1. Threat Overview
A supply chain attack, dubbed 'Megalodon', has infected over 5,500 GitHub repositories by injecting fake automated commits into GitHub Actions workflows. This allows attackers to steal credentials, CI secrets, keys, and tokens. The attack leverages a vulnerability in GitHub Actions workflows.
2. Key Intelligence Points
1. The attack injects fake automated commits into GitHub Actions workflows, utilizing a vulnerability in GitHub Actions.
2. Over 5,500 GitHub repositories have been compromised, with the attackers stealing credentials, CI secrets, keys, and tokens.
3. The attack chain involves injecting malicious code into GitHub Actions workflows, which are then executed, allowing the attackers to steal sensitive information.
4. Detection opportunities include monitoring for suspicious GitHub Actions workflow activity and identifying unauthorized commits to sensitive repositories.
3. MITRE ATT&CK Techniques
T1210 - Exploitation of Remote Services
T1204 - User Execution of Authorized Software
4. Mitigation & Detection
Require review and approval for changes to GitHub Actions workflow files, and monitor GitHub repositories for suspicious activity such as unexpected commits to workflow files.
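The detection opportunity above (unauthorized commits that touch workflow files, including commits that pose as routine automation) can be turned into a simple repository check. The script below is an added example, not tooling from the original report: it parses a constructed, simplified git log (the header/path layout is an assumption, loosely modelled on `git log --name-only --pretty=format:'%H|%an|%ae|%s'`), and flags any commit that changes `.github/workflows/` when its author either claims to be a bot but is not on a per-repository allowlist of trusted automation identities, or is a human outside the maintainer allowlist. All identities, e-mails, commit hashes and allowlists are constructed placeholders.

```python
"""Flag commits that change GitHub Actions workflow files and whose author
identity is unexpected or looks like spoofed automation.

Constructed example, not code from the original report. Input format is
assumed: one header line per commit with four '|'-separated fields
(sha|author name|author e-mail|subject), followed by the paths the commit
touched, with blank lines between commits.
"""
import re
from dataclasses import dataclass, field

WORKFLOW_DIR = ".github/workflows/"

# Constructed allowlist: automation identities this repository actually
# uses, keyed by author name, with the exact e-mail each commits under.
TRUSTED_AUTOMATION = {
    "ci-bot[bot]": "ci-bot@example.com",
}
# Constructed allowlist of humans who are expected to edit workflow files.
WORKFLOW_MAINTAINERS = {"alice@example.com"}

# Heuristic for author names that claim to be automation. Attackers choose
# such names so the commit blends in with routine bot traffic; it can
# also match ordinary names containing "bot", which is acceptable here
# because the allowlists, not the regex, decide what is trusted.
AUTOMATION_NAME = re.compile(r"bot|automated|github-actions", re.I)
SHA = re.compile(r"[0-9a-f]{7,40}")

# Constructed sample log: one legitimate maintainer change, one trusted bot
# change outside workflows, one trusted bot change inside workflows, one
# bot-looking author with a foreign e-mail, and one non-maintainer human.
SAMPLE_LOG = """\
a1b2c3d|alice|alice@example.com|ci: bump node version
.github/workflows/ci.yml

b2c3d4e|ci-bot[bot]|ci-bot@example.com|chore: refresh lockfile
package-lock.json

e5f6a7b|ci-bot[bot]|ci-bot@example.com|chore: sync workflow
.github/workflows/sync.yml

c3d4e5f|github-actions[bot]|actions@attacker.example|chore: update workflow
.github/workflows/release.yml

d4e5f6a|mallory|mallory@example.com|fix typo
.github/workflows/ci.yml
README.md
"""


@dataclass
class Commit:
    sha: str
    author: str
    email: str
    subject: str
    paths: list = field(default_factory=list)


def parse_log(text):
    """Parse the header/paths layout described above into Commit objects."""
    commits = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split("|", 3)
        if len(fields) == 4 and SHA.fullmatch(fields[0]):
            current = Commit(*fields)
            commits.append(current)
        elif current is not None:
            current.paths.append(line)
    return commits


def touches_workflows(commit):
    return any(p.startswith(WORKFLOW_DIR) for p in commit.paths)


def analyse(commits):
    """Return (sha, reason) pairs for workflow changes that need a human look."""
    findings = []
    for c in commits:
        if not touches_workflows(c):
            continue
        claims_bot = bool(AUTOMATION_NAME.search(c.author))
        trusted_bot = TRUSTED_AUTOMATION.get(c.author) == c.email
        if claims_bot and not trusted_bot:
            findings.append((c.sha, "workflow change by automation-looking author not in allowlist"))
        elif not claims_bot and c.email not in WORKFLOW_MAINTAINERS:
            findings.append((c.sha, "workflow change by author outside maintainer allowlist"))
    return findings


if __name__ == "__main__":
    for sha, reason in analyse(parse_log(SAMPLE_LOG)):
        print(f"{sha}: {reason}")
```

The check deliberately keys trust on the (author name, e-mail) pair rather than the name alone, since a display name is free to choose; on a real repository the allowlists would be populated from the bots and maintainers the project actually uses, and the flagged commits fed to a reviewer before any workflow change is allowed to run.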