Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows

Security Reporter

A large-scale automated attack called Megalodon compromised over 5,500 GitHub repositories by injecting malicious CI/CD workflows designed to harvest sensitive credentials and secrets.

Cybersecurity researchers have disclosed details of a new automated campaign called Megalodon that has pushed 5,718 malicious commits to 5,561 GitHub repositories within a six-hour window. The attack represents a significant escalation in supply chain threats targeting development environments.

Attack Methodology

The attackers employed sophisticated techniques to compromise repositories while maintaining plausible deniability. "Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected GitHub Actions workflows containing base64-encoded bash payloads that exfiltrate CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets to a C2 server at 216.126.225[.]129:8443," SafeDep reported in their analysis.

The attackers used several tactics to make their malicious commits appear legitimate:

  • Rotating through four author names that mimicked routine CI maintenance
  • Creating throwaway GitHub accounts with random 8-character usernames (e.g., rkb8el9r, bhlru9nr, lo6wt4t6)
  • Forging author identities through git configuration
  • Pushing via compromised Personal Access Tokens (PATs) or deploy keys
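
A way to hunt for this commit pattern in a local clone, as an added example (not code from SafeDep or the article): it parses `git log --name-only` output and flags commits authored under one of the four reported names that touch `.github/workflows/`. The log format string is this example's own choice, and the sample hashes, e-mail addresses and file names are constructed.

```python
import subprocess

# Author names reported for the campaign (taken from the article).
FORGED_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
SEP = "\x1f"  # unit separator, so names containing "|" or spaces parse cleanly
# Format chosen for this example: one "@@" header per commit, then file names.
LOG_FORMAT = "--format=@@%H%x1f%an%x1f%ae%x1f%cn"

def read_git_log(repo="."):
    """Run git log in a local clone and return its text output."""
    cmd = ["git", "-C", repo, "log", "--name-only", LOG_FORMAT]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def suspicious_commits(log_text):
    """Return commits by a listed author name that touch workflow files."""
    hits, current = [], None
    for line in log_text.splitlines():
        if line.startswith("@@"):
            sha, author, email, committer = line[2:].split(SEP, 3)
            current = {"sha": sha, "author": author, "email": email,
                       "committer": committer, "workflows": []}
            if author.strip().lower() in FORGED_AUTHORS:
                hits.append(current)
        elif current and line.startswith(".github/workflows/"):
            current["workflows"].append(line.strip())
    # A listed name alone is weak evidence; require a workflow change as well.
    return [c for c in hits if c["workflows"]]

def _header(sha, name):
    """Build one constructed header line in LOG_FORMAT's layout."""
    return "@@" + SEP.join([sha, name, name.lower() + "@example.invalid", name])

# Constructed sample output (hashes, e-mails and paths are made up).
SAMPLE_LOG = "\n".join([
    _header("a1b2c3d", "ci-bot"), "", ".github/workflows/ci-check.yml",
    _header("d4e5f6a", "alice"), "", "src/app.py", ".github/workflows/test.yml",
    _header("0f9e8d7", "build-bot"), "", "README.md",
])

if __name__ == "__main__":
    for c in suspicious_commits(SAMPLE_LOG):
        print(c["sha"], c["author"], c["workflows"])
```

Because the author field is set by the committing client, a hit is a lead to review against the repository's push and audit records, not proof of compromise.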

Data Harvesting Scope

The malware was designed to extract a comprehensive range of sensitive information from compromised systems. The complete list of harvested data includes:

  • CI environment variables
  • /proc/*/environ contents
  • PID 1 environment variables
  • Amazon Web Services (AWS) credentials
  • Google Cloud access tokens
  • Instance role credentials from AWS IMDSv2, Google Cloud metadata, and Microsoft Azure IMDS endpoints
  • SSH private keys
  • Docker and Kubernetes configurations
  • Vault tokens
  • Terraform credentials
  • Shell history files
  • API keys, database connection strings, JWTs, PEM private keys
  • Cloud tokens matching more than 30 secret regular expression patterns
  • GitHub Actions OIDC token request URL and token
  • GITHUB_TOKEN, GitLab CI/CD tokens, and Bitbucket tokens
  • .env files, credentials.json, service-account.json, and other configuration files

Payload Variants

Researchers identified two distinct payload variants in the Megalodon campaign:

  1. SysDiag: A mass variant that adds a new workflow triggered on every push and pull request
  2. Optimize-Build: A targeted variant that activates only on workflow_dispatch (manual triggering)

"The tradeoff is reach: on: push would guarantee execution on every commit to master, hitting more targets without intervention," SafeDep explained. "Workflow_dispatch sacrifices that for operational security. With 5,700+ repos compromised, even a small fraction yielding a usable GITHUB_TOKEN gives the attacker enough targets for on-demand triggering."

One notable example is the @tiledesk/tiledesk-server package, where the targeted approach was used to compromise CI/CD runners without triggering when the npm package is installed.
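
A static check for the workflow traits described in this section and in the attack methodology, as an added example (not SafeDep's tooling or the attacker's code): it reports which of the three triggers a workflow declares, whether it pipes `base64` decode output into a shell, and whether any embedded base64 blob decodes to text containing markers tied to the article. The marker list, regexes and sample workflow are this example's assumptions; the sample payload is constructed and inert.

```python
import base64
import re

# C2 address from the article, kept defanged in source and refanged at runtime.
C2 = "216.126.225[.]129".replace("[.]", ".")
# Heuristic markers tied to the article's harvesting list (IMDS IP, OIDC env var).
INDICATORS = [C2, "/proc/", "169.254.169.254", "ACTIONS_ID_TOKEN_REQUEST_URL"]
EVENTS = {"push", "pull_request", "workflow_dispatch"}
ON_BLOCK = re.compile(r"^[\"']?on[\"']?:(.*?)(?=^\S|\Z)", re.M | re.S)
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|-D|--decode)\b[^\n|]*\|\s*(?:ba)?sh\b")
BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decoded_blobs(text):
    """Decode each long base64-looking run; skip runs that are not valid base64."""
    for blob in BLOB.findall(text):
        try:
            yield base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:
            continue

def scan_workflow(text):
    """Return trigger, decode-to-shell and indicator findings for one workflow."""
    on_block = ON_BLOCK.search(text)
    words = set(re.findall(r"[a-z_]+", on_block.group(1))) if on_block else set()
    decoded = "\n".join(decoded_blobs(text))
    return {
        "triggers": sorted(EVENTS & words),
        "decode_to_shell": bool(DECODE_TO_SHELL.search(text)),
        "indicators": [i for i in INDICATORS if i in text or i in decoded],
    }

# Constructed, inert sample: the encoded text holds marker strings only.
_ENCODED = base64.b64encode(
    f"# constructed sample\nSRC=/proc/1/environ\nDST={C2}:8443\n".encode()
).decode()
SAMPLE_WORKFLOW = f"""\
name: constructed-sample
on:
  push:
  pull_request:
jobs:
  diag:
    runs-on: ubuntu-latest
    steps:
      - run: echo {_ENCODED} | base64 -d | bash
"""

if __name__ == "__main__":
    print(scan_workflow(SAMPLE_WORKFLOW))
```

The trigger check reads only the top-level `on:` block, so a `git push` inside a `run:` step is not counted as a trigger.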

Connection to TeamPCP Attacks

The Megalodon attack appears to be part of a broader campaign by the TeamPCP threat group, which has been systematically targeting the software supply chain. "We've entered a new supply chain attack era, and TeamPCP compromising GitHub was only the beginning," said OX Security's Moshe Siman Tov Bustan. "What's coming next is an endless wave, a tsunami of cyber attacks on developers worldwide."

TeamPCP has weaponized the interlinked software supply chain to corrupt hundreds of open-source tools, creating a worm-like propagation pattern. "The group also appears to be financially motivated and has established partnerships with BreachForums and other extortion crews like LAPSUS$ and VECT," researchers noted. "What's more, the group seems to be geopolitically motivated as well, as evidenced by the deployment of wiper malware upon detecting machines located in Iran and Israel."

Industry Response

The widespread nature of these attacks has prompted significant responses from platform providers. "By burning every bypass-2FA token on the platform, npm cuts off the credentials the worm has already collected," explained application security firm Socket. "Maintainers issue new ones. The worm, still active in the wild, goes back to harvesting them. The reset buys breathing room. It does not close the underlying hole."

npm has taken several measures to address the vulnerabilities:

  • Invalidating granular access tokens with write access that bypass two-factor authentication (2FA)
  • Urging users to switch to Trusted Publishing to reduce reliance on vulnerable tokens

Additional Threat Vectors

While Megalodon represents a large-scale attack, researchers have identified other concerning threat vectors. A throwaway account named "polymarketdev" published nine malicious npm packages impersonating Polymarket trading CLI tools within a 30-second window to steal victims' Ethereum/Polygon private keys via a postinstall hook.

"The attacker built a functional trading CLI around a credential theft operation," SafeDep reported. "Social engineering carries the attack: the postinstall prompt looks like standard wallet onboarding, the masking mimics secure input, and the GitHub repo provides false credibility."

The malicious packages include:

  • polymarket-trading-cli
  • polymarket-terminal
  • polymarket-trade
  • polymarket-auto-trade
  • polymarket-copy-trading
  • polymarket-bot
  • polymarket-claude-code
  • polymarket-ai-agent
  • polymarket-trader

Practical Defense Strategies

For organizations and developers seeking to protect against these attacks, several strategies have proven effective:

  1. Implement strict CI/CD security policies
    • Restrict workflow permissions to only what's necessary
    • Use GitHub's "read and write" permissions sparingly
    • Enable branch protection rules to require reviews before merging
  2. Adopt secrets management best practices
    • Use encrypted secrets management systems rather than environment variables
    • Implement automatic secret rotation
    • Regularly audit repository permissions and access tokens
  3. Enhance package verification
    • Use package signing when available
    • Monitor dependency changes and unusual activity
    • Implement SBOM (Software Bill of Materials) tracking
  4. Leverage security tooling
    • Implement runtime protection for CI/CD pipelines
    • Use dependency scanning tools to detect compromised packages
    • Deploy code analysis tools that detect suspicious workflow patterns

Broader Implications

The Megalodon attack and related campaigns signal a fundamental shift in the threat landscape. As development becomes increasingly distributed and automated, attackers have found new vectors that can compromise entire ecosystems with a single successful breach.

"The interconnectivity of modern software development creates both opportunity and risk," security experts note. "While these attacks demonstrate significant sophistication, they also highlight the need for fundamentally new approaches to securing the software supply chain."

The ongoing nature of these attacks suggests that this is not a temporary threat but a persistent challenge that will require continuous innovation in security practices, tooling, and developer education.
