Megalodon Campaign Injects Malicious GitHub Actions Workflows into 5,561 Repositories
What Happened — Researchers uncovered an automated campaign, dubbed Megalodon, that pushed 5,718 malicious commits across 5,561 public GitHub repositories within a six‑hour window. The attackers created throwaway accounts and forged author identities (e.g., build‑bot, ci‑bot) to embed malicious GitHub Actions workflows containing base64‑encoded Bash payloads that harvest CI secrets and exfiltrate data.
Why It Matters for TPRM —
- Supply‑chain risk – Compromised CI pipelines can introduce backdoors into downstream software used by your vendors.
- Credential exposure – Extracted CI tokens, SSH keys, and API secrets can be leveraged to access other cloud resources.
- Compliance & reputation – Malicious code in open‑source components may trigger audit findings, regulatory penalties, and brand damage.
Who Is Affected — Technology SaaS platforms, software development firms, enterprises that rely on open‑source libraries, and any organization that integrates third‑party GitHub repositories into its build process.
Recommended Actions — Review all third‑party dependencies sourced from GitHub, enforce signed commits and workflow verification, rotate CI secrets, and monitor GitHub Actions logs for anomalous activity.
Technical Notes — Attack vector: malicious GitHub Actions workflows (MALWARE) injected via throwaway accounts; no known CVE. Payloads are base64‑encoded Bash scripts that enumerate environment variables, SSH keys, and other CI credentials for exfiltration.
Source: The Hacker News