More than 5,500 GitHub repositories were infected with malware in a supply chain attack that relies on automated commits, security researchers warn.
The campaign, dubbed Megalodon, relies on GitHub Actions workflows containing a payload designed to steal credentials, keys, tokens, and other secrets.
The workflows, SafeDep says, were injected through over 5,700 malicious commits pushed to the impacted repositories within a six-hour window, on May 18.
According to the cybersecurity firm, the attackers deployed two payloads as part of the attack. One was designed to add a new workflow that would be triggered on every push and pull request, and another that replaced existing workflows with specific triggers, creating dormant backdoors.
On infected machines, the malware would exfiltrate all CI environment variables, AWS credentials, GCP access tokens, Azure credentials, SSH private keys, Docker and Kubernetes configurations, API keys, database connection strings, GitHub Actions tokens, GitLab CI/CD tokens, and dozens of other types of secrets.
