A campaign named Megalodon has compromised over five thousand repositories on GitHub by injecting malicious CI/CD workflows. Attackers exploit vulnerabilities in continuous integration and deployment pipelines to execute unauthorized code, steal credentials, or install backdoors. The scope affects open-source projects and organizations, amplifying the risk of propagation to connected systems.
How this threat operates in CI/CD pipelines 🦈
Attackers insert malicious actions into the YAML files of GitHub Actions workflows. These actions run with elevated permissions, allowing them to extract tokens, environment variables, and stored SSH keys. Once inside, the code can modify the repository, deploy malware on integration servers, or exfiltrate sensitive data. The automated nature of pipelines makes the attack easy to overlook, since changes to CI/CD configuration files are often excluded from security review and alerting.
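A defender's first check against this kind of workflow tampering is to review what the workflow files actually grant and pull in. The script below is an added example, not code from the original post or from any project it mentions: it scans GitHub Actions workflow text for third-party actions referenced by a mutable tag or branch instead of a full commit SHA, for `permissions: write-all`, for a missing top-level `permissions:` block, and for the `pull_request_target` trigger. The two embedded workflows, the rule identifiers and the 40-character SHA in the hardened workflow are constructed for illustration; the scan is deliberately line-based so it runs without a YAML library.

```python
"""Heuristic scanner for risky settings in GitHub Actions workflow files.

Added example, not from the original post. It flags settings that let an
injected step run with a broad token or pull in code by a mutable ref:
the ingredients the Megalodon write-up describes. Line-based on purpose,
so no YAML parser is required; it is a review aid, not a full linter.
"""
import re
from typing import List, Tuple

Finding = Tuple[int, str, str]  # (line number, rule id, message); line 0 = whole file

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")       # "- uses: owner/repo@ref"
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")                # immutable commit pin
WRITE_ALL_RE = re.compile(r"^\s*permissions:\s*write-all\b")
PERMISSIONS_RE = re.compile(r"^permissions:")              # top-level block only
PR_TARGET_RE = re.compile(r"\bpull_request_target\b")


def scan_workflow(text: str) -> List[Finding]:
    """Return findings for one workflow file, ordered by line number."""
    findings: List[Finding] = []
    has_permissions_block = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PERMISSIONS_RE.match(line):
            has_permissions_block = True
        if WRITE_ALL_RE.match(line):
            findings.append((lineno, "broad_permissions",
                             "GITHUB_TOKEN granted write-all; restrict to the scopes the job needs"))
        if PR_TARGET_RE.search(line):
            findings.append((lineno, "pull_request_target",
                             "pull_request_target runs with a write token against untrusted PR "
                             "contents; review what the job checks out and executes"))
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            # Local actions and docker:// images are not resolved through a git ref.
            if not (ref.startswith("./") or ref.startswith("docker://")):
                _, _, version = ref.partition("@")
                if not FULL_SHA_RE.match(version):
                    findings.append((lineno, "unpinned_action",
                                     f"{ref}: pinned to a mutable ref; pin to a full commit SHA"))
    if not has_permissions_block:
        findings.append((0, "no_permissions_block",
                         "no top-level permissions block; token falls back to repository defaults"))
    return findings


# Constructed sample workflows (not taken from any real repository).
RISKY_WORKFLOW = """\
name: build
on: [push, pull_request_target]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/helper-action@main
      - run: ./build.sh
        env:
          TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

HARDENED_WORKFLOW = """\
name: build
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - run: ./build.sh
"""

if __name__ == "__main__":
    for name, text in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {name} ==")
        for lineno, rule, msg in scan_workflow(text) or [(0, "ok", "no findings")]:
            print(f"line {lineno}: [{rule}] {msg}")
```

Running the script reports four findings for the risky workflow (the `pull_request_target` trigger, `write-all`, and two actions pinned to `v4` and `main`) and none for the hardened one. Pinning to a commit SHA matters because a tag or branch can be moved to point at injected code without any change appearing in your own repository, which is exactly the kind of change the write-up says pipelines tend not to surface.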
The fun side of your code becoming a fish tank 🐠
If your repository was infected, at least now you have a solid excuse for not having uploaded that critical project update. Attackers not only steal credentials, they also save you the work of reviewing your pipeline because they already tore it apart. The best part is, while they fish for tokens, you can blame the digital shark instead of admitting you had hardcoded passwords. Welcome to the open-source aquarium.