Over 5,500 GitHub Repositories Infected in 'Megalodon' Supply Chain Attack

Over 5,500 GitHub Repositories Infected in 'Megalodon' Supply Chain Attack

Briefly

"The campaign, dubbed Megalodon, relies on GitHub Actions workflows containing a payload designed to steal credentials, keys, tokens, and other secrets. The workflows, SafeDep says, were injected through over 5,700 malicious commits pushed to the impacted repositories within a six-hour window, on May 18. According to the cybersecurity firm, the attackers deployed two payloads as part of the attack. One was designed to add a new workflow that would be triggered on every push and pull request, and another that replaced existing workflows with specific triggers, creating dormant backdoors."

"On infected machines, the malware would exfiltrate all CI environment variables, AWS credentials, GCP access tokens, Azure credentials, SSH private keys, Docker and Kubernetes configurations, API keys, database connection strings, GitHub Actions tokens, GitLab CI/CD tokens, and dozens of other types of secrets. Megalodon, SafeDep explains, was discovered after malicious versions of the Tiledesk package, an open source live chat and chatbot platform, were identified. The infected packages were published between May 19 and May 21."

""The same NPM account, eljohnny ([email protected]), published both the clean 2.18.5 and the compromised versions. The attacker never touched the NPM account. They compromised the GitHub repository, and the maintainer published from the poisoned source without realizing it," SafeDep says. The malicious commit that led to the infection was pushed on May 18, authored by 'build-bot'. SafeDep's investigation into the associated email address uncovered a total of 2,878 commits made on the same day, along with an additional 2,841 commits made via a second email address."