VDB

GCVE-110-OSM-2026-575

GCVE-110-OSM-2026-575
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 18, 2026
Tiledesk repository compromised in the Megalodon campaign (May 18-22, 2026), part of a coordinated attack that backdoored 5,561+ public repositories via injected GitHub Actions workflows. Docker proxy repo compromised; likely holds container registry credentials. Compromised via Megalodon campaign (May 2026): attacker with write access pushed malicious GitHub Actions workflow YAML directly to default branch, bypassing PR review (Direct Poisoned Pipeline Execution / d-PPE, MITRE T1195.002). Malicious workflows observed: - .github/workflows/ci.yml - .github/workflows/docker-community-worker-push-latest.yml - .github/workflows/SysDiag.yml - .github/workflows/Optimize-Build.yml Workflows execute a base64-encoded bash payload that harvests GitHub Actions secrets, cloud credentials, SSH keys, API tokens, and OIDC tokens from the runner environment, then exfiltrates them to C2 at https://216.126.225.129:8443/collect. Forged git author identities: build-bot@github-ci.com, ci-pipeline@actions-bot.com (usernames: build-bot, ci-bot, auto-ci). Anchor commit: acac5a9854650c4ae2883c4740bf87d34120c038. Suspicious commit messages: "ci: add build optimization step", "chore: optimize pipeline runtime", "chore: update ci/cd pipeline".

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@rexxtheproject/elaina-libsignalall (affected), all (affected)
unknownall (affected), all (affected)
unknownchangelog-utils-loggerall (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected)
unknownconsole-loggersall (affected), all (affected), all (affected), * (affected)

Browse GCVE Records

72,096 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›