Megalodon Supply Chain Attack Infects 5,500+ GitHub Repositories

Overview of the Megalodon Campaign

A sophisticated and large-scale Supply Chain Attack dubbed “Megalodon” has successfully compromised over 5,500 GitHub repositories. According to SecurityWeek, researchers discovered that attackers used automated accounts to inject malicious code into GitHub Actions workflows. The primary objective of this campaign is the exfiltration of sensitive information, including environment variables, repository secrets, and continuous integration (CI) tokens.

By targeting the automation layer of the software development lifecycle, the Megalodon actors have demonstrated the growing risk posed by automated TTP patterns that bypass traditional manual code review processes. The scale of the infection suggests a highly automated infrastructure capable of identifying and modifying repositories at high velocity.

Technical Analysis of Workflow Injection

The attack relies on a specific TTP involving the modification of .github/workflows/ YAML files. Attackers leverage automated scripts—often masquerading as legitimate maintenance bots or contributors—to commit changes that add a hidden step to existing workflows. This injected step typically contains a base64-encoded command or a curl request designed to harvest the environment variables and secrets available to the runner.

Once a workflow is triggered by a standard event, such as a push or a pull request, the malicious step executes alongside legitimate build tasks. The captured secrets are then transmitted to a C2 server controlled by the attackers. Because these automated commits often appear benign or are integrated into large repositories with high commit volumes, they frequently evade detection by the SOC until a manual audit is conducted.

How to Detect Megalodon Supply Chain Attack Activity

Identifying this campaign requires a focused audit of repository history and workflow integrity. Security teams should look for specific IoC markers, such as commits from unfamiliar bot accounts or sudden changes to workflow files that occur without corresponding pull request discussions.

To effectively implement how to detect Megalodon supply chain attack indicators, defenders should use the GitHub CLI or API to scan for unauthorized changes in the .github/workflows directory. Particular attention should be paid to workflows that include outgoing network requests to unknown IP addresses or domains. Monitoring for anomalies in GitHub Actions usage—such as an unexpected spike in execution time or a high volume of failed builds—can also signal that a malicious injection is interfering with the standard CI/CD pipeline.

Securing CI/CD Pipelines Against Malicious Commits

A critical component of securing CI/CD pipelines against malicious commits is the enforcement of strict branch protection rules. Organizations should require signed commits and mandatory code reviews for any change affecting the .github directory. Furthermore, limiting the permissions of the GITHUB_TOKEN within workflows can reduce the potential impact. By setting the token to read-only by default, developers can ensure that even if a workflow is compromised, the attacker cannot easily push new code back into the repository or modify environment settings.

Mitigation and Long-term Defense

Adopting GitHub Actions workflow security best practices is the most effective way to prevent future infections. This includes the use of OpenID Connect (OIDC) for authentication with cloud providers, which eliminates the need for long-lived secrets to be stored directly in GitHub.

Immediate mitigation steps for affected organizations include:

• Audit Commit History: Search for unauthorized commits targeting YAML files in the workflow directory.
• Rotate Secrets: Any secret or API key accessible by a compromised workflow must be considered compromised and rotated immediately.
• Workflow Pinning: Use full SHA-256 hashes instead of tags for third-party actions to prevent actors from updating an action with malicious code.
• Network Restrictions: If using self-hosted runners, implement strict egress filtering to prevent the exfiltration of data to unauthorized C2 destinations.