Megalodon Campaign: 5,561 GitHub Repos Hit by Malicious Workflows

Overview of the Megalodon GitHub Campaign

Security researchers have identified a massive, automated Supply Chain Attack dubbed “Megalodon” that targeted the GitHub ecosystem. According to The Hacker News, the campaign successfully pushed 5,718 malicious commits to 5,561 unique repositories within a condensed six-hour window. The scale and speed of the operation suggest a highly coordinated automation framework designed to exploit the trust inherent in open-source collaboration and automated CI/CD pipelines.

The primary objective of the Megalodon actors is the exfiltration of sensitive information, specifically environment variables and secrets stored within GitHub Actions. By targeting a wide net of repositories, the attackers aim to harvest credentials, API keys, and C2 access tokens that could facilitate further Lateral Movement into corporate or cloud environments.

Technical Analysis of Automated CI/CD Injection

The Megalodon campaign utilizes a sophisticated TTP involving the forgery of bot identities. The attackers created numerous throwaway accounts and configured them to mimic legitimate automation services. By using author names such as build-bot, auto-ci, ci-bot, and pipeline-bot, the actors successfully bypassed the initial manual scrutiny that a SOC analyst or repository maintainer might apply to incoming commits.

Once the forged identity is established, the attacker pushes a commit containing a modified GitHub Actions YAML file. This file includes a base64-encoded bash payload. When the workflow is triggered—often automatically by the push event itself—the payload decodes and executes, effectively performing an RCE within the context of the CI runner. This specific GitHub Actions workflow exfiltration attack focuses on capturing the output of the env command and piping it to an attacker-controlled endpoint.

How to Detect Malicious GitHub CI/CD Commits

For organizations managing multiple repositories, understanding how to detect malicious GitHub CI/CD commits is a priority. The Megalodon campaign’s IoC footprint is characterized by commits that modify files in the .github/workflows/ directory without corresponding changes to the codebase. Furthermore, these commits often originate from accounts with no prior history of contribution to the project. Monitoring SIEM logs for outbound connections from CI runners to unknown or non-standard IP addresses can also reveal active exfiltration attempts.

Impact on Software Supply Chain Integrity

The implications of the Megalodon campaign extend beyond simple credential theft. By successfully injecting code into thousands of repositories, the attackers demonstrate a capability to manipulate the software building process at scale. If these malicious commits are merged into primary branches, the resulting software artifacts could carry malicious payloads to downstream users, magnifying the impact of the initial compromise.

This campaign highlights a significant weakness in many automated workflows: the over-provisioning of permissions. Many GitHub Actions are granted broad access to repository secrets by default. When an attacker-controlled workflow runs, it inherits these permissions, allowing the Megalodon automated supply chain campaign to harvest high-value data with minimal resistance.

Mitigation and Actionable Recommendations

To defend against similar automated injection attacks, organizations must move away from implicit trust models in their CI/CD environments. Implementing Zero Trust principles within the development lifecycle is essential for long-term resilience.

• Enforce Branch Protection: Require signed commits and mandatory pull request reviews by at least two authorized maintainers before any code is merged into protected branches.
• Restrict Workflow Permissions: Follow the principle of least privilege by configuring GitHub Actions with contents: read permissions by default. Use OpenID Connect (OIDC) for cloud authentication to avoid storing long-lived secrets in repository variables.
• Audit Third-Party Actions: Regularly scan and audit all third-party actions used in workflows. Pinning actions to a specific commit SHA, rather than a tag or branch, prevents attackers from hijacking a dependency and pushing a malicious update.
• Monitor CI Runner Activity: Deploy EDR or similar monitoring agents on self-hosted runners to detect anomalous process execution or network traffic originating from the build environment.