⚠️ THREAT ALERT: Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows
The campaign leverages a supply‑chain pivot in the GitHub Actions ecosystem by inserting malicious workflow files (e.g., `.github/workflows/ci.yml`) into target repositories via compromised personal access tokens (PATs) harvested from credential‑stuffing attacks against GitHub accounts. The injected workflow exploits the default privileges granted to GitHub‑Hosted runners, which run as root on Ubuntu‑based containers, enabling the attacker to execute arbitrary shell commands during the CI step. By embedding a base64‑encoded payload that downloads a second‑stage script from a hidden GitHub gist and subsequently compiles a cross‑platform Go backdoor, the actors obtain persistent footholds on both the CI environment and any downstream artifacts (Docker images, binaries) produced by the polluted pipeline. The technique aligns with known abuse patterns of CVE‑2022‑24765 (GitHub Actions pull‑request workflow execution) and CVE‑2023‑29155 (improper sanitization of workflow inputs), allowing the malicious workflow to run on forks and pull‑requests without explicit reviewer approval.
A detailed artifact analysis indicates the payload utilizes known evasion modules from the open‑source “SigStore” abuse chain, specifically leveraging insecure defaults in the `actions/setup-go` step to inject a malicious `go.mod` that pulls a compromised module from the public Go proxy, exploiting the lack of module signature verification (CVE‑2023‑22527). The backdoor communicates over HTTPS to a domain resolved via fast‑flux DNS, employing TLS fingerprint spoofing to blend with legitimate traffic. Additionally, the script sets up a cron job on the runner’s VM (`/etc/cron.d/gh-actions-persist`) to re‑inject the workflow if removed, and modifies the repository’s default branch protection rules to disable required status checks, ensuring subsequent pushes are automatically accepted.
Mitigation requires a multi‑layered response:
(1) Enforce the principle of least privilege on PATs by restricting scopes to `repo:read` where possible and mandating MFA for all accounts.
(2) Activate GitHub’s “Require approval for actions from unknown publishers” policy and enable the “Block public actions” setting for all repositories, which will prevent unvetted third‑party actions from executing.
(3) Audit existing workflows for any that invoke `actions/checkout@v2` without pinning a specific SHA, and replace them with version‑pinned, signed actions.
(4) Deploy endpoint detection on GitHub‑Hosted runner images to monitor for unauthorized `cron` entries and abnormal outbound connections, and integrate security‑oriented CI linting tools (e.g., `actionlint`, `safeguard`) into the pipeline to reject workflows containing suspicious patterns.
(5) Finally, rotate all compromised PATs, revoke any tokens issued before the incident window, and scan the affected 5,561 repos with GitHub’s secret scanning and Dependabot alerts to identify residual malicious dependencies.
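The workflow audit recommended above can be scripted. The following Python is an added example, not code from this alert or from GitHub: it flags `uses:` references that are not pinned to a full 40-character commit SHA and, as a heuristic assumption, any workflow line that decodes base64. The sample workflow, its placeholder SHA and the name `audit_workflow` are constructed for illustration.

```python
import re

# A step's `uses:` value, e.g. "- uses: actions/checkout@v2"
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")   # full commit SHA, immutable
B64_RE = re.compile(r"base64\s+(?:-d|--decode)\b")  # heuristic, assumption

# Constructed sample workflow; the 40-hex SHA below is a placeholder.
SAMPLE = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: ./.github/actions/local
      - run: echo "ZWNobyBoaQ==" | base64 -d | sh
"""

def audit_workflow(text):
    """Return (line_number, finding, detail) tuples for one workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            # Local actions live in the repo itself; container images are
            # pinned by digest, which this check does not cover.
            if ref.startswith(("./", "docker://")):
                continue
            _, _, version = ref.partition("@")
            if not FULL_SHA_RE.match(version):
                findings.append((lineno, "unpinned-action", ref))
        elif B64_RE.search(line):
            findings.append((lineno, "base64-decode", line.strip()))
    return findings

if __name__ == "__main__":
    for lineno, kind, detail in audit_workflow(SAMPLE):
        print(f"line {lineno}: {kind}: {detail}")
```

A tag such as `@v2` can be moved to a different commit by whoever controls the action repository, which is why only a full SHA passes the check.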