Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows
- Javier Conejo del Cerro
- 16 hours ago
- 5 min read

The software supply chain is no longer being targeted occasionally.
It is now under continuous assault.
The Megalodon campaign demonstrates how attackers are evolving from isolated repository compromises into highly automated, industrial-scale operations capable of poisoning thousands of projects in a matter of hours. Within a six-hour window, attackers pushed more than 5,700 malicious commits into 5,561 GitHub repositories, weaponizing CI/CD workflows to harvest secrets, cloud credentials, SSH keys, infrastructure tokens, and source code data from developer pipelines worldwide.
The operation represents another escalation in the rapidly expanding ecosystem of software supply chain attacks linked to TeamPCP and related activity clusters. Rather than relying on traditional malware delivery, the attackers abused the trust embedded within automated development infrastructure itself.
The compromise did not begin with end users.
It began inside the pipelines developers trust every day.
Phase 1: The Bots Arrive
The attack started with what appeared to be ordinary automated maintenance activity.
The attackers rotated through forged identities using names such as:
- build-bot
- auto-ci
- ci-bot
- pipeline-bot
The associated GitHub accounts were disposable throwaway profiles with randomized usernames designed to appear operationally insignificant. At first glance, the commits resembled normal CI maintenance updates commonly seen across open-source projects.
This camouflage was intentional.
Modern repositories constantly receive automated commits, dependency updates, pipeline changes, and workflow modifications generated by bots. The attackers exploited this operational familiarity to reduce suspicion and maximize the likelihood that maintainers would merge the malicious commits without detailed review.
The fake identities became the perfect disguise for large-scale workflow poisoning.
Phase 2: Poisoning the Pipeline
The malicious commits injected weaponized GitHub Actions workflows directly into repositories.
Hidden inside the workflows were Base64-encoded bash payloads designed to silently execute inside CI/CD runners whenever the workflow triggered. The malware variants were engineered specifically for automated development environments where privileged secrets are routinely exposed during builds, deployments, and infrastructure operations.
Researchers identified two primary payload variants:
- SysDiag: a mass-deployment variant triggered automatically on push and pull request events
- Optimize-Build: a stealthier variant triggered manually through workflow_dispatch
The distinction reveals an important operational strategy.
The attackers balanced reach against stealth.
The mass variant maximized automatic execution across large numbers of repositories, while the targeted variant reduced visibility by activating only when manually triggered against carefully selected targets.
This demonstrates increasing operational maturity within supply chain-focused threat campaigns.
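A defender-side check for the pattern described in this phase, added here as an example and not taken from the article or the researchers it cites: it scans workflow text for Base64 blobs that decode to shell script, for decode-to-shell pipelines, and reports which triggers the file uses. The sample workflows, the 40-character threshold, the shell hints, and all function names are constructed assumptions.

```python
import base64
import re

# Long Base64 runs (40+ characters) are unusual in hand-written workflow YAML.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Decode-and-execute pipelines, e.g. `... | base64 -d | bash`.
DECODE_EXEC = re.compile(r"base64\s+(?:-d|-D|--decode)\b[^\n]*\|\s*(?:ba|z)?sh\b")
TRIGGERS = ("push", "pull_request", "pull_request_target", "workflow_dispatch")
SHELL_HINTS = ("#!/bin/", "curl ", "wget ", "export ", "$(")  # assumed heuristics


def decodes_to_shell(blob: str) -> bool:
    """True if blob is valid Base64 whose plaintext looks like a shell script."""
    try:
        padded = blob + "=" * (-len(blob) % 4)
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False
    return any(hint in text for hint in SHELL_HINTS)


def triggers(workflow: str) -> list[str]:
    """Trigger names in the top-level `on:` section (text heuristic, not a YAML parser)."""
    m = re.search(r"^on:(.*?)(?=^\S|\Z)", workflow, re.M | re.S)
    section = m.group(1) if m else ""
    return [t for t in TRIGGERS if re.search(rf"\b{t}\b", section)]


def scan_workflow(workflow: str) -> dict:
    """Summarise the signals that warrant manual review of a workflow file."""
    blobs = [b for b in B64_RUN.findall(workflow) if decodes_to_shell(b)]
    piped = bool(DECODE_EXEC.search(workflow))
    return {"triggers": triggers(workflow), "decode_exec": piped,
            "shell_blobs": len(blobs), "suspicious": piped or bool(blobs)}


# Constructed samples: a benign payload in an assumed decode-and-run step, and a clean file.
PAYLOAD = base64.b64encode(b"#!/bin/bash\necho constructed-benign-sample-payload\n").decode()
SAMPLE_BAD = ("name: constructed-sample\non:\n  push:\n  pull_request:\njobs:\n  diag:\n"
              f'    steps:\n      - run: echo "{PAYLOAD}" | base64 -d | bash\n')
SAMPLE_OK = "name: CI\non: [push]\njobs:\n  test:\n    steps:\n      - run: make test\n"

if __name__ == "__main__":
    print(scan_workflow(SAMPLE_BAD))
    print(scan_workflow(SAMPLE_OK))
```

A hit on a file that runs automatically on push or pull_request deserves faster triage than one limited to workflow_dispatch, but both warrant review.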
Phase 3: Harvesting the Developer Infrastructure
Once executed inside CI/CD pipelines, the malware aggressively harvested secrets from the build environment.
The stolen data included:
- GitHub Actions tokens
- Amazon Web Services (AWS) credentials
- Google Cloud access tokens
- Azure instance metadata credentials
- SSH private keys
- Docker configurations
- Kubernetes credentials
- Terraform secrets
- Vault tokens
- Database connection strings
- JWTs and API keys
- .env files
- Service account credentials
- Shell history
- OIDC authentication tokens
The malware also queried cloud instance metadata services directly, including AWS IMDSv2, Google Cloud metadata endpoints, and Azure IMDS services.
This allowed the attackers to harvest temporary cloud credentials dynamically during workflow execution.
The attack transformed CI/CD runners into high-value intelligence collection systems.
In modern software environments, pipelines frequently contain privileged access to cloud infrastructure, deployment systems, production services, secrets managers, and container orchestration platforms. Compromising the CI environment therefore often grants broader access than compromising individual developer endpoints.
Phase 4: The Worm-Like Expansion
One of the most dangerous aspects of the Megalodon campaign was its self-propagating nature.
Compromised GitHub tokens, deploy keys, and CI secrets allowed the attackers to pivot into additional repositories, where the cycle repeated itself:
- compromise repository
- inject malicious workflow
- steal new credentials
- compromise additional repositories
This recursive propagation model mirrors worm behavior within software ecosystems.
The campaign reflects a broader transformation in supply chain attacks, where compromise becomes self-sustaining through interconnected developer trust relationships.
One poisoned repository becomes the gateway to the next.
The attack also demonstrates how modern CI/CD infrastructure unintentionally amplifies compromise at machine speed. Once a malicious workflow is merged, execution occurs automatically inside trusted infrastructure without requiring further user interaction.
Automation itself becomes the propagation engine.
Phase 5: The Expanding TeamPCP Ecosystem
Megalodon did not emerge in isolation.
The campaign forms part of a broader wave of supply chain compromises linked to TeamPCP and interconnected malware operations targeting open-source ecosystems. Previous victims associated with these campaigns include:
- GitHub
- TanStack
- Grafana Labs
- OpenAI
- Mistral AI
The attacks increasingly resemble an interconnected infection chain where each compromise feeds the next.
Threat actors weaponize trusted tooling, steal credentials from development systems, pivot into adjacent ecosystems, and continuously expand operational reach across repositories, cloud infrastructure, CI pipelines, and package ecosystems.
Researchers also identified financially motivated behavior tied to extortion crews and criminal partnerships, alongside geopolitically motivated activity including destructive payload deployment targeting systems associated with Iran and Israel.
This convergence of financial crime, supply chain compromise, and geopolitical sabotage signals a dangerous evolution in attacker operations.
Phase 6: npm Fights Back
The fallout from Megalodon and related worm-like campaigns forced ecosystem-wide defensive measures.
npm responded by invalidating granular write-access tokens capable of bypassing two-factor authentication protections. The platform also urged maintainers to migrate toward Trusted Publishing workflows to reduce long-lived credential exposure.
However, researchers emphasized an important reality:
Resetting tokens slows the attackers. It does not solve the underlying structural problem.
As long as trusted repositories, CI systems, and automated workflows remain deeply interconnected, attackers will continue exploiting those trust relationships to spread laterally across ecosystems.
The compromise cycle continues because the software supply chain itself has become the attack surface.
Phase 7: Fake Trading Tools and Wallet Theft
Alongside the GitHub workflow campaign, researchers uncovered another connected operation involving fake Polymarket trading tools published to npm.
These malicious packages impersonated legitimate trading CLI applications while embedding postinstall scripts designed to steal Ethereum and Polygon private keys.
The attack relied heavily on social engineering.
Victims were shown realistic wallet onboarding prompts claiming that private keys would remain encrypted locally. In reality, the keys were transmitted in plaintext to attacker-controlled infrastructure hosted through Cloudflare Workers.
This illustrates how modern supply chain attacks increasingly combine trusted ecosystems, automated execution, credential theft, realistic developer tooling, and social engineering into highly scalable compromise operations.
Measures to Fend Off CI/CD Supply Chain Attacks
- Continuously audit GitHub Actions workflows for unauthorized modifications.
- Restrict workflow execution permissions wherever possible.
- Enforce least privilege access for CI/CD tokens and deploy keys.
- Rotate compromised credentials immediately after exposure.
- Use short-lived credentials instead of persistent secrets.
- Adopt Trusted Publishing mechanisms for package distribution.
- Monitor repositories for suspicious bot-generated commits.
- Restrict automatic workflow execution from external pull requests.
- Implement behavioral monitoring for CI/CD runners.
- Audit cloud metadata service access from build environments.
- Isolate sensitive infrastructure secrets from pipeline execution contexts.
- Conduct continuous supply chain security reviews across dependencies and repositories.
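One way to act on the workflow-audit and bot-commit monitoring measures above, as an added example that is not from the original article: it parses `git log` output and flags commits that touch `.github/workflows/` when the author uses one of the generic bot names listed earlier or is outside an allowlist. The log sample, commit ids, e-mail addresses, allowlist, and function names are constructed assumptions.

```python
# Input format assumed: git log --name-only --format='@%H%x09%an%x09%ae'
BOT_NAMES = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}  # names listed in the article
WORKFLOW_DIR = ".github/workflows/"


def parse_log(log: str) -> list[dict]:
    """Turn the tab-separated header lines and file lists into commit records."""
    commits = []
    for line in log.splitlines():
        if line.startswith("@"):
            sha, name, email = line[1:].split("\t", 2)
            commits.append({"sha": sha, "name": name, "email": email, "files": []})
        elif line.strip() and commits:
            commits[-1]["files"].append(line.strip())
    return commits


def flag_commits(log: str, trusted_emails: set[str]) -> list[tuple[str, str]]:
    """Return (sha, reason) for workflow-touching commits that need human review.

    Git author fields are self-asserted, so a match or a miss here is a
    triage signal only, never proof of who made the change.
    """
    findings = []
    for c in parse_log(log):
        if not any(f.startswith(WORKFLOW_DIR) for f in c["files"]):
            continue  # commit does not modify CI definitions
        if c["name"].lower() in BOT_NAMES:
            findings.append((c["sha"], "bot-name"))
        elif c["email"].lower() not in trusted_emails:
            findings.append((c["sha"], "unlisted-author"))
    return findings


# Constructed sample log: four commits, three of which touch workflow files.
SAMPLE_LOG = (
    "@aaa1111\tbuild-bot\tx9f3k@users.noreply.example\n\n.github/workflows/diag.yml\n"
    "@bbb2222\tAlice Dev\talice@example.org\n\nsrc/app.py\n"
    "@ccc3333\tNew Contributor\tnew@example.net\n\n.github/workflows/ci.yml\nREADME.md\n"
    "@ddd4444\tAlice Dev\talice@example.org\n\n.github/workflows/ci.yml\n"
)

if __name__ == "__main__":
    for sha, reason in flag_commits(SAMPLE_LOG, {"alice@example.org"}):
        print(sha, reason)
```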
Conclusion
The Megalodon campaign demonstrates that software supply chain attacks are no longer isolated compromises.
They are becoming automated ecosystems of infection.
By weaponizing GitHub workflows, CI/CD pipelines, cloud credentials, and trusted automation processes, attackers transformed ordinary repositories into self-propagating compromise platforms capable of spreading at machine speed across thousands of projects.
The campaign also highlights a deeper shift in cybersecurity itself.
Attackers increasingly target trust relationships rather than software vulnerabilities alone. Every automated pipeline, bot account, package update, repository integration, and cloud deployment workflow becomes a potential expansion path.
In highly interconnected development ecosystems, compromise no longer behaves like a single breach event.
It behaves like a wave.
The Hacker News



