Supply Chain Attacks, AI Poisoning, CI/CD Compromise, GitHub Actions, Megalodon, TrapDoor, Credential Harvesting, Cross-Ecosystem
Source Material: Phoenix Security | SecureReading | SafeDep | Technology: GitHub Actions, npm, PyPI, Crates[.]io, Cursor, Claude Code | Targeted Industries: Cryptocurrency, DeFi, Solana, Artificial Intelligence
Executive Summary
Software supply chain attacks are evolving from isolated incidents to persistent, systemic campaigns that likely represent a new normal in cybersecurity. Following ongoing reports of significant compromises, including the Mini Shai-Hulud campaign, which impacted GitHub and OpenAI, and similar campaigns such as PCPJack, adversaries have made it clear that supply chain pipeline attacks are here to stay.
Over the past week, the global software development ecosystem experienced two more distinct supply chain attacks, tracked as “Megalodon” and “TrapDoor.” These ongoing attacks demonstrate that adversaries are moving past simple dependency confusion, focusing instead on multi-ecosystem compromises, direct continuous integration/continuous delivery (CI/CD) poisoning, and prompt-injection against artificial intelligence (AI) coding assistants. These ongoing incidents highlight the importance of securing open-source pipelines, or risking exposure to immediate credential exfiltration, automated dormant backdoors, and downstream cloud infrastructure compromise.
Threat Overview and Strategic Impact
Megalodon and TrapDoor target core packages, automation, and AI tools modern developers rely on, emphasizing that software supply chain attacks are an ongoing and evolving reality.
Megalodon: CI/CD Poisoning
The Megalodon intrusion began on May 18, 2026, when an unidentified actor executed a Direct Poisoned Pipeline Execution (d-PPE) attack. The campaign compromised 5,561 GitHub repositories in just six hours. By injecting malicious workflow_dispatch triggers into CI/CD pipelines, attackers gained access to enterprise CI runners. This access allows for the exfiltration of CI environment variables, SSH keys, and AWS CLI configurations, granting privileged access to cloud environments. Megalodon’s “Optimize-Build” variant installs dormant backdoors to ensure persistent access without triggering standard repository alerts.
TrapDoor: Cross-Ecosystem AI Assistant Hijacking
TrapDoor pushes the supply chain threat directly to developer endpoints. This attack distributes credential-stealing malware through 34 malicious packages across the npm, PyPI, and Crates[.]io ecosystems. TrapDoor specifically targets developers in the crypto, DeFi, Solana, and AI communities with the intent to steal secrets, wallets, SSH keys, and cloud credentials.
The campaign utilizes a novel TTP of implanting hidden, zero-width Unicode characters within [.]cursorrules and CLAUDE[.]md files. These obfuscated instructions are designed to manipulate Large Language Model (LLM) prompts. Rather than analyzing code safely, the AI assistant is coerced into executing localized credential discovery commands, hunting for secrets under the guise of standard project auditing.
Security Hardening and Recommendations
To defend against the ongoing threats of the Megalodon and TrapDoor campaigns, organizations should review and implement the following suggestions to aid in securing their CI/CD pipelines and developer endpoints. We recommend implementing the following security hardening measures:
- Review CI/CD Configurations: Audit GitHub Actions and CI environments for unauthorized workflow_dispatch triggers or unusual runner activity. Programmatically review all workflows modified since May 18, 2026, hunting for unknown author emails (e.g., build-system[@]noreply[.]dev) or base64-encoded bash scripts. Revert any malicious modifications and rotate all secrets, OIDC tokens, and cloud credentials exposed to compromised repositories.
- TrapDoor Package & AI Context Auditing: Audit package[.]json, requirements[].txt, and Cargo[.]toml lockfiles for the 34 known malicious packages. Disable automatic package resolution in CI environments and mandate strict dependency pinning. Treat local project context files (e.g., [.]cursorrules and CLAUDE[.]md) as potential execution vectors. Development teams must deploy pre-commit hooks to detect and strip zero-width Unicode characters from these configuration files, and actively scan them for obfuscated instructions or suspicious “security scan” prompts.
- Endpoint & Network Defense: Enforce least-privilege access for all AI coding tools and monitor developer endpoints for unauthorized persistence mechanisms, such as new systemd services, modified Git hooks, or altered cron jobs. Implement strict egress filtering on self-hosted CI runners and ensure the Megalodon C2 IP (216.126.225[.]129, port 8443) is blocked at the perimeter. Finally, retroactively hunt for any historical connections to this infrastructure from CI runners.
Detection Strategy
Detecting this activity requires cross-platform visibility spanning cloud infrastructure, CI/CD telemetry, and endpoints. For Megalodon, focus on anomalous Git commit patterns. Flag commits from generic bot personas (e.g., build-bot) that modify [.]github/workflows/ directories, particularly those adding workflow_dispatch parameters or large encoded strings. Scrutinize network telemetry from self-hosted runners for HTTPS connections to unrecognized external IPs.
TrapDoor detection relies heavily on endpoint process telemetry. Alert on suspicious child processes during package installation. Look for Python interpreters spawning node -e to fetch payloads, or Rust build[.]rs scripts traversing user directories. Configure EDR to detect aggressive credential sweeps, specifically file read events targeting ~/.aws/credentials, ~/.ssh/id_rsa, and browser databases. Cloud monitoring tools must baseline standard AWS API access to catch TrapDoor’s token validation routines. Alert on anomalous sts:GetCallerIdentity or iam:ListUsers calls originating from non-corporate IPs immediately following local dependency installations.
How Deepwatch Protects Our Customers
Our Guardians continuously monitor customer environments for endpoint and cloud anomalies indicative of TrapDoor, Megalodon, and other supply chain attacks. We utilize dynamic risk scoring to identify credential harvesting, unauthorized file modifications, and post-exploitation persistence. By correlating endpoint telemetry, cloud logs, and network egress data, Deepwatch is able to rapidly identify suspicious activity related to these campaigns.
Relevant Detections
Please visit Security Center to access the relevant detections for this activity.
Threat Hunting Leads
- Direct Poisoned Pipeline Execution (d-PPE): Search version control system (VCS) audit logs for unexpected additions of the workflow_dispatch parameter within established pipeline files. Focus on commits authored by generic service accounts (e.g., build-bot, auto-ci) or generic email domains (build-system[@]noreply[.]dev). Parse the YAML definitions for high-entropy strings, specifically searching for base64-encoded bash arrays used to bypass static string matching.
- Cross-Ecosystem Execution Anomalies: Analyze endpoint telemetry for execution chains where package managers spawn unauthorized child processes. For npm, track instances where node executes the trap-core.js payload. For Python, query EDR for Python interpreters unexpectedly spawning node -e to fetch external code. For Rust, baseline file access behavior for the cargo build command, alerting when it aggressively traverses user profile directories (e.g., ~/.sui/, ~/.aptos/).
- AI Assistant Prompt Injection: Implement static file analysis using grep or Python scripts to parse all [.]cursorrules and CLAUDE[.]md files for hidden prompt injections via zero-width Unicode characters (\u200B|\u200C|\u200D|\uFEFF). Concurrently, behavioral hunt for AI tooling processes (Cursor, Claude CLI) spawning unauthorized command-line shells (cmd.exe, /bin/bash) that execute local credential discovery commands.
- Live Cloud Credential Validation: Utilize AWS CloudTrail to search for rapid, consecutive API calls used for identity validation (sts:GetCallerIdentity, iam:ListUsers, ec2:DescribeRegions). Correlate this access key usage with the sourceIPAddress field. Alert on access keys utilized from unrecognized ASNs, VPS nodes, or commercial VPNs immediately following a package installation event on a developer’s workstation.
- Post-Exploitation Persistence: Monitor /etc/systemd/system/ and ~/.config/systemd/user/ for newly created .service files containing ExecStart directives pointing to obfuscated bash scripts. Track the execution of crontab -e by user contexts associated with software development. Finally, baseline the cryptographic hash values of standard organizational Git hooks (.git/hooks/), alerting on modifications that introduce network exfiltration commands like curl or wget.
Technical Artifacts
Please visit Security Center to access the associated technical artifacts.
Threat Object Mapping
Intrusion Set:
- Unknown
Attack Pattern (MITRE ATT&CK):
| Tactic | Technique | Technique ID | Associated Threat Activity |
| Initial Access | Supply Chain Compromise | T1195.001 | TrapDoor deploys 34 malicious packages; Megalodon compromises 5,561 repos. |
| Execution | Command and Scripting Interpreter | T1059.004 | Megalodon executes encoded bash scripts; TrapDoor utilizes node -e. |
| Persistence | Scheduled Task/Job: Cron | T1053.003 | trap-core.js generates unauthorized cron jobs in the local environment. |
| Persistence | Boot or Logon Autostart Execution | T1543.002 | TrapDoor generates hidden .service files in systemd. |
| Persistence | Event Triggered Execution | T1546.009 | Megalodon establishes backdoors mapped to workflow_dispatch triggers. |
| Defense Evasion | Obfuscated Files or Information | T1027.003 | TrapDoor injects zero-width Unicode characters into .cursorrules. |
| Credential Access | Credentials from Password Stores | T1555.004 | TrapDoor hunts for AWS credentials, SSH keys, and .env files. |
| Collection | Data from Local System | T1005 | TrapDoor targets local workstation data for Solana, Sui, and Aptos keystores. |
| Command and Control | Application Layer Protocol | T1071.001 | Exfiltration and payload fetching occur over standard HTTPS. |
| Lateral Movement | Remote Services: SSH | T1021.004 | The trap-core.js payload attempts to utilize stolen SSH keys. |
Vulnerabilities:
- These campaigns do not rely on standard CVEs. Megalodon exploits Direct Poisoned Pipeline Execution (d-PPE) flaws, where CI/CD platforms seamlessly execute attacker-controlled configurations implicitly trusted by the repository. TrapDoor abuses the implicit trust granted to package manager lifecycle hooks (e.g., postinstall, build[.]rs). It also exploits Command Injection via AI Prompt Manipulation, abusing LLM assistants that fail to sanitize non-printable Unicode characters within project configuration files.
Malware/Tool:
- Trap-Core Payload (trap-core.js): The primary operational engine of the TrapDoor npm compromise. A 1,149-line obfuscated JavaScript module that harvests credentials, actively validates AWS/GitHub tokens via API, and establishes persistence using systemd, cron, and Git hooks.
- TrapDoor PyPI & Rust Payloads: Python modules utilize a lightweight downloader (node -e) to fetch remote code from GitHub Pages. Rust packages utilize the build.rs compilation script to traverse file systems for blockchain keystores, encrypting them with a hardcoded XOR cipher (cargo-build-helper-2026).
- Megalodon Bash Payloads: Base64-encoded bash scripts injected into GitHub Actions YAML. The “SysDiag” variant executes on push/pull requests for mass credential theft. The “Optimize-Build” variant maps to workflow_dispatch to create a silent, API-triggered dormant backdoor.
Additional Sources
- Mashable: Megalodon cyberattack infects 5,500 GitHub repositories
- Cryptika: Megalodon Malware Compromised 5,500+ GitHub Repos
- Socket.dev: TrapDoor Crypto Stealer Supply Chain Attack
- RedSecureTech: TrapDoor Supply Chain Attack Hits npm PyPI Cratesio
- ITC PE Academy: Megalodon Attack Floods GitHub
- OG William: The Megalodon Breach: How TeamPCP Hijacked
- Prismor: Security Blog – Supply Chain Security
- AI Weekly: TrapDoor poisons npm, PyPI with AI config file attack
- Reddit: TrapDoor Supply Chain Campaign Targets npm, PyPI, and Crates.io
Share