Breaking News: The TeamPCP breach of GitHub was just the opening act. Now a new malware campaign called “Megalodon” is spreading through GitHub’s CI/CD infrastructure via fake automated commits. Over 5,000 GitHub repositories have allegedly been infected with CI/CD credential-stealing malware; our analysis confirms 3,500+ repositories already carrying an infected YAML file, and the number is rising.
Overview
The malware spreads by injecting fake automated commits into GitHub repositories. Once a repository owner merges the commit, the malware executes inside their CI/CD pipeline and propagates further.
Big thanks to SafeDep for uncovering this malicious campaign.
Impact
Over 5,000 GitHub repositories have allegedly been infected. Our analysis confirms 3,500+ repositories carrying an infected YAML file – and as this attack is ongoing, that number is expected to grow.
Recommended Actions
Immediate Actions:
- Block network connections to the malware’s C2 server: 216[.]126[.]225[.]129
- Revoke and rotate all credentials, SSH keys and sensitive API keys on the affected machine.
- Audit GitHub repositories for the CI/CD infection, GitHub Actions and the relevant YAML files.
Infection Analysis
When searching for the beginning of the encoded Base64 payload (Q0I9Imh0dHA6Ly8yMTYu), we can see over 3,500 YAML files with the exact same CI/CD configuration, showing over 3,500 affected repositories.

You can use this link to search for infected repositories.
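The search described above can be turned into a local check. The following is an added Python example, not code from the original post or from SafeDep: it scans the workflow files of a checked-out repository for the payload prefix quoted above, for the C2 address in clear text, and for any base64 blob that decodes to a reference to the C2 address. It assumes the standard `.github/workflows` layout; the sample workflows at the bottom are constructed for the demonstration. Decoding the quoted prefix on its own yields `CB="http://216.`, which is why it is a reliable marker for this campaign.

```python
import base64
import re
from pathlib import Path

# Indicators from the analysis above.
PAYLOAD_PREFIX = "Q0I9Imh0dHA6Ly8yMTYu"   # first 20 characters of the encoded payload in infected YAML
C2_IP = "216.126.225.129"                 # Megalodon C2 address

# Any run of base64 characters long enough to hide a URL or a script fragment.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def decoded_blobs(text):
    """Yield (token, decoded_text) for every base64-looking run that decodes cleanly."""
    for match in B64_RUN.finditer(text):
        token = match.group(0)
        padded = token + "=" * (-len(token) % 4)   # tolerate blobs with stripped padding
        try:
            raw = base64.b64decode(padded, validate=True)
        except ValueError:                          # binascii.Error is a ValueError subclass
            continue
        yield token, raw.decode("utf-8", errors="replace")


def scan_workflow_text(text, name="<inline>"):
    """Return a list of human-readable findings for one workflow file's contents."""
    findings = []
    if PAYLOAD_PREFIX in text:
        findings.append(f"{name}: contains the known Megalodon payload prefix {PAYLOAD_PREFIX}")
    if C2_IP in text:
        findings.append(f"{name}: references the C2 address {C2_IP} in clear text")
    for token, decoded in decoded_blobs(text):
        if C2_IP in decoded:
            findings.append(f"{name}: base64 blob {token[:20]}... decodes to a reference to {C2_IP}")
    return findings


def scan_files(files):
    """Scan a mapping of {filename: contents}; returns all findings in filename order."""
    findings = []
    for name in sorted(files):
        findings.extend(scan_workflow_text(files[name], name))
    return findings


def scan_repo(repo_root):
    """Scan every workflow file under .github/workflows of a checked-out repository."""
    root = Path(repo_root) / ".github" / "workflows"
    files = {str(p): p.read_text(errors="replace") for p in root.glob("*.y*ml") if p.is_file()}
    return scan_files(files)


# Constructed sample workflows (not real Megalodon files) for the demonstration.
SAMPLE_PAYLOAD = base64.b64encode(b'CB="http://216.126.225.129/"; echo "$CB"').decode()
INFECTED_WORKFLOW = f"""name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
      - run: echo {SAMPLE_PAYLOAD} | base64 -d
"""
CLEAN_WORKFLOW = """name: lint
on: [push, pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make lint
"""

if __name__ == "__main__":
    for finding in scan_files({"ci.yml": INFECTED_WORKFLOW, "lint.yml": CLEAN_WORKFLOW}):
        print(finding)
```

Run `scan_repo("/path/to/checkout")` over every repository you own; a hit on the prefix is the strongest signal, while a decoded blob that merely mentions the address deserves a manual look at the step it sits in.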
Technical Analysis

The malware spreads via fake GitHub pull requests. Each commit uses a hardcoded date (September 17, 2001) paired with a fake bot identity: ci-bot@automated.dev, or build-system@noreply.dev.
We’ve seen similar behavior in TeamPCP’s self-leaked source code, where the fake commit date was from January 2099.
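The two commit-level indicators above (the fixed author date and the fake bot e-mail addresses) can be audited straight from git history. The following is an added Python example, not code from the original post: it assumes `git` is on the PATH, reads the log through a custom `--format` with a unit-separator delimiter, and also flags author dates that lie in the future, covering the TeamPCP-style variant mentioned above. The sample log records are constructed with placeholder hashes.

```python
import subprocess
from datetime import datetime, timezone

# Indicators from the analysis above.
FAKE_BOT_EMAILS = {"ci-bot@automated.dev", "build-system@noreply.dev"}
HARDCODED_DATE = "2001-09-17"      # author date carried by the Megalodon commits

# One record per line: hash, author name, author email, author date (ISO 8601), subject,
# separated by the ASCII unit separator so subjects containing spaces or pipes stay intact.
SEP = "\x1f"
LOG_FORMAT = SEP.join(["%H", "%an", "%ae", "%aI", "%s"])


def _as_utc(dt):
    """Treat naive timestamps as UTC so aware and naive values compare safely."""
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def audit_commit(record, now_iso=None):
    """Return (sha, reasons); reasons is empty when the commit metadata looks normal."""
    sha, _name, email, date_iso, _subject = record.rstrip("\n").split(SEP, 4)
    reasons = []
    if email.lower() in FAKE_BOT_EMAILS:
        reasons.append(f"author email {email} is a known fake bot identity")
    if date_iso.startswith(HARDCODED_DATE):
        reasons.append(f"author date {date_iso} is the hardcoded Megalodon date")
    authored = _as_utc(datetime.fromisoformat(date_iso))
    now = _as_utc(datetime.fromisoformat(now_iso)) if now_iso else datetime.now(timezone.utc)
    if authored > now:
        reasons.append(f"author date {date_iso} lies in the future")
    return sha, reasons


def audit_log(records, now_iso=None):
    """Return [(sha, reasons)] for every record that triggered at least one reason."""
    results = []
    for record in records:
        if record.strip():
            sha, reasons = audit_commit(record, now_iso)
            if reasons:
                results.append((sha, reasons))
    return results


def audit_repo(repo_root, now_iso=None):
    """Run git log on a checked-out repository and audit every commit on the current branch."""
    out = subprocess.run(["git", "-C", repo_root, "log", f"--format={LOG_FORMAT}"],
                         capture_output=True, text=True, check=True).stdout
    return audit_log(out.splitlines(), now_iso)


# Constructed sample log (placeholder hashes, not real commits): one legitimate commit,
# one carrying both Megalodon indicators, one with a TeamPCP-style far-future date.
SAMPLE_LOG = [
    SEP.join(["0000000000000000000000000000000000000001", "Jane Doe", "jane@example.com",
              "2024-05-02T10:15:00+02:00", "Fix flaky test"]),
    SEP.join(["0000000000000000000000000000000000000002", "ci-bot", "ci-bot@automated.dev",
              "2001-09-17T00:00:00+00:00", "chore: update CI configuration"]),
    SEP.join(["0000000000000000000000000000000000000003", "build-system", "build-system@noreply.dev",
              "2099-01-01T00:00:00+00:00", "chore: automated build update"]),
]

if __name__ == "__main__":
    for sha, reasons in audit_log(SAMPLE_LOG):
        print(sha[:12], *reasons, sep="\n    ")
```

Because the malicious commits arrive as pull requests, run `audit_repo` against the PR branch before merging rather than only against the default branch; a flagged commit should be treated as an indicator to inspect the workflow files it touches.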

The malware steals AWS configurations, access keys, profiles and regions by running the “aws configure list-profiles” command:

The malware has a Base64 encoded regex pattern, used to find secret keys on the machine.

After decoding, we can see the regex expression targets AWS, Slack, GitHub keys, PyPI, and npm, alongside other generic patterns.

The code also directly targets local environment variables, cloud configurations, Docker, Terraform, npm, PyPI, secrets, bash history, and more.

The same goes for GitHub Actions, CI tokens and Bitbucket tokens.

The malware sends the stolen information to the C2 server 216[.]126[.]225[.]129 with the “megalodon” string as parameter.

The malware sends the information via a POST request to the remote server.
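The exfiltration step is also detectable on the network side. The following is an added Python example, not code from the original post: it classifies web-proxy or egress log lines, flagging any request to 216[.]126[.]225[.]129 and any request carrying a `megalodon` parameter, and marks a POST to the C2 address as probable exfiltration. The log layout `<epoch> <client> <method> <url> <status>` and the sample lines are constructed for the example, since the post does not show the exact request format.

```python
import re
from urllib.parse import parse_qs, urlsplit

C2_IP = "216.126.225.129"     # Megalodon C2 address from the analysis above
MARKER = "megalodon"          # string the malware sends as a request parameter

# Constructed log layout (assumed, Squid-like): "<epoch> <client> <method> <url> <status>".
LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify(line):
    """Return a finding dict for a suspicious line, or None for benign or unparseable lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    url = m["url"]
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    if parts.hostname == C2_IP:
        reasons.append(f"{m['method']} request to the Megalodon C2 address {C2_IP}")
    if any(MARKER in k.lower() for k in params) or any(
        MARKER in v.lower() for vs in params.values() for v in vs
    ):
        reasons.append(f"request carries the '{MARKER}' parameter")
    if not reasons:
        return None
    return {
        "ts": m["ts"],
        "client": m["client"],
        "method": m["method"],
        "url": url,
        # A POST to the C2 address is the exfiltration pattern described above.
        "exfil": m["method"] == "POST" and parts.hostname == C2_IP,
        "reasons": reasons,
    }


def detect(lines):
    """Run classify over an iterable of log lines and return the findings in order."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample lines (not a real capture).
SAMPLE_LOG = [
    "1717000000.123 10.0.0.5 GET https://github.com/example-org/example-repo 200",
    "1717000001.456 10.0.0.5 POST http://216.126.225.129/upload?megalodon=1 200",
    "1717000002.789 10.0.0.9 POST https://api.example.com/v1/data 201",
    "1717000003.012 10.0.0.7 GET http://216.126.225.129/ 404",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        flag = "EXFIL" if hit["exfil"] else "contact"
        print(f"{flag:7} {hit['client']} {hit['method']} {hit['url']} :: {'; '.join(hit['reasons'])}")
```

Any client that appears in an `exfil` finding should be treated as a machine whose credentials are already in the attacker's hands, which is why the credential rotation listed under Recommended Actions comes before cleanup; a bare contact with the C2 address (a failed GET, for instance) still identifies a runner or workstation that executed the payload.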

Conclusion
We’ve entered a new supply chain attack era, and TeamPCP compromising GitHub was only the beginning. What’s coming next is an endless wave, a tsunami of cyber attacks on developers worldwide.
Hacking GitHub wasn’t just a hack. It compromises the security of every company with a private repository hosted on the platform. Now threat actors are continuing the trend, exploiting simple security loopholes and human errors to spread malicious code at scale.
This isn’t something that’s going to stop soon unless companies like npm and GitHub take serious action against the spread of malicious code on their servers. This week npm put out a statement on their X account saying they “invalidated npm granular access tokens with write access that bypass 2FA.”
That could help a little with account hijacking, but it doesn’t solve the actual problem. Malicious code is still reaching their servers, and nothing is stopping it before it does.
If platforms continue allowing any type of code to be uploaded without serious vetting, the number of attacks will only increase. Malicious code should be treated the way harmful content is treated on social media – flagged, taken seriously, and removed before it ever reaches end users.