DMZ//THREAT INTEL
FEED ACTIVELAST SYNC: 06:13:27ZSOURCES: 14CRITICAL: 30
⚠ ACTIVE ALERTS
@FalconFeedsio CRITICAL — 🚨 Ransomware Alert: The Gentlemen RaaS group continues active DLS postings. Now at 478… /// @DarkWebInformer CRITICAL — 🚨 ServiceNow discloses June 5 security update tied to anomalous activity — KB3067321.… /// @MsftSecIntel CRITICAL — MSTIC analysis of The Gentlemen ransomware (tracked internally): self-propagating… /// @GossiTheDog CRITICAL — ServiceNow KB3067321 situation is worse than the vendor comms suggest. Advisory was gated… /// @AlvieriD CRITICAL — The '340M OnlyFans' listing on the leak forum is a compiled corpus — seller confirmed to…
30Critical Threats
15Active CVEs
1IOCs Tracked
14New Advisories
INTEL FEED/ARCHIVE/SUPPLY-CHAIN
DMZ INTEL DESK//FILED: 2026-06-05//01:49Z
CRITICAL#supply chain

Megalodon CI/CD Supply Chain Campaign Backdoors 5,561 GitHub Repos in Six Hours; Dormant workflow_dispatch Triggers Still Active

On May 18, 2026, an automated campaign dubbed Megalodon pushed 5,718 malicious commits to 5,561 distinct GitHub repositories within a six-hour window, injecting GitHub Actions workflows that exfiltrate AWS, GCP, and Azure credentials, SSH keys, OIDC tokens, Kubernetes configs, and over 30 secret regex patterns to a C2 at 216.126.225.129:8443. A targeted variant replaced existing workflows with dormant workflow_dispatch backdoors that produce no visible CI activity and can be silently triggered on demand via the GitHub API — meaning rotation alone does not remediate compromised repos. Hudson Rock confirmed the campaign was seeded entirely from infostealer-harvested GitHub PATs, and the npm package @tiledesk/tiledesk-server versions 2.18.6–2.18.12 carried the payload into the package registry without the maintainer's knowledge.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the critical severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.

FILED UNDER:
megalodon · github-actions · supply-chain · cicd-poisoning · credential-theft · npm · teamPCP · infostealer · oidc-token-theft
STAY AHEAD OF THREATS
Daily intel briefs and IOC packages — delivered to your inbox the moment a new advisory drops.
SUBSCRIBE — $29/MO →
SHARE BRIEF:✕ Post on Xin Share on LinkedIn

MORE FROM ARCHIVE

# SUPPLY CHAIN
2026-06-13
Solana FakeFix Campaign: 25 Malicious npm/PyPI Packages Targeting Web3 Developers via GitHub Issue Spam and Trojanized SDK Forks
# SUPPLY CHAIN
2026-06-09
TeamPCP Mini Shai-Hulud Supply Chain Worm Claims OpenAI, Mistral AI, TanStack — SLSA Build Level 3 Provenance Attestations Forged for First Time
# SUPPLY CHAIN
2026-06-04
Miasma Worm Backdoors 32 Red Hat @redhat-cloud-services npm Packages via Compromised Employee GitHub Account, Exfiltrates AWS/GCP/Azure Credentials
# SUPPLY CHAIN
2026-06-03
Miasma Supply Chain Campaign Backdoors 32 Red Hat @redhat-cloud-services npm Packages via Compromised CI/CD Pipeline