Cybersecurity researchers have disclosed details of a new automated campaign called Megalodon that has pushed 5,718 malicious commits to 5,561 GitHub repositories within a six-hour window.

“Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected GitHub Actions workflows containing base64-encoded bash payloads that exfiltrate CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets to a C2 server at 216.126.225[.]129:8443,” SafeDep said in a report.

The complete list of data harvested by the malware is as follows:

  • CI environment variables, /proc/*/environ, and PID 1 environment
  • Amazon Web Services (AWS) credentials
  • Google Cloud access tokens
  • Instance role credentials obtained by querying AWS IMDSv2, Google Cloud metadata, and Microsoft Azure Instance Metadata Service (IMDS) endpoints
  • SSH private keys
  • Docker and Kubernetes configurations
  • Vault tokens
  • Terraform credentials
  • Shell history
  • API keys, database connection strings, JWTs, PEM private keys, and cloud tokens matching more than 30 secret regular expression patterns
  • GitHub Actions OIDC token request URL and token
  • GITHUB_TOKEN, GitLab CI/CD tokens, and Bitbucket tokens
  • .env files, credentials.json, service-account.json, and other configuration files

One of the impacted packages is @tiledesk/tiledesk-server, which bundles a Base64-encoded bash payload within a GitHub Actions workflow file. In all, 5,718 commits were pushed against 5,561 distinct repositories on May 18, 2026, between 11:36 a.m. and 5:48 p.m. UTC.

“The attacker rotated through four author names (build-bot, auto-ci, ci-bot, pipeline-bot) and seven commit messages, all mimicking routine CI maintenance,” SafeDep said. “The attacker used throwaway GitHub accounts with random 8-character usernames (e.g., rkb8el9r, bhlru9nr, lo6wt4t6), set git config to forge the author identity, and pushed via compromised PATs or deploy keys.”

Two payload variants have been observed as part of the large-scale campaign: SysDiag, a mass variant that adds a new workflow triggered on every push and pull request, and Optimize-Build, a targeted variant that activates only on workflow_dispatch, the GitHub Actions trigger that lets a user run a workflow manually on demand. In the case of Tiledesk, the targeted variant executes on the repository's CI/CD runners when the workflow is dispatched, not when the npm package is installed.

“The tradeoff is reach: on: push would guarantee execution on every commit to master, hitting more targets without intervention,” SafeDep added. “Workflow_dispatch sacrifices that for operational security. With 5,700+ repos compromised, even a small fraction yielding a usable GITHUB_TOKEN gives the attacker enough targets for on-demand triggering.”

The result is that once a repository owner merges the commit, the malware executes inside their CI/CD pipelines and spreads further, enabling the theft of credentials and secrets at scale.
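The pattern described above (a workflow file that decodes a base64 blob into a shell, pushed under a generic CI-bot identity and wired to a push/pull_request or workflow_dispatch trigger) is something a repository owner can screen for before merging. The following Python script is an added example, not code from SafeDep or from the report; it scans a workflow file's text for those three signals and reports the trigger names so a reviewer can see whether the job would run unattended. The two sample workflows, the harmless base64 payload and the 40-hex action pin are constructed for the demo; the author names are the four the report lists.

```python
"""Screen GitHub Actions workflow text for the Megalodon commit pattern:
a run: step that base64-decodes a blob into a shell, a long embedded blob,
and a forged CI-bot author identity. Pure regex, no network, no PyYAML."""
import base64
import re
from dataclasses import dataclass, field

# Author names the report says the attacker rotated through.
FORGED_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}

# `base64 -d` / `base64 --decode` whose output is piped into a shell interpreter.
DECODE_TO_SHELL = re.compile(
    r"base64\s+(?:-d|--decode)\b[^\n|]*\|\s*(?:sudo\s+)?(?:bash|sh|zsh)\b"
)
# A run of >= 40 base64 characters; action pins (40/64 hex chars) are filtered
# out below so that `uses: owner/repo@<sha>` does not trip the check.
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


@dataclass
class Finding:
    path: str
    triggers: list
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def extract_triggers(text: str) -> list:
    """Return trigger names under `on:`, for both the inline list form
    (`on: [push, pull_request]`) and the nested mapping form."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:
            return re.findall(r"[a-z_]+", inline)
        triggers = []
        for nxt in lines[i + 1:]:
            if nxt and not nxt.startswith(" "):
                break  # reached the next top-level key (e.g. jobs:)
            km = re.match(r"^\s{2}([a-z_]+):", nxt)
            if km:
                triggers.append(km.group(1))
        return triggers
    return []


def embedded_blobs(text: str) -> list:
    """Long base64-looking strings that are not plain hex (commit SHAs)."""
    return [b for b in LONG_B64.findall(text) if not re.fullmatch(r"[0-9a-fA-F]+", b)]


def scan_workflow(path: str, text: str, author: str = None) -> Finding:
    f = Finding(path=path, triggers=extract_triggers(text))
    if DECODE_TO_SHELL.search(text):
        f.reasons.append("base64-decoded payload piped into a shell")
    if embedded_blobs(text):
        f.reasons.append("long base64 blob embedded in workflow")
    if author in FORGED_AUTHORS:
        f.reasons.append(f"commit author '{author}' matches a forged CI identity")
    return f


# Constructed sample: the blob decodes to a harmless echo, not the real payload.
_DEMO_BLOB = base64.b64encode(b"echo constructed harmless demo payload").decode()
MALICIOUS = f"""name: SysDiag
on: [push, pull_request]
jobs:
  diag:
    runs-on: ubuntu-latest
    steps:
      - run: echo "{_DEMO_BLOB}" | base64 -d | bash
"""

# Constructed benign workflow; the 40-hex action pin is made up for the demo.
BENIGN = """name: CI
on:
  push:
    branches: [main]
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - run: npm test
"""

if __name__ == "__main__":
    for path, text, author in [(".github/workflows/sysdiag.yml", MALICIOUS, "build-bot"),
                               (".github/workflows/ci.yml", BENIGN, "alice")]:
        f = scan_workflow(path, text, author)
        print(f"{path}: triggers={f.triggers} suspicious={f.suspicious} {f.reasons}")
```

workflow_dispatch on its own is not a signal, since it is a normal trigger; the point of reporting the trigger list alongside the reasons is to tell a reviewer whether a flagged payload would fire on every push or only when someone dispatches it, which matches the tradeoff SafeDep describes between the two variants.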

“We’ve…



Last Update: May 22, 2026