VDB

GCVE-110-OSM-2026-4710

GCVE-110-OSM-2026-4710
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 18, 2026
Tiledesk repository compromised in the Megalodon campaign (May 18-22, 2026), part of a coordinated attack that backdoored 5,561+ public repositories via injected GitHub Actions workflows. Primary npm-publishing repo; malicious code propagated downstream to @tiledesk/tiledesk-server versions 2.18.6-2.18.12. Compromised via Megalodon campaign (May 2026): attacker with write access pushed malicious GitHub Actions workflow YAML directly to default branch, bypassing PR review (Direct Poisoned Pipeline Execution / d-PPE, MITRE T1195.002). Malicious workflows observed: - .github/workflows/ci.yml - .github/workflows/docker-community-worker-push-latest.yml - .github/workflows/SysDiag.yml - .github/workflows/Optimize-Build.yml Workflows execute a base64-encoded bash payload that harvests GitHub Actions secrets, cloud credentials, SSH keys, API tokens, and OIDC tokens from the runner environment, then exfiltrates them to C2 at https://216.126.225.129:8443/collect. Forged git author identities: build-bot@github-ci.com, ci-pipeline@actions-bot.com (usernames: build-bot, ci-bot, auto-ci). Anchor commit: acac5a9854650c4ae2883c4740bf87d34120c038. Suspicious commit messages: "ci: add build optimization step", "chore: optimize pipeline runtime", "chore: update ci/cd pipeline".

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownall (affected)

References

Browse GCVE Records

72,148 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›