
5,718 malicious commits pushed to 5,561 GitHub repos in six hours to steal CI/CD pipeline secrets.
Megalodon executed an automated supply chain attack (compromising developer tooling rather than the final product) against the GitHub ecosystem at an unprecedented scale. In six hours, 5,718 malicious commits landed across 5,561 repositories.
Attack vector: GitHub Actions (GitHub's built-in CI/CD — Continuous Integration/Continuous Deployment automation that builds, tests, and deploys code). Attackers injected malicious workflows into `.github/workflows/` carrying bash payloads *base64-encoded* (obfuscated to bypass detection rules hunting for obvious strings). The goal: *exfiltrate* CI environment secrets — `GITHUB_TOKEN`, cloud credentials, API keys, package registry tokens.
To sign commits, they used throwaway accounts with forged identities: `build-bot`, `auto-ci`, `ci-bot`, `pipeline-bot`. Names engineered to blend into repos with active legitimate automation.
GitHub Actions secrets are the most valuable targets in the development pipeline: write-scoped `GITHUB_TOKEN`, AWS/GCP/Azure credentials, SSH keys, npm/PyPI tokens. A compromised workflow *silently exfiltrates* them on every pipeline run — no visible alerts to the team.
The 5,561-repo, 6-hour window confirms full automation. Most likely a bot scanning for repos with existing CI workflows and pushing commits wherever permissions allow — repos with branch protection disabled or loose collaborator settings.
This pattern is not new, but Megalodon industrializes it. If your CI secrets reach an attacker, the blast radius extends far beyond the repo: cloud infrastructure access, ability to publish malicious packages under your identity, lateral movement to other systems.
This campaign confirms CI/CD pipelines are the new primary attack surface. Cloud credentials stored as GitHub secrets are worth more than a shell on prod — and they're reachable by anyone who can push to your repo.
Help more people discover BBLabs News.
Want to get news like this every day?
Browse all articles