Securing the software supply chain requires continuous visibility, particularly as automated systems like CI/CD pipelines become central to development workflows. A recent security event reported by Dark Reading shows the importance of proactive credential management and workflow auditing across development platforms.
Thousands of GitHub repositories were recently modified to include unauthorized credential-harvesting code. In a May 21 report, security firm SafeDep identified this automated campaign, designated "Megalodon," which unfolded on May 18 during a six-hour window. During this brief period, the campaign pushed 5,718 unauthorized commits to 5,561 GitHub repositories.
An unauthorized party used dummy accounts and forged author identities to introduce GitHub Actions workflows designed to exfiltrate CI/CD secrets, cloud credentials, SSH keys, OpenID Connect tokens, and source code secrets to a command-and-control (C2) server.
The Megalodon campaign operates through two primary components. The first introduces a YAML file named "SysDiag" that creates a new workflow triggered by push or pull requests. A secondary, more targeted component replaces existing workflows with a "workflow-dispatch" trigger. SafeDep notes this functions as a dormant mechanism that generates no visible continuous integration (CI) runs, failed builds, or alerts in the Actions tab until manually activated via the GitHub API.
SafeDep’s Malysis engine first detected the activity in a bundled GitHub Actions workflow file for the npm package @tiledesk/[email protected], part of the open-source Tiledesk chatbot platform. Nine Tiledesk repositories were affected, inadvertently introducing the code to downstream users.
Security engineer Abhisek Datta including SafeDep indicated that the brief six-hour execution window likely points to the use of valid credentials and access the repositories, rather than a time-limited behavioral constraint. These credentials may have been gathered during previous supply chain incidents targeting developers, and the unauthorized party likely exhausted their list of credentials during this timeframe.
Further analysis by OX Security confirmed that approximately 3,500 GitHub repositories initially contained the associated YAML file. Security researcher Moshe Siman Tov Bustan noted that while the number of affected repositories decreased to around 2,900 the following week, nearly 83% remained exposed long after the initial event window closed.
The Megalodon activity aligns with a recent series of supply chain security events, occurring one day before a group known as TeamPCP claimed responsibility for a significant security incident involving unauthorized access to approximately 4,000 internal GitHub repositories.
Both Siman Tov Bustan and Datta observe technical similarities between Megalodon and TeamPCP’s previously analyzed Shai-Hulud worm, specifically the use of a hardcoded date of Sept. 17 and forged bot identities ([email protected] or [email protected]). However, researchers categorize these as surface-level similarities. There are currently no direct technical indicators, shared encryption keys, or specific claims of responsibility confirming collaboration. While TeamPCP formed an alliance with the extortion group Vect earlier this year, the exact parties behind Megalodon remain unconfirmed.
To safeguard systems against this campaign, we recommend organizations take the following immediate protective measures outlined by OX Security:
Block network connections to the identified C2 server (
216.126.225.129).Audit GitHub repositories for unauthorized GitHub Actions, unexpected YAML files (such as "SysDiag"), and unfamiliar workflow dispatch triggers.
Revoke and rotate all credentials, SSH keys, API keys, and other secrets if suspicious activity is identified.