
Megalodon is an automated campaign that pushed 5,718 malicious commits to 5,561 GitHub repositories in a six-hour period. It used throwaway accounts and forged author identities such as build-bot, auto-ci, ci-bot, and pipeline-bot. The attacker injected GitHub Actions workflows containing base64-encoded bash payloads that exfiltrated CI secrets and environment data. Harvested information included CI environment variables, process environment values, AWS credentials, Google Cloud access tokens, and instance role credentials obtained via metadata services. The malware also collected SSH private keys, Docker and Kubernetes configurations, Vault tokens, Terraform credentials, shell history, and many types of API keys and tokens. It targeted GitHub Actions OIDC tokens, GITHUB_TOKEN, GitLab and Bitbucket CI/CD tokens, and configuration files like .env, credentials.json, and service-account.json. An impacted package included a Base64-encoded bash payload in a GitHub Actions workflow, with commits occurring on May 18, 2026.
"- CI environment variables, /proc/*/environ, and PID 1 environment
- Amazon Web Services (AWS) credentials
- Google Cloud access tokens
- Instance role credentials obtained by querying AWS IMDSv2, Google Cloud metadata, and Microsoft Azure Instance Metadata Service (IMDS) endpoints
- SSH private keys
- Docker and Kubernetes configurations
- Vault tokens
- Terraform credentials
- Shell history
- API keys, database connection strings, JWTs, PEM private keys, and cloud tokens matching more than 30 secret regular expression patterns
- GitHub Actions OIDC token request URL and token
- GITHUB_TOKEN, GitLab CI/CD tokens, and Bitbucket tokens
- .env files, credentials.json, service-account.json, and other configuration files"
"The attacker rotated through four author names (build-bot, auto-ci, ci-bot, pipeline-bot) and seven commit messages, all mimicking routine CI maintenance. The attacker used throwaway GitHub accounts with random 8-character usernames (e.g., rkb8el9r, bhlru9nr, lo6wt4t6), set git config to forge the author identity, and pushed via compromised PATs or deploy keys."
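As an added example (not code from the write-up or from The Hacker News), here is a small Python triage script a defender could run over a repository checkout and its recent commit history. It flags workflow `run:` steps that pipe a base64 blob into a shell and decodes the blob for inspection without executing it, and it flags commits whose author matches the forged identities above, whose pusher login matches the random 8-character username pattern, or which touch `.github/workflows/`. The author names and username pattern come from the page; the sample workflow, commit entries, and placeholder payload are constructed for the example.

```python
import base64
import binascii
import re

# Forged author identities named in the Megalodon write-up.
FORGED_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}

# Throwaway accounts used random 8-character usernames (e.g. rkb8el9r).
RANDOM_USERNAME = re.compile(r"^[a-z0-9]{8}$")

# A run line that decodes base64 and pipes the result into a shell.
B64_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\b[^\n]*\|\s*(?:bash|sh)\b")
# A base64 blob long enough to carry a script rather than a short token.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def find_encoded_shell_steps(workflow_text):
    """Return the decoded text of every base64 blob piped into a shell.

    The blob is only decoded for analyst review; nothing is executed.
    """
    payloads = []
    for line in workflow_text.splitlines():
        if not B64_TO_SHELL.search(line):
            continue
        for blob in B64_BLOB.findall(line):
            try:
                raw = base64.b64decode(blob, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64, skip
            payloads.append(raw.decode("utf-8", errors="replace"))
    return payloads


def triage_commits(commits):
    """Map commit sha -> list of reasons for commits matching the indicators."""
    flagged = {}
    for c in commits:
        reasons = []
        if c["author"] in FORGED_AUTHORS:
            reasons.append("forged CI author identity")
        if RANDOM_USERNAME.match(c["pusher"]):
            reasons.append("pusher login looks like a throwaway account")
        if any(path.startswith(".github/workflows/") for path in c["files"]):
            reasons.append("modifies GitHub Actions workflow")
        if reasons:
            flagged[c["sha"]] = reasons
    return flagged


# Constructed placeholder payload; a real sample would be the attacker's script.
PLACEHOLDER_SCRIPT = 'echo "constructed placeholder: nothing is collected here"'
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_SCRIPT.encode()).decode()

# Constructed sample workflow: one legitimate step, one injected step.
SAMPLE_WORKFLOW = f"""\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Lint
        run: make lint
      - name: Cache warmup
        run: echo {PLACEHOLDER_B64} | base64 -d | bash
"""

# Constructed sample commit log (shas, logins and messages are made up).
SAMPLE_COMMITS = [
    {"sha": "a1b2", "author": "alice", "pusher": "alice-dev",
     "message": "fix typo in README", "files": ["README.md"]},
    {"sha": "b2c3", "author": "ci-bot", "pusher": "rkb8el9r",
     "message": "chore: update CI", "files": [".github/workflows/ci.yml"]},
]

if __name__ == "__main__":
    for payload in find_encoded_shell_steps(SAMPLE_WORKFLOW):
        print("decoded workflow payload for review:", payload)
    for sha, reasons in triage_commits(SAMPLE_COMMITS).items():
        print(sha, "->", "; ".join(reasons))
```

Run it over real files by reading each `.github/workflows/*.yml` into `find_encoded_shell_steps` and feeding `git log --format`/`--name-only` output, parsed into the same dict shape, to `triage_commits`; a workflow step that decodes base64 into a shell is rarely legitimate and should be reviewed before the next push triggers it.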
#github-actions #cicd-credential-theft #cloud-metadata-services #malware-exfiltration #supply-chain-attacks
Read at The Hacker News