VDB
GCVE-110-OSM-2026-4710
GCVE-110-OSM-2026-4710
Advisory PublishedCVSS 9.6/10
Tiledesk repository compromised in the Megalodon campaign (May 18-22, 2026), part of a coordinated attack that backdoored 5,561+ public repositories via injected GitHub Actions workflows. Primary npm-publishing repo; malicious code propagated downstream to @tiledesk/tiledesk-server versions 2.18.6-2.18.12.
Compromised via Megalodon campaign (May 2026): attacker with write access pushed malicious GitHub Actions workflow YAML directly to default branch, bypassing PR review (Direct Poisoned Pipeline Execution / d-PPE, MITRE T1195.002).
Malicious workflows observed:
- .github/workflows/ci.yml
- .github/workflows/docker-community-worker-push-latest.yml
- .github/workflows/SysDiag.yml
- .github/workflows/Optimize-Build.yml
Workflows execute a base64-encoded bash payload that harvests GitHub Actions secrets, cloud credentials, SSH keys, API tokens, and OIDC tokens from the runner environment, then exfiltrates them to C2 at https://216.126.225.129:8443/collect.
Forged git author identities: build-bot@github-ci.com, ci-pipeline@actions-bot.com (usernames: build-bot, ci-bot, auto-ci).
Anchor commit: acac5a9854650c4ae2883c4740bf87d34120c038.
Suspicious commit messages: "ci: add build optimization step", "chore: optimize pipeline runtime", "chore: update ci/cd pipeline".
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | all (affected) | — |
References
Malicious package:
advisory
Browse GCVE Records
72,148 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.