Megalodon Malware Compromises Thousands of GitHub Repositories Through CI/CD Backdoors


One of the Largest GitHub Supply Chain Attacks Ever Recorded Is Underway

As an independent cybersecurity blogger and part time penetration tester, software supply chain attacks are rapidly evolving beyond poisoned packages into direct attacks against the CI/CD infrastructure powering modern development itself.

Researchers are now tracking a massive automated campaign dubbed Megalodon, which compromised:

  • More than 5,500 GitHub repositories
  • Thousands of GitHub Actions workflows
  • CI/CD runners
  • Cloud deployment environments
  • Developer ecosystems.

According to SafeDep researchers, the attackers pushed:

  • 5,718 malicious commits
  • Across 5,561 repositories
  • Within approximately six hours.

The campaign injected malicious GitHub Actions workflows designed to:

  • Steal cloud credentials
  • Exfiltrate GitHub tokens
  • Harvest SSH keys
  • Extract CI/CD secrets
  • Abuse OIDC authentication workflows.

Researchers warn this campaign represents a major escalation in software supply chain warfare.

What Happened: Attackers Poisoned GitHub Actions Workflows at Massive Scale

Security researchers discovered the campaign after SafeDep’s Malysis engine detected:

  • Base64-encoded malicious payloads
  • Hidden inside GitHub Actions workflows.

The malware campaign reportedly abused:

  • Compromised GitHub tokens
  • Stolen deploy keys
  • OAuth permissions
  • CI/CD access tokens.

Researchers observed attackers impersonating automation bots using forged identities such as:

  • build-bot
  • auto-ci
  • ci-bot
  • pipeline-bot.

Malicious commit messages were intentionally disguised as legitimate CI updates including:

  • “ci: add build optimization step”
  • “build: improve ci performance”
  • “chore: optimize pipeline runtime”.

Researchers confirmed the campaign affected repositories across multiple ecosystems and organizations.

Why This Issue Is Critical: CI/CD Pipelines Are High-Privilege Attack Targets

Modern CI/CD pipelines frequently contain access to:

  • AWS credentials
  • Azure identities
  • GCP tokens
  • GitHub secrets
  • Docker registries
  • Kubernetes clusters
  • Terraform environments
  • npm publishing tokens.

When attackers compromise GitHub Actions workflows, they may gain direct access to:

  • Production infrastructure
  • Cloud deployment systems
  • Enterprise secrets
  • Package publishing environments
  • Downstream software supply chains.

Researchers warn this attack differs from traditional npm poisoning because the malware targets:

  • CI/CD infrastructure itself
  • Rather than only software packages.

That dramatically increases the potential blast radius.

How the Attack Worked: From Workflow Poisoning to Cloud Credential Theft

Stage 1 - Compromising Repository Access

Researchers believe attackers first obtained:

  • GitHub Personal Access Tokens (PATs)
  • OAuth grants
  • Deploy keys
  • Write access to repositories.

The attackers then pushed malicious commits directly into repositories using:

  • Fake automation accounts
  • Forged author identities
  • Randomized throwaway GitHub accounts.

Researchers noted many commits bypassed pull requests entirely, suggesting:

  • Direct repository write access
  • Or compromised maintainer credentials.

Stage 2 - GitHub Actions Workflow Poisoning

The attackers injected malicious GitHub Actions workflows including:

  • SysDiag
  • Optimize-Build.

Researchers explained the workflows contained:

  • Base64-encoded bash payloads
  • Hidden inside YAML pipeline definitions.

One variant added new workflows triggered automatically on:

  • push
  • pull_request_target events.

Another variant replaced legitimate workflows with dormant backdoors triggered through:

  • workflow_dispatch events
  • GitHub API execution.

Stage 3 - Credential Harvesting and Exfiltration

Once executed, the malicious workflow harvested:

  • Environment variables
  • GitHub Actions tokens
  • AWS credentials
  • Azure metadata credentials
  • GCP OAuth tokens
  • SSH private keys
  • Kubernetes configs
  • Vault tokens
  • Terraform credentials
  • npm tokens
  • Docker authentication files.

Researchers also confirmed the malware queried:

  • AWS IMDSv2
  • Azure IMDS
  • GCP metadata endpoints

to extract cloud instance credentials automatically.

The harvested data was reportedly exfiltrated to:

  • 216.126.225.129:8443.

Stage 4 - Long-Term Supply Chain Persistence

Researchers warn the campaign creates long-term persistence by stealing:

  • Long-lived IAM credentials
  • SSH keys
  • OIDC trust relationships
  • CI/CD secrets.

This allows attackers to:

  • Re-enter repositories later
  • Poison additional workflows
  • Publish malicious packages
  • Access cloud infrastructure
  • Expand into downstream ecosystems.

Why This Incident Matters for Cybersecurity: CI/CD Infrastructure Is the New Battleground

This campaign reinforces several major cybersecurity realities:

  • GitHub Actions workflows are executable code
  • CI/CD systems are now primary attack targets
  • Workflow files often receive weak security review
  • Cloud identity systems are deeply integrated into pipelines.

Researchers specifically warn many organizations incorrectly treat:

  • Workflow YAML files
  • As simple configuration rather than privileged executable infrastructure.

This creates massive hidden attack surfaces.

Common Risks Highlighted: Where Organisations Are Vulnerable

The campaign exposed several major weaknesses:

  • Weak GitHub token security
  • Excessive CI/CD permissions
  • Unsafe GitHub Actions workflows
  • Poor secrets segmentation
  • Weak workflow integrity monitoring
  • Excessive OIDC trust relationships.

Researchers additionally warn many organizations fail to:

  • Monitor workflow changes aggressively
  • Audit runner permissions continuously
  • Restrict id-token: write permissions
  • Review build-pipeline integrity properly.

Potential Impact: From Credential Theft to Cloud Infrastructure Compromise

The consequences may include:

  • Cloud compromise
  • Production environment access
  • Package poisoning
  • Software supply chain attacks
  • Enterprise lateral movement
  • Infrastructure persistence.

Researchers warn the malware may expose:

  • AWS IAM credentials
  • Azure managed identities
  • GCP service account access
  • GitHub publishing rights
  • Kubernetes cluster credentials.

This can rapidly escalate into:

  • Enterprise-wide compromise
  • Downstream software infections
  • Cross-cloud identity abuse.

What Organisations Should Do Now: Immediate Defensive Actions

Security teams should immediately:

  • Rotate all CI/CD secrets
  • Revoke exposed GitHub tokens
  • Audit workflow file integrity
  • Review GitHub Actions permissions
  • Remove malicious workflow changes
  • Restrict OIDC token issuance.

Researchers additionally recommend:

  • Blocking the identified C2 infrastructure
  • Auditing all .github/workflows/ files
  • Reviewing GitHub audit logs
  • Monitoring runner egress traffic.

Organizations should also:

  • Harden self-hosted runners
  • Restrict cloud metadata access
  • Enforce least privilege across CI/CD systems.

Detection and Monitoring Strategies: Identifying Megalodon Activity

To detect related attacks:

  • Monitor suspicious workflow changes
  • Detect base64-decoding bash payloads
  • Analyze abnormal GitHub Actions behavior
  • Review outbound runner traffic
  • Detect unusual OIDC requests
  • Monitor unauthorized workflow_dispatch triggers.

Researchers warn early indicators often include:

  • New workflow files
  • Unexpected id-token: write permissions
  • Suspicious CI optimization commit messages
  • Base64 execution chains inside YAML files.

The Role of Incident Response Planning: Preparing for CI/CD Supply Chain Attacks

Incident response teams should prepare for:

  • GitHub forensic analysis
  • Workflow integrity investigations
  • Cloud IAM compromise assessments
  • Token revocation workflows
  • CI runner compromise analysis.

Modern incident response increasingly requires:

  • Build pipeline visibility
  • Cloud identity telemetry
  • GitHub Actions monitoring
  • Workflow integrity auditing.

Penetration Testing Insight: Simulating Workflow Poisoning Attacks

From a red team perspective:

  • Test GitHub Actions permissions
  • Evaluate workflow integrity monitoring
  • Assess OIDC trust configurations
  • Simulate CI/CD secret harvesting
  • Validate runner isolation controls.

Modern penetration testing increasingly requires simulation of:

  • Workflow poisoning
  • CI/CD credential theft
  • Cloud identity abuse
  • GitHub Actions exploitation.

Expert Insight

James Knight, Senior Principal at Digital Warfare, said:
“CI/CD workflows now represent one of the highest-value targets in modern cybersecurity because they bridge developer environments directly into cloud infrastructure, production systems, and software supply chains.”

Pen Testing Tools and Tactics Summary

  • GitHub Actions security assessment
  • CI/CD workflow integrity testing
  • OIDC abuse simulation
  • Cloud credential exposure analysis
  • Runner isolation validation

Threat Intelligence Recommendations

Organisations should:

  • Monitor GitHub Actions workflow modifications continuously
  • Audit CI/CD trust relationships aggressively
  • Review cloud identity exposure regularly
  • Harden developer infrastructure immediately.

Threat visibility is critical because the Megalodon campaign is actively evolving at massive scale.

Supply Chain and Third Party Risk

This incident also highlights broader ecosystem concerns:

  • GitHub Actions workflows create inherited risk
  • Open-source CI/CD infrastructure is a high-value target
  • Cloud identity integration expands attack surfaces
  • Software supply chain attacks are becoming increasingly automated.

Modern cybersecurity increasingly depends on securing the software delivery pipeline itself.

Objective Snippets for Quick Reference

  • “5,718 malicious commits targeted 5,561 GitHub repositories.”
  • “The campaign injected malicious GitHub Actions workflows.”
  • “Attackers exfiltrated CI/CD secrets and cloud credentials.”
  • “The malware harvested AWS, GCP, Azure, SSH, Docker, and Kubernetes credentials.”

Call to Action

Cybersecurity professionals and organisations must evolve alongside these threats.

Simulate CI/CD compromise scenarios, validate workflow integrity protections, and challenge assumptions around GitHub trust, OIDC security, and cloud deployment pipeline exposure.

Stay informed, refine your security strategies, and ensure that GitHub repositories, CI/CD systems, and enterprise cloud infrastructure remain protected against increasingly sophisticated software supply chain attacks.

Comments

Post a Comment

Popular posts from this blog

Signed, Trusted, Exploited: Inside the ScreenConnect Breach Playbook

Signed, Trusted, Exploited: Inside the ScreenConnect Breach Playbook A trusted remote access tool turned Trojan: today’s news reveals how attackers have hijacked ScreenConnect (now ConnectWise Control), weaponizing its legitimacy to bypass defenses and sustain access. As an independent blogger and penetration tester , this twist-from trusted utility to clandestine threat vector-highlights an urgent shift: defenders must now regard established tools as potential weapons, and our penetration testing methodologies must evolve accordingly. Attack Vector: Weaponized RMM Software Threat actors are misusing ScreenConnect installers-often digitally signed and trusted-to establish persistent access, using methods like Authenticode stuffing to embed malicious configuration while preserving legitimate signatures. Technical Abuse: CHAINVERB Downloader In several campaigns, the CHAINVERB backdoor leverages signed ScreenConnect binaries. It hides C2 instructions inside certificate fields, en...
Read more

Stolen Lawmaker Data, $25 million in losses: Hacker Charged

  Stolen Lawmaker Data, $25 million in losses: Hacker Charged As of June 25, 2025, the cybersecurity landscape is increasingly perilous, driven by state-sponsored cyber warfare, sophisticated ransomware operations, and vulnerabilities in supply chains. High-profile incidents, such as the 2023 hack of a U.S. health insurance marketplace by IntelBroker, impacting lawmakers and causing $25 million in losses, highlight the urgency of robust defenses. This blog explores these threats through the lens of penetration testing and ethical hacking, providing actionable insights for cybersecurity professionals and enthusiasts. State-Sponsored Cyber Warfare: A Global Escalation Nation-states like China, Russia, Iran, and North Korea have intensified cyber operations targeting critical infrastructure and private sectors. These actors employ advanced techniques for espionage and sabotage, posing significant risks to national and economic security. Penetration Testing Implications Advanced Persis...
Read more

Cyber Labyrinth: A Pen Tester’s Hunt Through 2025’s Latest Threats

  Cyber Labyrinth: A Pen Tester’s Hunt Through 2025’s Latest Threats Hey, cyber pathfinders! I’m just a tech wanderer, coding by day and moonlighting as a part-time penetration tester, blogging about my quests through the tangled maze of cybersecurity. My tools? A trusty laptop, Kali Linux, and a stubborn streak to outwit hackers before they strike. In May 2025, the digital world is a labyrinth—AI-driven cyberattacks, state-sponsored cyber warfare, ransomware ambushing retailers, and supply chain vulnerabilities lurking around every corner. As a solo ethical hacker, I’m hooked on navigating this maze, and today, I’m sharing a 2,000-word odyssey through the latest cybersecurity events twisting through the scene. Expect raw tales, practical pen testing tips, and my unfiltered take on the journey. Let’s venture into the labyrinth! The 2025 Cyber Labyrinth: A Hacker’s Maze The cybersecurity landscape in 2025 is a maze of traps and dead ends. Reuters reported on May 27, 2025, that Chine...
Read more