GitHub Attack Hits Thousands of Repos
TL;DR: An automated attack named Megalodon targeted 5,561 GitHub repositories in a six-hour period. Attackers used throwaway accounts to push malicious commits containing GitHub Actions workflows designed to steal secrets from CI/CD pipelines, such as API keys and other sensitive environment variables.
Key facts
- Category: Cybersecurity
- Impact: Low
- Published:
- Source: The Hacker News
Full summary
An automated attack pushed malicious code to over 5,500 GitHub repositories, aiming to steal secrets from their CI/CD pipelines.
A large-scale, automated attack campaign dubbed "Megalodon" has compromised thousands of public GitHub repositories. Within a brief six-hour window, the attackers successfully pushed over 5,700 malicious commits to more than 5,500 separate projects. The operation relied on a network of disposable GitHub accounts to carry out the attack at scale. To evade initial detection, the commits were made using forged author names that mimicked legitimate automation tools, such as "ci-bot" and "pipeline-bot." The core of the attack involved injecting malicious workflows into the repositories' GitHub Actions configuration. These workflows contained hidden scripts designed to execute during the automated build and deployment process.
The primary goal of the Megalodon campaign was to steal sensitive credentials from the CI/CD (Continuous Integration/Continuous Deployment) environment. The malicious scripts were engineered to find and exfiltrate secrets like API keys, access tokens, and other private environment variables that are commonly used in automated workflows. If successful, this type of attack provides a powerful entry point into an organization's infrastructure. Stolen credentials could grant attackers access to cloud services, private databases, and other critical systems, leading to data breaches or further system compromise. This incident underscores the growing risk of supply chain attacks targeting automated development pipelines.
⚡ Action needed
Teams should review recent commits to their GitHub repositories, especially those from unfamiliar or automated-looking accounts. Inspect GitHub Actions workflow files for any suspicious, encoded, or obfuscated scripts that could be exfiltrating secrets.
Action checklist
1. Audit recent commits for suspicious author names (e.g., ci-bot, build-bot).
2. Inspect `.github/workflows` files for unexpected changes or encoded scripts.
3. Review GitHub Actions logs for unusual activity or data exfiltration attempts.
4. Rotate any secrets or credentials exposed in your CI/CD environment if a compromise is suspected.
5. Implement branch protection rules to require reviews for all changes, including workflow files.
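The first three checklist items can be scripted. The Python below is an added example written for this summary, not code from The Hacker News or from any Megalodon analysis: it parses the output of `git log --name-only --pretty=format:'%H|%an|%ae|%s'`, flags commits whose author looks like a forged automation account or which touch `.github/workflows/`, and scans a workflow file for the indicators the article describes (encoded scripts, the whole secrets context handed to a shell step). The author-name list, the indicator patterns, and both sample inputs are assumptions constructed for the example; tune the patterns to the accounts and tooling your organisation actually uses.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `git log --name-only --pretty=format:'%H|%an|%ae|%s'`
# output. SHAs, names and addresses are invented for this example.
SAMPLE_GIT_LOG = """\
a1b2c3d|ci-bot|ci-bot@users.noreply.github.com|chore: update pipeline
.github/workflows/build.yml

f00ba12|Jane Doe|jane@example.com|fix: handle null config
src/config.py
tests/test_config.py

9c8d7e6|pipeline-bot|pipeline@example.org|ci: tweak
.github/workflows/release.yml
README.md
"""

# Constructed workflow showing the two indicator classes the article names:
# a base64-encoded script piped into a shell, and the entire secrets context
# exposed to a step. The encoded text decodes to a harmless `echo hello`.
SAMPLE_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: setup
        env:
          ALL: ${{ toJSON(secrets) }}
        run: echo "ZWNobyBoZWxsbw==" | base64 -d | bash
"""

# Assumed list of forged automation-style author names (extend for your org).
SUSPICIOUS_AUTHOR = re.compile(r"^(ci|build|pipeline|deploy|github)[-_]?bot$", re.IGNORECASE)
WORKFLOW_DIR = ".github/workflows/"

# Assumed detection patterns; each is checked per line of the workflow file.
WORKFLOW_INDICATORS = [
    ("base64 decode piped to a shell", re.compile(r"base64\s+(-d|--decode).*\|\s*(ba)?sh")),
    ("long base64-looking literal", re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")),
    ("entire secrets context exposed", re.compile(r"toJSON\(\s*secrets\s*\)")),
    ("secret referenced in a curl/wget command", re.compile(r"(curl|wget)[^\n]*secrets\.")),
]


@dataclass
class Commit:
    sha: str
    author: str
    email: str
    subject: str
    files: list = field(default_factory=list)


def parse_git_log(text):
    """Parse the pipe-delimited log format above into Commit objects."""
    commits, current = [], None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line separates commits
            continue
        if current is None:
            sha, author, email, subject = line.split("|", 3)
            current = Commit(sha, author, email, subject)
            commits.append(current)
        else:
            current.files.append(line.strip())
    return commits


def flag_commits(commits):
    """Checklist items 1 and 2: return (commit, reasons) for commits worth a manual look."""
    flagged = []
    for c in commits:
        reasons = []
        if SUSPICIOUS_AUTHOR.match(c.author):
            reasons.append(f"automation-looking author '{c.author}'")
        touched = [f for f in c.files if f.startswith(WORKFLOW_DIR)]
        if touched:
            reasons.append("modifies workflow file(s): " + ", ".join(touched))
        if reasons:
            flagged.append((c, reasons))
    return flagged


def scan_workflow(text):
    """Checklist item 2: return (line number, indicator label) for each suspicious line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in WORKFLOW_INDICATORS:
            if pattern.search(line):
                hits.append((lineno, label))
    return hits


if __name__ == "__main__":
    for commit, reasons in flag_commits(parse_git_log(SAMPLE_GIT_LOG)):
        print(f"{commit.sha} {commit.author!r}: " + "; ".join(reasons))
    for lineno, label in scan_workflow(SAMPLE_WORKFLOW):
        print(f"workflow line {lineno}: {label}")
```

Run it against real data with `git log --name-only --pretty=format:'%H|%an|%ae|%s' --since='7 days ago' > log.txt` and each file under `.github/workflows/`; a commit that both comes from an unfamiliar automation-style author and edits a workflow file is the combination this campaign relied on, so review that diff first and treat the secrets available to that workflow as candidates for rotation (item 4).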
Primary source: The Hacker News
