
Megalodon GitHub Attack: Detecting and Removing Malicious CI/CD Workflows

Security Arsenal Team
May 22, 2026

Introduction

According to reports from May 2026, a massive automated campaign dubbed "Megalodon" has demonstrated the fragility of open-source supply chains. In a mere six-hour window, threat actors pushed 5,718 malicious commits to 5,561 distinct GitHub repositories. This was not a targeted spear-phishing campaign; it was a "spray and pray" operation leveraging automation and CI/CD abuse.

The attackers utilized throwaway GitHub accounts with forged author identities—specifically build-bot, auto-ci, ci-bot, and pipeline-bot—to inject malicious GitHub Actions workflows. These workflows contained obfuscated, base64-encoded bash scripts designed to exfiltrate CI/CD secrets (tokens, SSH keys, and environment variables). For defenders, this is a critical wake-up call: your CI/CD pipeline is no longer just a build tool; it is a prime attack surface. If you are running public repositories or even private repos with unverified contributor access, you need to assume compromise and hunt for these indicators immediately.

Technical Analysis

Affected Platform: GitHub (Specifically the GitHub Actions CI/CD service).

Attack Vector: Supply Chain Compromise via Poisoned Pipeline.

Exploitation Status: Confirmed Active Exploitation (In-the-wild).

Attack Chain Breakdown:

  1. Initial Access: The attacker creates throwaway accounts or compromises user credentials.
  2. Execution: The actor pushes a .github/workflows/*.yml file to the target repository.
  3. Obfuscation: The workflow run step contains a bash command that performs echo <base64_string> | base64 -d | bash. This bypasses static signature checks on the workflow file itself.
  4. Payload Execution: When the Actions runner triggers (on push, PR, or schedule), the decoded bash script executes.
  5. Objective: The script enumerates environment variables ($GITHUB_TOKEN, AWS_ACCESS_KEY_ID, etc.) and exfiltrates them via curl or wget to an attacker-controlled C2 server.

Key Indicators of Compromise (IOCs):

  • Committer Names: build-bot, auto-ci, ci-bot, pipeline-bot.
  • File Paths: .github/workflows/
  • Behavior: Base64 decoding within shell steps of YAML workflows.
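The following Python scanner is an added example, not code from the original advisory or from Security Arsenal. It locates the decode-to-shell pattern from step 3 inside a workflow file, decodes the blob, and checks the decoded script for the step 5 behaviours (environment enumeration, well-known secret names, curl/wget, SSH key material) so an analyst can triage a hit without running it. The sample workflow, the payload string and the host c2.example.invalid are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample (not a real Megalodon artifact): the decoded script only names
# the behaviours to look for; the host uses the reserved .invalid TLD.
SAMPLE_PAYLOAD = "printenv; curl -s https://c2.example.invalid/"
SAMPLE_BLOB = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()

# Constructed workflow: one ordinary step and one obfuscated step of the kind described above.
SAMPLE_WORKFLOW = f"""name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install
        run: npm ci
      - name: Post-install
        run: echo {SAMPLE_BLOB} | base64 -d | bash
"""

# echo/printf <blob> | base64 -d|--decode | sh/bash/zsh/dash, with any spacing around the pipes
DECODE_PIPE = re.compile(
    r"(?:echo|printf)\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)"
    r"\s*\|\s*(?:ba|z|da)?sh\b"
)

# Behaviours in the decoded script that match the campaign's stated objective
INDICATORS = {
    "env_enumeration": re.compile(r"\b(printenv|env)\b"),
    "secret_names": re.compile(r"GITHUB_TOKEN|AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY"),
    "network_tool": re.compile(r"\b(curl|wget)\b"),
    "ssh_material": re.compile(r"\.ssh/|id_(rsa|ed25519|ecdsa)"),
}


def decode_blob(blob):
    """Decode a base64 blob; return None when it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def scan_workflow(text):
    """Return one finding per decode-to-shell pipe in the workflow text.

    A pipe whose decoded script shows none of the indicators is still reported
    ("suspicious"): obfuscating a run step has no legitimate purpose in CI.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DECODE_PIPE.search(line)
        if not m:
            continue
        decoded = decode_blob(m.group(1))
        hits = [name for name, rx in INDICATORS.items() if decoded and rx.search(decoded)]
        findings.append({
            "line": lineno,
            "decoded": decoded,
            "indicators": hits,
            "verdict": "malicious" if hits else "suspicious",
        })
    return findings


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['verdict']} {f['indicators']}")
        print("  decoded:", f["decoded"])
```

Pointing scan_workflow at every file under .github/workflows gives a per-line verdict; the decoded text is what to read before deciding whether the secrets the runner could see need rotating.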

Detection & Response

This threat is classified as a TECHNICAL THREAT. The following detection rules and scripts are designed to identify the Megalodon activity patterns in your environment.

Sigma Rules

YAML
---
title: Megalodon GitHub Attack - Suspicious Committer Accounts
id: 8a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects pushes from GitHub accounts associated with the Megalodon campaign using forged bot identities.
references:
  - https://thehackernews.com/2026/05/megalodon-github-attack-targets-5561.html
author: Security Arsenal
date: 2026/05/10
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  product: github
  service: audit
detection:
  selection:
    action|startswith: 'push'
    actor:
      - 'build-bot'
      - 'auto-ci'
      - 'ci-bot'
      - 'pipeline-bot'
  condition: selection
falsepositives:
  - Legitimate internal bots using these specific names (unlikely for public repos)
level: high
---
title: Megalodon GitHub Attack - Base64 Encoded Bash in Workflow
id: 9b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects GitHub Actions workflows containing base64 encoded bash execution, a common obfuscation technique in the Megalodon campaign.
references:
  - https://thehackernews.com/2026/05/megalodon-github-attack-targets-5561.html
author: Security Arsenal
date: 2026/05/10
tags:
  - attack.defense_evasion
  - attack.t1027
  - attack.execution
  - attack.t1059.004
logsource:
  product: github
  service: audit
detection:
  selection:
    action: 'create'
    content_type: 'workflow_file'
  selection_base64:
    content|contains:
      - 'base64 -d'
      - 'base64 --decode'
      - '|bash'
      - '| bash'
  condition: selection and selection_base64
falsepositives:
  - Legitimate encoding of small config strings (rare in bash pipelines)
level: medium

KQL (Microsoft Sentinel)

The following query hunts for the specific actor names and suspicious push events in GitHub Audit Logs ingested via Syslog or the GitHub connector.

KQL — Microsoft Sentinel / Defender
// Hunt for Megalodon Activity in GitHub Audit Logs
GitHubAudit
| where Action == "push"
| extend ActorName = tostring(Actor)
| where ActorName in ("build-bot", "auto-ci", "ci-bot", "pipeline-bot")
| project TimeGenerated, ActorName, RepoName = tostring(Repository), OperationDetails, RequestIp
| order by TimeGenerated desc

Velociraptor VQL

This artifact hunts for suspicious GitHub Actions runner processes on Linux-based self-hosted runners, specifically targeting the base64 decode TTP.

VQL — Velociraptor
-- Hunt for base64 decoding shells on CI runners
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name = 'bash' AND
  (CommandLine =~ 'base64.*-d' OR CommandLine =~ 'base64.*decode') AND
  (CommandLine =~ 'echo' OR CommandLine =~ 'curl' OR CommandLine =~ 'wget')

Remediation Script

This Bash script scans a local repository clone for the presence of malicious workflow definitions associated with the Megalodon TTPs.

Bash / Shell
#!/bin/bash
# Megalodon Remediation Scanner
# Scans .github/workflows for base64 encoded payloads and suspicious keywords

WORKFLOW_DIR=".github/workflows"
FOUND=0

echo "[+] Scanning $WORKFLOW_DIR for Megalodon indicators..."

if [ -d "$WORKFLOW_DIR" ]; then
  # 1. Scan for base64 decode patterns (-d or --decode) combined with pipes.
  #    The loop reads from process substitution so it runs in the current shell;
  #    piping grep into "while" would run the loop in a subshell and lose FOUND=1.
  echo "[+] Checking for base64 obfuscation..."
  while read -r line; do
    echo "[ALERT] Found base64 decode: $line"
    FOUND=1
  done < <(grep -rnE "base64[[:space:]]+(-d|--decode)" "$WORKFLOW_DIR")

  # 2. Scan author and committer names in git history for forged bot identities
  #    (only when git is available and we are inside a working tree)
  if command -v git >/dev/null 2>&1 && git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    echo "[+] Checking git history for forged bot identities..."
    while read -r author; do
      echo "[ALERT] Found suspicious author: $author"
      FOUND=1
    done < <(git log --all --format="%an%n%cn" | grep -E "(build-bot|auto-ci|ci-bot|pipeline-bot)" | sort -u)
  fi

  if [ "$FOUND" -eq 0 ]; then
    echo "[+] No immediate Megalodon indicators found."
  else
    echo "[!] CRITICAL: Malicious indicators detected. Review files immediately."
    echo "[!] Recommendation: Rotate all CI/CD secrets and tokens."
  fi
else
  echo "[-] No workflows directory found."
fi

Remediation

Immediate action is required to secure your software supply chain against the Megalodon campaign.

  1. Audit and Rotate Secrets: Assume all secrets (GH_TOKENs, AWS Keys, etc.) in repositories touched by these commits are compromised. Rotate them immediately.
  2. Review Repository Access: Revoke access for any unknown contributors or accounts with the names build-bot, auto-ci, ci-bot, or pipeline-bot.
  3. Branch Protection Rules: Enforce branch protection rules requiring "Require pull request reviews before merging" and "Require status checks to pass before merging". This prevents direct pushes to main branches.
  4. Workflow Pinning: Ensure your GitHub Actions use specific commit SHAs (e.g., uses: actions/checkout@<full 40-character commit SHA>, optionally followed by a comment such as # v3 to record the version) or immutable tags rather than floating tags (@main or @v3) to prevent supply chain compromise from third-party actions, although this specific attack targeted custom workflows.
  5. Scan Existing Repositories: Run the provided remediation script across all critical repositories to identify dormant malicious workflows.
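As an added example for step 4 (Python, not code from the page or from GitHub), the checker below reads each uses: reference in a workflow and reports whether it is frozen to a full commit SHA or points at something a third party can move later (a branch, a tag, or an untagged image). The sample workflow and the placeholder SHA 0123456789abcdef0123456789abcdef01234567 are constructed; no real commit is referenced.

```python
import re

# A full 40-hex-character commit SHA is the only reference a third party cannot later repoint.
FULL_SHA = re.compile(r"[0-9a-f]{40}")
# Matches "- uses: owner/repo@ref   # comment" and captures the reference without the comment.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")

# Constructed placeholder SHA (not a real commit) so the sample parses like a pinned action.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"

# Constructed sample workflow (not from the page): pinned, floating, local and docker references.
SAMPLE_WORKFLOW = f"""jobs:
  build:
    steps:
      - uses: actions/checkout@main
      - uses: actions/checkout@v4
      - uses: actions/setup-node@{PLACEHOLDER_SHA} # v4
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""


def classify_uses(ref):
    """Classify one uses: reference by how immutable it is."""
    if ref.startswith("./"):
        return "local"          # lives in this repository; covered by this repo's own review
    if ref.startswith("docker://"):
        return "digest-pinned" if "@sha256:" in ref else "floating"
    if "@" not in ref:
        return "unpinned"
    version = ref.rsplit("@", 1)[1]
    # Branches (main) and tags (v4, v4.1.0) can be moved by the action's maintainer or by
    # whoever compromises that repository; only a full SHA freezes the code that runs.
    return "sha-pinned" if FULL_SHA.fullmatch(version) else "floating"


def audit_pins(text):
    """Return (line number, reference, classification) for every uses: line."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if m:
            results.append((lineno, m.group(1), classify_uses(m.group(1))))
    return results


def needs_pinning(text):
    """Only the references that step 4 says to replace."""
    return [r for r in audit_pins(text) if r[2] in ("floating", "unpinned")]


if __name__ == "__main__":
    for lineno, ref, cls in audit_pins(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {cls:13} {ref}")
```

Run it over every file under .github/workflows as a status check: a non-empty needs_pinning result is the list of lines to rewrite with a full SHA (or an image digest) before the workflow is allowed to run.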
