
Security researchers have uncovered a large-scale supply chain attack dubbed “Megalodon” that injected malicious GitHub Actions workflows into more than 5,500 repositories.
The campaign was discovered by researchers at SafeDep, who identified 5,718 malicious commits pushed across 5,561 repositories within a roughly six-hour window on May 18, in an apparent attempt to steal secrets, credentials, and CI/CD tokens from developers and organizations.
According to the researchers, the attackers used forged bot identities and commit messages designed to resemble routine CI maintenance updates, making the malicious changes difficult to spot during normal development activity.
The malicious commits modified GitHub Actions workflow files to run hidden scripts designed to steal sensitive data from CI environments. According to researchers, the attackers targeted cloud credentials, API tokens, SSH keys, and other secrets used during automated build and deployment processes.
The campaign appears highly automated. Researchers observed the attackers rotating between multiple fake bot identities, throwaway GitHub accounts, and several different commit message templates intended to blend into standard CI/CD activity.
Researchers identified at least two malware variants used in the operation. One continuously exfiltrated secrets whenever workflows executed, while another remained dormant until manually triggered through GitHub’s API, potentially allowing attackers to activate the payloads at a later time.
By May 21, researchers monitoring the attackers’ infrastructure said the command-and-control server had already received hundreds of thousands of uploaded files and hundreds of gigabytes of stolen data.
The attack has raised concerns within the developer community because the malicious commits closely resembled legitimate automated workflow updates. Several security professionals noted that many repositories do not enforce signed commits or strict branch protection policies, allowing fake CI bot activity to blend into normal development operations.
SafeDep published a CSV containing the full list of impacted repositories and malicious commits to help organizations determine whether they were affected.
Security experts recommend that GitHub users immediately review recent workflow-related commits, rotate exposed secrets, enable branch protection rules, require signed commits, and audit CI/CD pipelines for unauthorized modifications.
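The audit step in those recommendations can be scripted against a local clone. The Python helper below is an added example, not code from SafeDep or from the article; it parses `git log` output for commits that changed files under `.github/workflows/` and flags any that is not both signed with a good, trusted signature and authored by an allow-listed identity, calling out author names that imitate a CI bot. It assumes git can verify signatures in the clone (the maintainers' public keys are imported), and every commit hash, author identity and allow-list entry it contains is a constructed placeholder.

```python
"""Triage GitHub Actions workflow commits in a local clone.

Added example (not code from SafeDep or the article). Flags commits that
touched .github/workflows/ and are not both (a) signed with a good,
trusted signature and (b) authored by an allow-listed identity.
"""
import subprocess
from dataclasses import dataclass, field

MARKER = "@@COMMIT@@"
SEP = "\x1f"
# %G? is git's signature verdict: G good, B bad, U good but untrusted key,
# X/Y expired, R revoked, E cannot be checked, N no signature.
GIT_FORMAT = f"{MARKER}%x1f%H%x1f%G?%x1f%an%x1f%ae%x1f%s"
WORKFLOW_DIR = ".github/workflows/"


@dataclass
class Commit:
    sha: str
    sig: str
    author_name: str
    author_email: str
    subject: str
    files: list = field(default_factory=list)

    def touches_workflows(self):
        return any(f.startswith(WORKFLOW_DIR) for f in self.files)


def parse_git_log(text):
    """Parse `git log --format=GIT_FORMAT --name-only` output.

    A line starting with MARKER opens a new commit; every other non-blank
    line is a path changed by the current commit, whatever git's blank-line
    placement happens to be.
    """
    commits = []
    for line in text.splitlines():
        if line.startswith(MARKER):
            _, sha, sig, name, email, subject = line.split(SEP, 5)
            commits.append(Commit(sha, sig, name, email, subject))
        elif line.strip() and commits:
            commits[-1].files.append(line.strip())
    return commits


def triage(commits, trusted_emails):
    """Return (commit, reasons) for each workflow-touching commit that fails
    the signed-and-trusted check."""
    findings = []
    for c in commits:
        if not c.touches_workflows():
            continue
        reasons = []
        if c.sig != "G":
            reasons.append(f"signature status {c.sig!r} is not a good trusted signature")
        if c.author_email.lower() not in trusted_emails:
            reasons.append(f"author {c.author_email} is not allow-listed")
        # A bot-style name on an otherwise suspicious commit is worth noting.
        if reasons and c.author_name.lower().endswith("[bot]"):
            reasons.append("author name imitates a CI bot identity")
        if reasons:
            findings.append((c, reasons))
    return findings


def git_log_workflows(repo_path, since="30 days ago"):
    """Run git in a real clone (not used by the inline sample below)."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", f"--since={since}",
         f"--format={GIT_FORMAT}", "--name-only", "--", WORKFLOW_DIR],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_git_log(out)


# Constructed sample `git log` output; hashes and identities are placeholders.
SAMPLE_LOG = "\n".join([
    f"{MARKER}{SEP}aaaa1111{SEP}G{SEP}Maintainer{SEP}maintainer@example.com{SEP}ci: bump actions/checkout to v4",
    "",
    ".github/workflows/ci.yml",
    "",
    f"{MARKER}{SEP}bbbb2222{SEP}N{SEP}ci-bot[bot]{SEP}ci-bot@example.com{SEP}chore(ci): update workflow dependencies",
    "",
    ".github/workflows/release.yml",
    "",
    f"{MARKER}{SEP}cccc3333{SEP}U{SEP}Drive-by Contributor{SEP}someone@example.org{SEP}fix: typo in workflow",
    "",
    ".github/workflows/ci.yml",
    "README.md",
    "",
    f"{MARKER}{SEP}dddd4444{SEP}N{SEP}Maintainer{SEP}maintainer@example.com{SEP}docs: update README",
    "",
    "README.md",
])

TRUSTED = {"maintainer@example.com"}  # constructed allow-list


def sample_findings():
    return triage(parse_git_log(SAMPLE_LOG), TRUSTED)


if __name__ == "__main__":
    for commit, reasons in sample_findings():
        print(f"{commit.sha} {commit.author_name!r} {commit.subject!r}")
        for r in reasons:
            print(f"    - {r}")
```

On the constructed sample, the signed maintainer commit passes, the unsigned "ci-bot[bot]" commit and the commit signed with an untrusted key are both flagged, and the README-only commit is ignored. Treating only `G` as a pass is deliberate: a forged bot name carries no weight on its own, so the check rests on the signature and the allow-list, and any commit that fails it is a candidate for the secret rotation the experts recommend.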





