The ecosystems differed, the targets differed, and the actors may have differed. The goal was the same: get malicious code to run where developers work, and walk away with credentials.
Campaign 1 — Megalodon: 5,561 GitHub Repositories Backdoored in Six Hours
On May 18, 2026, an automated campaign pushed 5,718 malicious commits to 5,561 GitHub repositories inside a six-hour window. SafeDep, which uncovered the campaign, traced it to two throwaway email addresses and four forged bot identities. Commit messages mimicked routine CI maintenance ("ci: add build optimization step"). Each commit injected a GitHub Actions workflow carrying a base64-encoded bash payload that exfiltrated CI secrets, cloud credentials, SSH keys, OIDC tokens, and secrets found in source to a C2 server.
The campaign deployed two variants: a mass variant that fired on every push, and a targeted Optimize-Build variant that replaced existing workflows and waited for a manual trigger (workflow_dispatch), a dormant backdoor activated on demand. OX Security independently confirmed 3,500+ infected repositories.
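The injected-workflow pattern above can be hunted for statically, and the same pass tells you what a compromised job could have reached. The scanner below is an added example, not SafeDep's or OX Security's tooling and not the campaign's code: it reads GitHub Actions workflow files, pulls out the trigger events, flags the decode-and-execute idiom and any dump of the whole secrets context, and lists which named secrets the workflow references. The heuristics, the two sample workflows and the placeholder blob are constructed for illustration; the real payload is not reproduced.

```python
import base64
import re
from pathlib import Path

# Heuristics assumed here for illustration; tune them to your own workflows.
DECODE_THEN_EXEC = re.compile(
    r"base64\s+(?:-d|--decode)\b[^\n|]*\|\s*(?:ba)?sh\b"   # echo BLOB | base64 -d | bash
    r"|(?:ba)?sh\s+<\(\s*[^)]*base64\s+(?:-d|--decode)",  # bash <(echo BLOB | base64 -d)
    re.IGNORECASE,
)
LONG_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")            # an inline payload
DUMP_ALL_SECRETS = re.compile(r"toJSON\s*\(\s*secrets\s*\)", re.I)   # ${{ toJSON(secrets) }}
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
ON_KEY = re.compile(r"""^["']?on["']?:\s*(.*?)\s*$""")


def workflow_triggers(text: str) -> list[str]:
    """Event names under the top-level 'on:' key, for both the inline form
    (on: push / on: [push, workflow_dispatch]) and the block form."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = ON_KEY.match(line)
        if not m:
            continue
        if m.group(1):                                    # inline scalar or flow list
            return [t.strip() for t in m.group(1).strip("[]").split(",") if t.strip()]
        events, child_indent = [], None
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            indent = len(nxt) - len(nxt.lstrip())
            if indent == 0:                               # next top-level key: block is over
                break
            child_indent = indent if child_indent is None else child_indent
            if indent == child_indent:                    # direct children are the events
                events.append(nxt.strip().split(":")[0])
        return events
    return []


def scan_workflow(path: str, text: str) -> dict:
    """Evidence for one workflow file: what starts it, whether it decodes-and-runs a blob,
    whether it dumps the secrets context, and which named secrets it can reach."""
    f = {
        "path": path,
        "triggers": workflow_triggers(text),
        "decode_then_exec": bool(DECODE_THEN_EXEC.search(text)),
        "long_base64_blob": bool(LONG_B64_BLOB.search(text)),
        "dumps_all_secrets": bool(DUMP_ALL_SECRETS.search(text)),
        "secrets_referenced": sorted(set(SECRET_REF.findall(text))),
    }
    f["suspicious"] = f["decode_then_exec"] or f["dumps_all_secrets"] or f["long_base64_blob"]
    # Suspicious body plus nothing but a manual trigger: the dormant, on-demand shape.
    f["dormant"] = f["suspicious"] and f["triggers"] == ["workflow_dispatch"]
    return f


def scan_repo(repo: Path) -> list[dict]:
    """Scan every workflow under .github/workflows of a checked-out repository."""
    wf_dir = repo / ".github" / "workflows"
    if not wf_dir.is_dir():
        return []
    return [scan_workflow(str(p), p.read_text(errors="replace")) for p in sorted(wf_dir.glob("*.y*ml"))]


# Constructed samples: a normal CI workflow and one shaped like the dormant variant.
BENIGN_WORKFLOW = """\
name: ci
on:
  push:
    branches: [main]
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Placeholder blob: a harmless comment, base64-encoded. The real payload is not reproduced.
PLACEHOLDER_BLOB = base64.b64encode(b"# constructed placeholder, not the real payload\n" * 6).decode()

DORMANT_WORKFLOW = """\
name: Optimize Build
on:
  workflow_dispatch:
jobs:
  optimize:
    runs-on: ubuntu-latest
    steps:
      - name: build optimization step
        env:
          ALL_SECRETS: ${{ toJSON(secrets) }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
        run: echo "__BLOB__" | base64 -d | bash
""".replace("__BLOB__", PLACEHOLDER_BLOB)

if __name__ == "__main__":
    for name, text in (("ci.yml", BENIGN_WORKFLOW), ("optimize-build.yml", DORMANT_WORKFLOW)):
        print(scan_workflow(name, text))
```

Run it over a clone with scan_repo(Path(".")). The secrets_referenced list is the answer to "what could it reach": every name in it, plus everything in the secrets context if dumps_all_secrets is set, belongs on the rotation list for any repository where the injected workflow ran. The regexes are a first pass, not a parser; a job that writes the blob to a file and runs it in a later step, or that pulls the decoder from a remote script, will slip past them, so treat a hit as a lead and a miss as nothing more than a miss.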
Campaign 2 — Laravel-Lang: 700+ Package Versions Poisoned via Git Tag Rewriting
On May 22–23, 2026, attackers rewrote the Git tags of four Laravel-Lang Composer packages, so that more than 700 historical versions resolved to commits carrying the payload. That payload fingerprints the machine, connects to a C2 domain, and fetches a PHP credential stealer. Targets included AWS/GCP/Azure keys, Vault tokens, SSH keys, browser credentials, password managers, and crypto wallets across all major platforms.
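A tag that moves is the tell here, and it is cheap to spot if you keep a snapshot of what each package's tags resolved to. The code below is an added example, not Laravel-Lang's, Composer's or Packagist's code: it parses `git ls-remote --tags` output (taking the peeled commit for annotated tags, since that is what gets checked out), reports tags whose target changed between two snapshots, and checks a composer.lock against the current resolution. The package names, tag names, URLs and commit hashes are constructed.

```python
import json

REFS_TAGS = "refs/tags/"


def parse_ls_remote_tags(text: str) -> dict[str, str]:
    """Map tag name -> commit it resolves to, from `git ls-remote --tags <url>` output.
    Annotated tags appear twice, once as the tag object and once peeled ('v2.0.0^{}')
    to the commit; the peeled entry is what a package manager checks out, so it wins."""
    plain, peeled = {}, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split(None, 1)
        ref = ref.strip()
        if not ref.startswith(REFS_TAGS):
            continue
        name = ref[len(REFS_TAGS):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha
        else:
            plain[name] = sha
    return {**plain, **peeled}


def rewritten_tags(baseline: dict[str, str], current: dict[str, str]) -> list[tuple[str, str, str]]:
    """Tags present in both snapshots whose commit changed. A tag is supposed to be immutable,
    so every entry is either a deliberate re-tag by the maintainer or a rewrite like this one.
    New tags are not flagged; deleted tags are not flagged either."""
    return sorted((tag, baseline[tag], current[tag])
                  for tag in baseline if tag in current and baseline[tag] != current[tag])


def lock_mismatches(lock_json: str, tags_by_package: dict[str, dict[str, str]]) -> list[tuple[str, str, str, str]]:
    """Compare each locked package's source.reference (the commit Composer recorded at install
    time) against what that version's tag resolves to now. Versions may carry or omit the 'v'."""
    out = []
    for pkg in json.loads(lock_json).get("packages", []):
        tags = tags_by_package.get(pkg["name"])
        if not tags:
            continue
        version = pkg["version"]
        now = tags.get(version) or tags.get("v" + version) or tags.get(version.lstrip("v"))
        locked = pkg.get("source", {}).get("reference")
        if now and locked and now != locked:
            out.append((pkg["name"], version, locked, now))
    return out


# Constructed snapshots and lock file; package names, URLs and hashes are placeholders.
A, B, T, C, D = "a" * 40, "b" * 40, "1" * 40, "c" * 40, "d" * 40
BASELINE_LS_REMOTE = (f"{A}\t{REFS_TAGS}v1.0.0\n"
                      f"{T}\t{REFS_TAGS}v2.0.0\n{C}\t{REFS_TAGS}v2.0.0^{{}}\n")   # v2.0.0 is annotated
CURRENT_LS_REMOTE = (f"{B}\t{REFS_TAGS}v1.0.0\n"                                  # v1.0.0 moved
                     f"{T}\t{REFS_TAGS}v2.0.0\n{C}\t{REFS_TAGS}v2.0.0^{{}}\n"
                     f"{D}\t{REFS_TAGS}v2.1.0\n")                                  # new tag, fine
COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "vendor/pkg-a", "version": "v1.0.0",
     "source": {"type": "git", "url": "https://example.invalid/vendor/pkg-a.git", "reference": A}},
    {"name": "vendor/pkg-b", "version": "v2.0.0",
     "source": {"type": "git", "url": "https://example.invalid/vendor/pkg-b.git", "reference": C}},
]})


def demo() -> dict:
    base = parse_ls_remote_tags(BASELINE_LS_REMOTE)
    cur = parse_ls_remote_tags(CURRENT_LS_REMOTE)
    return {
        "rewritten": rewritten_tags(base, cur),
        "lock_mismatches": lock_mismatches(COMPOSER_LOCK,
                                           {"vendor/pkg-a": cur, "vendor/pkg-b": {"v2.0.0": C, "v2.1.0": D}}),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats. In an existing clone, `git fetch` has refused to clobber a local tag without `--force` since Git 2.20, so a rewrite shows up there as a rejected update; a fresh clone or a dist archive downloaded by Composer has no such baseline, which is why keeping your own snapshot matters. And a lock file only protects you if the install honours it: `composer install` with a committed composer.lock compares the recorded reference, `composer update` does not.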
Campaign 3 — TrapDoor: Cross-Ecosystem Crypto Stealer Hits npm, PyPI, and Crates.io
Starting May 22, Socket researchers detected a coordinated campaign across three registries simultaneously: 34+ malicious packages and 384+ versions, all posing as developer or DeFi tooling. Execution paths were tailored per ecosystem: postinstall hooks on npm, import-time execution on PyPI, and build.rs at compile time on Crates.io.
The npm payload went further: it validated stolen credentials via AWS and GitHub APIs, attempted SSH lateral movement, and planted persistence through .cursorrules and CLAUDE.md — attempting to inject instructions into AI coding assistants to disguise exfiltration as a "security scan." The attacker also opened PRs against LangChain, browser-use, LlamaIndex, and Gemini CLI proposing to add those same files.
Campaign 4 — Miasma: Mini Shai-Hulud Returns, Hits 32 Red Hat npm Packages
On June 1, 2026, 96 versions across 32 @redhat-cloud-services npm packages were compromised. A Red Hat employee's GitHub account was taken over, malicious orphan commits were pushed, and GitHub's OIDC trusted publishing was abused to publish backdoored versions without any npm credentials. Each package fires a preinstall hook that sweeps for GitHub Actions secrets, AWS/GCP/Azure credentials, Vault tokens, Kubernetes tokens, SSH keys, and .env files.
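Two of the execution paths used in this campaign and in TrapDoor, npm lifecycle scripts and a crate's build.rs, are declared in files you can read before anything runs, and the AI-assistant instruction files TrapDoor planted are ordinary files with fixed names. The audit below is an added example, not Socket's, Red Hat's or npm's tooling: it walks a checked-out tree and lists every npm package with an install-time script (flagging ones that fetch or eval), every crate with a build script, and every .cursorrules or CLAUDE.md, including ones shipped inside a dependency. The fixture it builds in a temporary directory, with its package names and script contents, is constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")      # run by npm at install
FETCH_OR_EVAL = re.compile(r"\b(?:curl|wget|eval|base64|node\s+-e)\b")   # assumed heuristic
ASSISTANT_FILES = {".cursorrules", "CLAUDE.md"}


def npm_install_hooks(root: Path) -> list[dict]:
    """Every package.json under root that declares a lifecycle script npm runs at install time."""
    hits = []
    for pkg_json in sorted(root.rglob("package.json")):
        try:
            data = json.loads(pkg_json.read_text())
        except (ValueError, OSError):
            continue
        hooks = {k: v for k, v in (data.get("scripts") or {}).items() if k in INSTALL_HOOKS}
        if hooks:
            hits.append({
                "package": data.get("name", pkg_json.parent.name),
                "path": str(pkg_json.parent.relative_to(root)),
                "hooks": hooks,
                "fetches_or_evals": any(FETCH_OR_EVAL.search(cmd) for cmd in hooks.values()),
            })
    return hits


def crate_build_scripts(root: Path) -> list[str]:
    """Crates with a build.rs beside Cargo.toml: code that runs at compile time on the developer's machine."""
    return sorted(str(p.parent.relative_to(root)) for p in root.rglob("Cargo.toml")
                  if (p.parent / "build.rs").exists())


def assistant_instruction_files(root: Path) -> list[str]:
    """AI-assistant instruction files anywhere in the tree; one inside node_modules is a smell on its own."""
    return sorted(str(p.relative_to(root)) for p in root.rglob("*") if p.name in ASSISTANT_FILES)


def audit(root: Path) -> dict:
    return {"npm_install_hooks": npm_install_hooks(root),
            "crate_build_scripts": crate_build_scripts(root),
            "assistant_instruction_files": assistant_instruction_files(root)}


def build_sample_tree(root: Path) -> None:
    """Constructed fixture, hypothetical names: one clean npm package, one with a preinstall
    hook that runs inline code, an assistant rules file dropped by that package, and a crate
    with a build script."""
    clean = root / "node_modules" / "example-lib"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps(
        {"name": "example-lib", "version": "1.0.0", "scripts": {"test": "node test.js"}}))
    bad = root / "node_modules" / "@example" / "telemetry-helper"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps(
        {"name": "@example/telemetry-helper", "version": "2.3.1",
         "scripts": {"preinstall": "node -e \"require('./setup.js')\"", "test": "echo ok"}}))
    (bad / ".cursorrules").write_text("# constructed placeholder\n")
    crate = root / "crates" / "buildtool"
    crate.mkdir(parents=True)
    (crate / "Cargo.toml").write_text('[package]\nname = "buildtool"\nversion = "0.1.0"\n')
    (crate / "build.rs").write_text("fn main() {}\n")


def demo_audit() -> dict:
    root = Path(tempfile.mkdtemp())
    build_sample_tree(root)
    return audit(root)


if __name__ == "__main__":
    print(json.dumps(demo_audit(), indent=2))
```

For npm the list is also the argument for `ignore-scripts=true` in .npmrc (or `npm ci --ignore-scripts`), after which the packages that genuinely need an install step are the short list you run by hand. Cargo has no comparable switch, so a build.rs in a dependency is code you accept at compile time. PyPI's import-time execution leaves nothing to declare and is out of reach of a scan like this; only the install-time and build-time hooks are visible in advance.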
Miasma is a direct derivative of Mini Shai-Hulud, the worm TeamPCP open-sourced in May alongside posts on BreachForums encouraging others to replicate it. It is the first confirmed major case of that open-sourcing producing enterprise-scale attacks.
The Common Thread
Four campaigns, six ecosystems, one objective. The attack surface changed with every campaign. The goal did not: extract credentials from where developers and pipelines operate.
None of these attacks required a zero-day. They found a developer account to compromise, a trusted package to backdoor, a build process to abuse, or a tag system to rewrite. In each case, the malicious component ran in an environment where credentials were reachable, before security teams had any visibility.
The question every affected team should be asking now is not only "did this package run in my environment?" but also "what could it reach if it did, and have those credentials been rotated?"
Knowing where your secrets actually live across repositories, CI configurations, environment variables, and developer machines is what makes that question answerable in time to matter.

