Tiledesk GitHub org poisoned by Megalodon, npm followed
Part of the Megalodon mass-backdoored GitHub CI workflows campaign
On 2026-05-18 nine Tiledesk repositories received Megalodon's Optimize-Build workflow commit. The maintainer published @tiledesk/tiledesk-server 2.18.6 through 2.18.12 from the poisoned tree between 2026-05-19 and 2026-05-21, bundling the workflow file into every tarball.
Story
Tiledesk, an open-source LLM agent platform, was the most visible downstream casualty of the Megalodon mass-backdooring campaign that swept across 5,500 GitHub repositories on May 18, 2026. Researchers at SafeDep said the attacker pushed Megalodon's malicious workflow file into nine Tiledesk repositories, and the project's maintainer then unwittingly bundled the poisoned tree into seven new npm releases over the following three days.
Tiledesk's server is published to npm as @tiledesk/tiledesk-server and builds Docker images through repository workflows. According to SafeDep, the first Megalodon commit landed on Tiledesk/tiledesk-server at 12:50 UTC on May 18, forged as a build-bot author with a routine chore message. The diff replaced one workflow file with one named Optimize-Build, gated on workflow_dispatch, that decoded and ran the Megalodon credential collector. The payload is documented at [[megalodon-2026]].
Eight more Tiledesk repositories took the same commit within the hour. Every push went directly to the default branch with no pull request, consistent with a stolen personal access token or deploy key. SafeDep said the access appears to have originated on the Tiledesk side.
The maintainer kept shipping. Between May 19 and May 21, seven releases — 2.18.6 through 2.18.12 — were published from the poisoned tree, each tarball carrying the malicious workflow file. Because npm install does not execute workflow files, npm consumers were not poisoned at runtime. But anyone who cloned, forked, or rebuilt from the tarball was, and the workflow_dispatch trigger meant the attacker controlled the timing — the file could sit dormant in a fork between detection sweeps until the operator chose to fire it.
SafeDep's Malysis engine flagged the npm package during a routine scan, traced the workflow file back to GitHub, and used that finding to pivot to the broader Megalodon scope.
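A defender-side check for the bundling described above, as an added example that is not part of the original record or of Tiledesk's or SafeDep's tooling: it opens an npm tarball in memory, lists any GitHub workflow files it carries, and flags a workflow_dispatch trigger and a decode-and-pipe-to-shell step. The sample tarball, the placeholder workflow body and the decode regex are constructed assumptions, not the campaign's actual file or commands.

```python
import io
import re
import tarfile
from dataclasses import dataclass

# Heuristics. The decode/run pattern is an assumption about how a
# "decode and run" step may look, not the campaign's exact commands.
WORKFLOW_PATH = re.compile(r"^package/\.github/workflows/[^/]+\.ya?ml$")
DISPATCH = re.compile(r"^\s*workflow_dispatch\s*:", re.M)
DECODE_RUN = re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:ba)?sh\b", re.I)


@dataclass
class Finding:
    path: str             # member path inside the tarball
    has_dispatch: bool    # workflow_dispatch trigger present
    decode_and_run: bool  # a step decodes data and pipes it to a shell


def scan_npm_tarball(data: bytes) -> list[Finding]:
    """One Finding per workflow file in an npm tarball. npm install will not
    run such a file, but a clone, fork or rebuild of the tree carries it."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if not (m.isfile() and WORKFLOW_PATH.match(m.name)):
                continue
            text = tar.extractfile(m).read().decode("utf-8", "replace")
            findings.append(Finding(m.name, bool(DISPATCH.search(text)),
                                    bool(DECODE_RUN.search(text))))
    return findings


def build_tarball(files: dict[str, str]) -> bytes:
    """Build an in-memory .tgz using npm's package/ prefix (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            raw = body.encode()
            info = tarfile.TarInfo("package/" + name)
            info.size = len(raw)
            tar.addfile(info, io.BytesIO(raw))
    return buf.getvalue()


# Constructed sample with the dormant-trigger shape; the payload is a placeholder.
SAMPLE_WORKFLOW = ("name: Optimize-Build\non:\n  workflow_dispatch:\njobs:\n  build:\n"
                   "    runs-on: ubuntu-latest\n    steps:\n"
                   "      - run: echo \"$PAYLOAD_B64\" | base64 -d | bash\n")
POISONED = build_tarball({"package.json": '{"name": "example-pkg"}', "server.js": "",
    ".github/workflows/docker-community-worker-push-latest.yml": SAMPLE_WORKFLOW})
CLEAN = build_tarball({"package.json": '{"name": "example-pkg"}', "server.js": ""})
```

Run it against a real `npm pack` output by passing the file's bytes to `scan_npm_tarball`; any finding at all, dispatch or not, is worth a look because a clean package has no reason to ship workflow files.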
Affected Artifacts
- npm package @tiledesk/tiledesk-server
  - Observed: 2026-05-19 to 2026-05-21
  - Fixed: 2.18.5
  - The malicious workflow file was bundled into each tarball; the runtime entry points (server.js and friends) were unchanged.
- GitHub repositories (nine Tiledesk repositories)
  - Observed: 2026-05-18
  - Compromised Versions: Unknown
  - Fixed: Not listed
  - All nine repositories received the same Optimize-Build workflow commit within the Megalodon six-hour window on 2026-05-18.
Incident Context
- Motive: Credential Theft
- Attribution: Group
- Cause: Compromised Repository Access
- Transitive: Yes
Indicators
- file: .github/workflows/docker-community-worker-push-latest.yml
- ip: 216.126.225.129
- url: http://216.126.225.129:8443?h=megalodon&l=gh_dump
- technique: workflow_dispatch dormant backdoor in CI workflow file
- technique: workflow file bundled into npm tarball via missing .npmignore
- account: build-bot <build-system@noreply.dev> (forged commit author)
- commit: acac5a9854650c4ae2883c4740bf87d34120c038
Notes
- The commit pushed directly to the default branch with no pull request, consistent with a stolen PAT or deploy key holding write access. Tiledesk's branch protection state at the time of the push is not publicly documented.
- Workflow files in an npm tarball do not execute on npm install. The downstream consumer is exposed only if it clones, forks, or extracts the tarball and runs the workflow in its own GitHub Actions environment.
- Versions 2.18.6 through 2.18.12 were published from the poisoned tree between 2026-05-19 and 2026-05-21. 2.18.5 is the last clean release.
- The same Optimize-Build workflow shape, payload, and C2 (216.126.225.129:8443) appear in 5,560 other repositories in the same six-hour window. See [[megalodon-2026]].
External References
Source record: oss/attacks/tiledesk/meta.yaml