Megalodon is a large automated supply chain attack that infected over 5,000 GitHub repositories by abusing GitHub Actions workflows to steal secrets such as AWS keys, GCP tokens, SSH private keys, and GitHub OIDC tokens. Hudson Rock and other researchers traced the campaign to infostealer-compromised accounts and linked the spread to the open-sourced Shai Hulud framework from TeamPCP. #Megalodon #GitHubActions #ShaiHulud #TeamPCP #HudsonRock
Key points
- Megalodon pushed thousands of malicious commits in six hours.
- The attack targeted GitHub Actions and poisoned CI/CD workflows.
- Attackers stole secrets including cloud keys, SSH keys, and OIDC tokens.
- Researchers linked the compromised accounts to infostealer infections.
- Shai Hulud being open-sourced helped enable the scale of the campaign.
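A practitioner reading this summary will want a way to review their own workflows for the configurations that hand repository secrets to code an attacker can influence. The script below is an added illustration, not code from the Megalodon write-up, from Hudson Rock or from any named project, and its checks are generic GitHub Actions hardening rules rather than a signature for this campaign. It is stdlib-only, scanning workflow text with regular expressions instead of a YAML parser; the two sample workflows, the action name `example-org/setup-tool` and the all-zero commit SHA are constructed placeholders.

```python
"""
Audit GitHub Actions workflow files for settings that expose repository
secrets (cloud keys, deploy tokens, OIDC tokens) to untrusted code.

Added example, not from the Megalodon write-up or any project. The rules
are general CI/CD hardening checks, not a detection for this campaign.
Stdlib only: the YAML is scanned with regular expressions so it runs
without PyYAML installed.
"""
import re

# Third-party actions should be pinned to a full 40-hex commit SHA; a tag
# or branch is mutable and can later be repointed at malicious code.
ACTION_REF = re.compile(
    r"uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]+)?@([^\s'\"]+)")
SHA40 = re.compile(r"^[0-9a-f]{40}$")

# Expressions that expand attacker-controlled event data; inside a run:
# script they allow command injection and must go through env: instead.
UNTRUSTED_INPUT = re.compile(
    r"\$\{\{\s*github\.(?:head_ref|event\.(?:pull_request\.(?:title|body|"
    r"head\.(?:ref|label|repo\.full_name))|issue\.(?:title|body)|"
    r"comment\.body|head_commit\.message))\s*\}\}")
SECRET_EXPANSION = re.compile(r"\$\{\{\s*secrets\.")


def run_blocks(text):
    """Return the body of every run: step (single line or block scalar)."""
    lines, blocks, i = text.splitlines(), [], 0
    while i < len(lines):
        col, stripped = lines[i].find("run:"), lines[i].lstrip()
        if col >= 0 and (stripped.startswith("run:") or stripped.startswith("- run:")):
            body = [lines[i][col + 4:].strip()]
            i += 1
            # Continuation lines are indented deeper than the run: key.
            while i < len(lines) and (
                    not lines[i].strip()
                    or len(lines[i]) - len(lines[i].lstrip()) > col):
                body.append(lines[i].strip())
                i += 1
            blocks.append("\n".join(body))
        else:
            i += 1
    return blocks


def unpinned_actions(text):
    """(action, ref) pairs whose ref is not a commit SHA."""
    return [(a, r) for a, r in ACTION_REF.findall(text) if not SHA40.match(r)]


def checks_out_pr_head_with_secrets(text):
    """pull_request_target runs with the base repo's secrets; checking out
    the PR head there executes untrusted code with those secrets in reach."""
    return ("pull_request_target" in text and re.search(
        r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head", text) is not None)


def broad_token_permissions(text):
    """write-all gives the job token write access to every scope."""
    return re.search(r"permissions:\s*write-all", text) is not None


def mints_oidc_token(text):
    """id-token: write lets the job request a GitHub OIDC token for cloud
    federation; legitimate when intended, but worth surfacing in a review."""
    return re.search(r"id-token:\s*write", text) is not None


def audit_workflow(text):
    """Return a list of human-readable findings for one workflow file."""
    findings = []
    for action, ref in unpinned_actions(text):
        findings.append(f"unpinned action {action}@{ref}: pin to a full commit SHA")
    if checks_out_pr_head_with_secrets(text):
        findings.append("pull_request_target checks out the PR head: untrusted "
                        "code runs with repository secrets available")
    if broad_token_permissions(text):
        findings.append("permissions: write-all: scope GITHUB_TOKEN per job")
    if mints_oidc_token(text):
        findings.append("id-token: write: confirm the cloud trust policy "
                        "restricts the OIDC token to this repo and branch")
    for block in run_blocks(text):
        if UNTRUSTED_INPUT.search(block):
            findings.append("untrusted event data expanded inside run: "
                            "script injection; pass it via env:")
        if SECRET_EXPANSION.search(block):
            findings.append("secret expanded inside run: pass it via env: "
                            "so it is not interpolated into the script")
    return findings


# Constructed sample: a workflow with several of the weaknesses above.
RISKY_WORKFLOW = """
name: pr-check
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: example-org/setup-tool@main
      - name: Lint title
        run: echo "Checking ${{ github.event.pull_request.title }}"
      - name: Publish
        run: |
          ./publish.sh --token ${{ secrets.DEPLOY_TOKEN }}
"""

# Constructed sample: the same job hardened (placeholder all-zero SHA).
HARDENED_WORKFLOW = """
name: pr-check
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - name: Lint title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Checking $PR_TITLE"
      - name: Publish
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
        run: ./publish.sh
"""

if __name__ == "__main__":
    for label, wf in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {len(audit_workflow(wf))} finding(s)")
        for f in audit_workflow(wf):
            print("  -", f)
```

Run it over `.github/workflows/*.yml` by reading each file into `audit_workflow`; the risky sample yields six findings and the hardened one none. The checks deliberately stop at review prompts: `id-token: write` and secret use are legitimate in many pipelines, so the output is meant to drive a human review of which jobs can reach which credentials, not to block builds on its own.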