The malware spreads by injecting fake automated commits into GitHub repositories. Once a repository owner merges the commit, the malware executes inside their CI/CD pipeline and propagates further.
Big thanks to SafeDep for uncovering this malicious campaign.
Over 5,000 GitHub repositories have allegedly been infected. Our analysis confirms 3,500+ repositories carrying an infected YAML file – and as this attack is ongoing, that number is expected to grow.
Immediate Actions:
Block network connections to the malware’s C2 server: 216[.]126[.]225[.]129
Revoke and rotate all credentials, SSH keys and sensitive API keys on the affected machine.
Audit GitHub repositories for the CI/CD infection, GitHUb actions and the relevant YAML files.
When searching for the beginning of the encoded Base64 payload (Q0I9Imh0dHA6Ly8yMTYu), we can see over 3,500 YAML files with the exact same CI/CD configuration, showing over 3,500 affected repositories.
You can use this link to search for infected repositories.
The malware spreads via fake GitHub pull requests. Each commit uses a hardcoded date (September 17, 2001) paired with a fake bot identity: ci-bot@automated.dev, or build-system@noreply.dev.
We’ve seen a similar behavior with TeamPCP’s self leaked source code, where the fake commit date was from January 2099.
The malware steals AWS configurations, access keys, profiles and regions by running the “aws configure list-profiles” command:
The malware has a Base64 encoded regex pattern, used to find secret keys on the machine.
After decoding, we can see the regex expression is targeting AWS, Slack, GitHub keys, PyPi, and npm, alongside other generic patterns.
The code also directly targets local environment variables, cloud configurations, Docker, Terraform, npm, PyPi, secrets, bash history, and more.
The same goes for GitHub actions, CI tokens and Bitbucket tokens.
The malware sends the stolen information to the C2 server 216[.]126[.]225[.]129 with the “megalodon” string as parameter.
The malware sends the information via a POST request to the remote server.
We’ve entered a new supply chain attack era, and TeamPCP compromising GitHub was only the beginning. What’s coming next is an endless wave, a tsunami of cyber attacks on developers worldwide.
Hacking GitHub wasn’t just a hack. It compromises the security of every company with a private repository hosted on the platform. Now threat actors are continuing the trend, exploiting simple security loopholes and human errors to spread malicious code at scale.
This isn’t something that’s going to stop soon unless companies like npm and GitHub take serious action against the spread of malicious code on their servers. This week npm put out a statement on their X account saying they “invalidated npm granular access tokens with write access that bypass 2FA.”
That could help a little with account hijacking, but it doesn’t solve the actual problem. Malicious code is still reaching their servers, and nothing is stopping it before it does.
If platforms continue allowing any type of code to be uploaded without serious vetting, the number of attacks will only increase. Malicious code should be treated the way harmful content is treated on social media – flagged, taken seriously, and removed before it ever reaches end users.
The post Megalodon: New CI/CD Malware Spreads Across GitHub, Infecting ~5,000+ Repositories appeared first on OX Security.