BBLabs NewsBBLabs News
NewsAll articlesTopics
ES
BBLabs NewsBBLabs News

BBLabs News

Una historia al día. Cero ruido.

Newsletter técnica de ciberseguridad. Una historia al día sobre CVEs críticos, brechas, bug bounty e IA. Filtrado por IA, escrito para humanos.

Producto

  • Hemeroteca
  • Ediciones
  • Temas
  • Glosario
  • RSS
  • Atom
  • JSON Feed

Editorial

  • Acerca de
  • Suscribirse
  • Cuenta
  • English

Legal

  • Privacidad
  • Términos
  • Contacto: team@bblabs.es

Conectar

  • YouTube · @0xGorka
  • Instagram · @bblabs.es
  • Discord BBLabs
  • Discord Bug Bounty ES
31 artículos·10 ediciones·Desde 2026·Hecho en España
© 2026 BBLabs News·Por Gorka El Bochi
BBLabs NewsBBLabs News
NewsAll articlesTopics
ES
Megalodon: 5,561 GitHub repos hit with malicious CI/CD workflows
Back to homeCiberataques

Megalodon: 5,561 GitHub repos hit with malicious CI/CD workflows

5,718 malicious commits pushed to 5,561 GitHub repos in six hours to steal CI/CD pipeline secrets.

  1. Home
  2. ›
  3. Ciberataques
  4. ›
  5. Megalodon: 5,561 GitHub repos hit with malicious CI/CD workflows
by Gorka El Bochi Morillo
·
2 min read
·May 26, 2026

What happened

Megalodon executed an automated supply chain attack (compromising developer tooling rather than the final product) against the GitHub ecosystem at an unprecedented scale. In six hours, 5,718 malicious commits landed across 5,561 repositories.

Attack vector: GitHub Actions (GitHub's built-in CI/CD — Continuous Integration/Continuous Deployment automation that builds, tests, and deploys code). Attackers injected malicious workflows into `.github/workflows/` carrying bash payloads *base64-encoded* (obfuscated to bypass detection rules hunting for obvious strings). The goal: *exfiltrate* CI environment secrets — `GITHUB_TOKEN`, cloud credentials, API keys, package registry tokens.

To sign commits, they used throwaway accounts with forged identities: `build-bot`, `auto-ci`, `ci-bot`, `pipeline-bot`. Names engineered to blend into repos with active legitimate automation.

Why it matters

GitHub Actions secrets are the most valuable targets in the development pipeline: write-scoped `GITHUB_TOKEN`, AWS/GCP/Azure credentials, SSH keys, npm/PyPI tokens. A compromised workflow *silently exfiltrates* them on every pipeline run — no visible alerts to the team.

The 5,561-repo, 6-hour window confirms full automation. Most likely a bot scanning for repos with existing CI workflows and pushing commits wherever permissions allow — repos with branch protection disabled or loose collaborator settings.

This pattern is not new, but Megalodon industrializes it. If your CI secrets reach an attacker, the blast radius extends far beyond the repo: cloud infrastructure access, ability to publish malicious packages under your identity, lateral movement to other systems.

What to do

  • Audit `.github/workflows/` across all your repos: look for unrecognized files or recent modifications you did not initiate
  • Filter commit history for suspicious authors: `build-bot`, `auto-ci`, `ci-bot`, `pipeline-bot`
  • Rotate all CI secrets immediately if you find unauthorized commits: `GITHUB_TOKEN`, cloud credentials, API keys, registry tokens
  • Enable branch protection with mandatory PR review to block unauthorized direct commits to main branches
  • Add `CODEOWNERS` pointing to `.github/workflows/` to require explicit approval on any workflow changes
  • Check your org's audit log: `Settings → Security → Audit log`, filtering for `workflow` events in the campaign's timeframe

This campaign confirms CI/CD pipelines are the new primary attack surface. Cloud credentials stored as GitHub secrets are worth more than a shell on prod — and they're reachable by anyone who can push to your repo.

What to do

  • Audit `.github/workflows/` for unrecognized files or recent unauthorized modifications
  • Rotate all CI secrets if you spot commits from `build-bot` or similar forged identities
  • Enable branch protection with mandatory PR review on all main branches

Share this story

Help more people discover BBLabs News.

Megalodon: 5,561 GitHub repos hit with malicious CI/CD workflows
VerticalDownload image
LinkedInXWhatsApp

Interested in Ciberataques?

Subscribe to this stream and get the most relevant news every day — no spam, no noise.

Subscribe

Related articles

Destacado
Ciberataques4 jun 2026·2 min

Megalodon malware hits 5,500+ GitHub repos in 6 hours

Megalodon malware pushed malicious commits to 5,500+ GitHub repos in six hours, stealing developer credentials and secrets.

  • Audit recent GitHub commits for unauthorized changes or unknown accounts
  • Rotate all tokens and API keys with write access immediately
  • Enable GitHub secret scanning with push protection across your org
Gorka El Bochi Morillo
Leer artículo
Ciberataques3 jun 2026·2 min

JINX-0164 hits crypto firms with fake recruiter macOS malware

JINX-0164 uses fake recruiter lures to deploy custom macOS malware against crypto firms and steal digital assets.

Leer artículo
Ciberataques1 jun 2026·2 min

Dutch police arrest admins of bulletproof hosting used by Russian hackers

Dutch authorities arrested two admins of a bulletproof hosting service — infrastructure that ignores legal takedown requests — used by Russia-aligned threat actors.

Leer artículo

Want to get news like this every day?

Browse all articles
BBLabs NewsBBLabs News

BBLabs News

Una historia al día. Cero ruido.

Newsletter técnica de ciberseguridad. Una historia al día sobre CVEs críticos, brechas, bug bounty e IA. Filtrado por IA, escrito para humanos.

Producto

  • Hemeroteca
  • Ediciones
  • Temas
  • Glosario
  • RSS
  • Atom
  • JSON Feed

Editorial

  • Acerca de
  • Suscribirse
  • Cuenta
  • English

Legal

  • Privacidad
  • Términos
  • Contacto: team@bblabs.es

Conectar

  • YouTube · @0xGorka
  • Instagram · @bblabs.es
  • Discord BBLabs
  • Discord Bug Bounty ES
31 artículos·10 ediciones·Desde 2026·Hecho en España
© 2026 BBLabs News·Por Gorka El Bochi