Megalodon Mass GitHub Actions Secret Exfiltration Across 5500 Public Repos
A significant security breach has occurred involving over 5,500 public GitHub repositories. Attackers exploited GitHub Actions to backdoor these repositories and exfiltrate sensitive credentials. The incident highlights vulnerabilities in CI/CD pipelines that many developers were unaware of.
- 5,561 GitHub repositories were compromised within six hours.
- Attackers harvested cloud credentials, stole SSH keys, and minted OIDC tokens.
- The attack was executed without altering the application code, focusing solely on the pipeline.
A forged commit. A workflow file disguised as a routine CI optimization. Within 6 hours, 5,561 GitHub repositories were backdoored. Cloud credentials harvested. SSH keys stolen. OIDC tokens minted and exfiltrated before any runner finished. The attacker never touched your application code, only your pipeline.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Stepsecurity.