The Hacker News · Saturday, May 23, 2026

Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows

github · supply-chain · ci-cd · security

Cybersecurity researchers have disclosed details of a new automated campaign called Megalodon that has pushed 5,718 malicious commits to 5,561 GitHub repositories within a six-hour window. Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected GitHub Actions workflows containing base64-encoded bash payloads that exfiltrate CI/CD secrets and environment variables. The attack targeted repositories across various languages and frameworks, exploiting the trust in automated CI/CD processes. The malicious commits were designed to blend in with legitimate automated commits, making detection difficult. The campaign highlights the growing threat of supply chain attacks via CI/CD pipelines, as attackers leverage the automation and permissions granted to CI/CD systems to compromise multiple repositories rapidly.

// why it matters

Developers must audit CI/CD workflows and restrict permissions to prevent automated supply chain attacks.
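To make the audit advice above concrete, here is an added example (not code from The Hacker News or from the researchers who reported the campaign) that scans GitHub Actions workflow files for the two indicators the write-up describes: a run step that decodes a base64 literal and pipes it into a shell, and a step that exposes the whole secrets context. It also flags commits whose author matches one of the throwaway identities named in the report. The regexes, the finding labels and the two sample workflows are constructed heuristics for illustration; the base64 blob in the malicious sample is filler, not a real payload.

```python
"""Audit GitHub Actions workflows for the Megalodon-style indicators:
base64-decode-into-shell run steps, bulk secrets exposure, and forged
bot author names. Heuristic, constructed example; tune for your repos."""
import re
from dataclasses import dataclass
from pathlib import Path

# A base64 run long enough to carry a script rather than a short token (assumed threshold).
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
# "base64 -d" or "base64 --decode" whose output is piped into sh/bash/zsh.
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\b[^|\n]*\|\s*(?:ba|z)?sh\b")
# The whole secrets context serialised into a step (commonly seen as an env value).
SECRETS_DUMP = re.compile(r"toJSON\(\s*secrets\s*\)")
# Forged author identities listed in the report.
BOT_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}


@dataclass
class Finding:
    path: str
    line: int
    reason: str


def scan_workflow_text(text: str, path: str = "<inline>") -> list[Finding]:
    """Return one Finding per (line, indicator) hit in a workflow's raw text."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if DECODE_TO_SHELL.search(line):
            findings.append(Finding(path, lineno, "base64 decode piped into a shell"))
        if B64_BLOB.search(line):
            findings.append(Finding(path, lineno, "long base64 literal in workflow"))
        if SECRETS_DUMP.search(line):
            findings.append(Finding(path, lineno, "whole secrets context exposed"))
    return findings


def scan_workflow_dir(repo_root: str) -> list[Finding]:
    """Scan every workflow under .github/workflows of a checked-out repository."""
    results: list[Finding] = []
    for wf in Path(repo_root, ".github", "workflows").glob("*.y*ml"):
        results.extend(scan_workflow_text(wf.read_text(encoding="utf-8"), str(wf)))
    return results


def suspicious_author(name: str) -> bool:
    """True when a commit author matches one of the reported throwaway identities."""
    return name.strip().lower() in BOT_AUTHORS


# Constructed sample: a benign workflow with least-privilege token permissions.
SAMPLE_BENIGN = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# Constructed sample shaped like the reported injection; the blob is harmless filler.
FILLER_B64 = "QUJD" * 25  # decodes to "ABC" repeated, not a real payload
SAMPLE_MALICIOUS = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: echo "__BLOB__" | base64 -d | bash
        env:
          ALL_SECRETS: ${{ toJSON(secrets) }}
""".replace("__BLOB__", FILLER_B64)


if __name__ == "__main__":
    for f in scan_workflow_text(SAMPLE_MALICIOUS, "sample-malicious.yml"):
        print(f"{f.path}:{f.line}: {f.reason}")
    print("benign findings:", scan_workflow_text(SAMPLE_BENIGN, "sample-benign.yml"))
    print("author build-bot suspicious:", suspicious_author("build-bot"))
```

Run it against a checkout with `scan_workflow_dir(".")`, and feed `suspicious_author` the author field from `git log --format=%an` on recent commits; review any hit by reading the step rather than trusting the heuristic, since long base64 strings also appear legitimately (for example embedded certificates).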

Sources

Primary · The Hacker News
▸ Read original at thehackernews.com
