Megalodon Campaign Targets Over 5,500 GitHub Repositories

A new automated malware campaign named Megalodon has compromised more than 5,500 GitHub repositories, raising concerns over supply chain security.

A recent automated malware campaign known as Megalodon has infiltrated over 5,500 GitHub repositories, according to researchers from SafeDep. The incident, which occurred on a Monday, mirrors earlier attacks by TeamPCP that affected approximately 3,800 repositories.

Details of the Campaign

The malware introduced through this campaign is designed to steal CI/CD credentials. If a repository owner merges the malicious commit, the malware executes within their CI/CD pipeline, allowing it to spread further. It can steal AWS secret keys and Google Cloud access tokens, and it queries cloud instance metadata services for instance role credentials, among other sensitive data.

Impact on Developers

As noted by Moshe Siman Tov Bustan, lead researcher at Ox Security, the implications of this attack are significant. He stated, “We’ve entered a new supply chain attack era, and TeamPCP compromising GitHub was only the beginning.” The malware’s ability to exfiltrate sensitive tokens means that developers’ cloud identities could be impersonated, potentially compromising the security of companies using private repositories on GitHub.

Malware Distribution Method

The Megalodon malware was found hidden within a legitimate package called Tiledesk, an open-source live chat platform. Versions 2.18.6 through 2.18.12 were backdoored, with the last clean version being 2.18.5. The attacker did not compromise the npm account but instead manipulated the GitHub repository, leading the maintainer to publish the compromised versions unknowingly.
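A defender's check that a practitioner can run against a project's package-lock.json, added here as an example and not code from the article or the Tiledesk project: it flags every installed copy of the package whose version falls in the backdoored 2.18.6 to 2.18.12 range, handling both the flat lockfile v2/v3 layout and the nested v1 layout. The npm package name `tiledesk` is an assumption (the article gives only the product name), so pass the real name if it differs.

```python
"""Flag lockfile entries for the backdoored Tiledesk release range (2.18.6 - 2.18.12)."""
import json

# Range reported as backdoored in the article; 2.18.5 is the last clean release.
FIRST_BAD = (2, 18, 6)
LAST_BAD = (2, 18, 12)


def parse_version(v):
    """Turn '2.18.7' (optionally prefixed with 'v' or '=') into a comparable tuple.
    Pre-release and build suffixes are dropped."""
    core = v.lstrip("v=").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def is_backdoored(version):
    return FIRST_BAD <= parse_version(version) <= LAST_BAD


def lockfile_entries(lock, package):
    """Yield (install path, version) for every resolved copy of `package`."""
    # lockfileVersion 2/3: flat "packages" map keyed by install path.
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + package):
            yield path, meta.get("version", "")

    # lockfileVersion 1: nested "dependencies" tree (v2 files also carry this
    # tree for compatibility, so only walk it when "packages" is absent).
    def walk(deps, prefix):
        for name, meta in deps.items():
            path = prefix + "node_modules/" + name
            if name == package:
                yield path, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}), path + "/")

    if "packages" not in lock:
        yield from walk(lock.get("dependencies", {}), "")


def find_backdoored(lock_text, package="tiledesk"):
    """Return the install paths of every copy of `package` pinned to a known-bad version.
    The default package name is an assumption, not taken from the article."""
    lock = json.loads(lock_text)
    return sorted(p for p, v in lockfile_entries(lock, package) if v and is_backdoored(v))


# Constructed sample lockfile (v3 layout): one clean top-level copy and one
# backdoored copy nested under another dependency.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo"},
        "node_modules/tiledesk": {"version": "2.18.5"},
        "node_modules/some-plugin": {"version": "1.0.0"},
        "node_modules/some-plugin/node_modules/tiledesk": {"version": "2.18.9"},
    },
})

if __name__ == "__main__":
    for path in find_backdoored(SAMPLE_LOCK):
        print("backdoored version installed at", path)
```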

Ongoing Concerns and Future Implications

While npm has taken steps to invalidate certain access tokens to mitigate risks, Bustan emphasized that the core issue remains unresolved. He remarked that malicious code continues to reach GitHub’s servers without adequate prevention measures. The attack highlights the urgent need for platforms like npm and GitHub to implement stronger defenses against the spread of malicious code.

As the landscape of supply chain attacks evolves, developers and organizations must remain vigilant and proactive in securing their environments against such threats.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
