analyses
  • Snyk / Wiz / Whiteintel / CybelAngel — 3 June Phantom Gyp (node-gyp) wave; ~49-day infostealer credential-trail analysis

News reporting (Tier 2)

The Register; Dark Reading; The Hacker News; SecurityWeek; Help Net Security; Hackread; TechRadar; BleepingComputer; Cybernews; Tech Times.

Government / Standards

NIST NVD and CISA KEV (Trivy CVE-2026-33634; TanStack CVE-2026-45321, CVSS 9.6; Nx Console CVE-2026-48027, CVSS 9.3 — latter two added to CISA KEV 27 May 2026); Red Hat RHSB-2026-006; MITRE ATT&CK v14; OWASP Top 10 CI/CD Security Risks.

Prepared by Protos Labs Threat Intelligence · TLP:CLEAR · v2 · 6 June 2026. Share freely within and between organisations to support sector defence.

Methodology: open-source vendor research (SafeDep, OX Security, Hudson Rock, StepSecurity, Ossprey, Flashpoint, Socket, Microsoft, Wiz), Tier-1/2 news, primary statements (GitHub, npm, Microsoft, Red Hat), and Protos Labs investigation work. Evidence collection closed 29 May 2026; timeline and § 01 update reflect developments through 6 June 2026. Update as further forensic findings are published or as attribution firms up.
