Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
Avoid using the malicious versions of the @tiledesk/tiledesk-server package.
@tiledesk/tiledesk-server is the Tiledesk server module.
Affected versions of this package contain Embedded Malicious Code, part of the "Megalodon" campaign, which orchestrated a massive supply-chain attack by pushing malicious commits to 5,561 GitHub repositories within a six-hour window. Using forged bot identities, the attackers injected compromised GitHub Actions workflows containing base64-encoded bash payloads. These scripts were designed to exfiltrate sensitive CI secrets, cloud credentials, and SSH keys to a remote command-and-control server.
The campaign used two variants: a mass version triggered by routine repository actions, and a targeted, dormant version. Notably, the targeted variant successfully poisoned the npm package @tiledesk/tiledesk-server when its legitimate maintainer unknowingly published updates from the compromised repository.
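The workflow-injection mechanism described above lends itself to a simple repository check. The following Python script is an added example, not code from Snyk or the Tiledesk project: it scans GitHub Actions workflow files for `run:` steps that decode base64 and pipe the result into a shell, the pattern the advisory describes, and attaches a decoded preview so a reviewer can triage the hit. The two workflow documents embedded in it are constructed for the example, and the encoded blob in the suspicious one is a harmless stand-in, not the campaign's payload.

```python
"""Flag base64-decode-to-shell steps in GitHub Actions workflows.

Added example, not Snyk's or Tiledesk's code. Detection only: it reports
`run:` lines that decode base64 and feed the result to a shell interpreter.
The sample workflows at the bottom are constructed for this example.
"""
from __future__ import annotations

import base64
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# A base64 decoder invocation on the line (GNU/BSD coreutils or openssl).
DECODE_RE = re.compile(
    r"base64\s+(?:-d|--decode|-D)\b|openssl\s+(?:enc\s+-d\s+-base64|base64\s+-d)\b"
)
# Something that executes the decoded bytes: a pipe into sh/bash/zsh/dash,
# an `eval`, or `bash -c`.
SHELL_SINK_RE = re.compile(r"\|\s*(?:ba|z|da)?sh\b|\beval\b|\b(?:ba|z)?sh\s+-c\b")
# A long run of base64 alphabet characters, used only to build the preview.
B64_LITERAL_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


@dataclass
class Finding:
    path: str
    line_no: int
    line: str
    decoded_preview: str  # first 60 chars of the decoded blob, or "" if not text


def decode_preview(token: str) -> str:
    """Best-effort decode of a base64 literal for the report; "" if not text."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")  # strict: binary blobs produce no preview
    except (ValueError, UnicodeDecodeError):
        return ""
    if not all(ch.isprintable() or ch in "\n\t" for ch in text):
        return ""
    return text[:60]


def scan_workflow(path: str, text: str) -> list[Finding]:
    """Return one Finding per line that both decodes base64 and runs a shell."""
    findings: list[Finding] = []
    for no, line in enumerate(text.splitlines(), start=1):
        if DECODE_RE.search(line) and SHELL_SINK_RE.search(line):
            m = B64_LITERAL_RE.search(line)
            preview = decode_preview(m.group(0)) if m else ""
            findings.append(Finding(path, no, line.strip(), preview))
    return findings


def scan_directory(root: str = ".github/workflows") -> list[Finding]:
    """Scan every *.yml / *.yaml file under the workflows directory."""
    findings: list[Finding] = []
    for p in sorted(Path(root).glob("*.y*ml")):
        findings.extend(scan_workflow(str(p), p.read_text(encoding="utf-8")))
    return findings


# --- constructed sample input (not real workflows from any repository) ---
BENIGN_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# Harmless stand-in for an injected blob; it decodes to an echo command.
_STAND_IN = b'echo "this stands in for an injected payload; the real one is not reproduced here"'
_B64 = base64.b64encode(_STAND_IN).decode()

SUSPICIOUS_WORKFLOW = f"""\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "{_B64}" | base64 -d | bash
"""

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    results = (
        scan_directory(root)
        if root
        else scan_workflow("benign.yml", BENIGN_WORKFLOW)
        + scan_workflow("suspicious.yml", SUSPICIOUS_WORKFLOW)
    )
    for f in results:
        print(f"{f.path}:{f.line_no}: decode-to-shell step; preview: {f.decoded_preview!r}")
    sys.exit(1 if results else 0)
```

Run it with no arguments to see the two embedded samples scored, or pass a path to a repository's `.github/workflows` directory to scan real files; a non-zero exit lets it gate a CI job. The check is line-oriented, so a `run: |` block that splits the decode and the pipe across lines needs the block joined first, and a hit is a triage signal rather than proof of compromise: the decoded preview is what tells a reviewer whether the step is legitimate.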