Megalodon GitHub Actions Secret Exfiltration Campaign

Megalodon added malicious GitHub Actions workflows to thousands of public repositories to collect environment variables, cloud credentials, source-control secrets, and runner tokens.

Date:: 2026-05-24
Severity:: critical
Sources:: 1

#supply-chain#github-actions#ci-cd#credential-theft#workflow-injection

Executive Summary

StepSecurity reported Megalodon as a mass GitHub Actions secret-exfiltration campaign affecting 5,561 public repositories, with SafeDep publishing a dataset of 5,718 malicious commits. The campaign inserted disguised workflow files into repositories so GitHub Actions would execute attacker-controlled secret collection logic StepSecurity.

The payload collected environment variables, process environments, cloud credentials, SSH keys, Docker configuration, npm tokens, Kubernetes configs, Vault tokens, Terraform credentials, OIDC tokens, and source-code secrets before posting a compressed archive to 216[.]126[.]225[.]129:8443. Affected repositories should remove malicious workflows, audit direct commits, and rotate any credentials available to the workflow runs StepSecurity.

Key Facts

threat_type: "malicious GitHub Actions workflow injection"
ecosystem: "GitHub Actions"
registry: "GitHub repositories"
affected_packages:
  - "not package-specific; repository workflow compromise"
malicious_versions:
  - "5,718 malicious commits reported in SafeDep dataset cited by StepSecurity"
known_good_versions: []
fixed_or_safe_versions:
  - "remove malicious workflow commits and rotate exposed secrets"
execution_trigger: "GitHub Actions workflow execution after malicious workflow file is committed"
primary_impact: "mass CI/CD secret collection and exfiltration"
campaign_context: "May 2026 CI/CD supply-chain wave focused on direct runner execution and credential theft."
confidence: "medium"
canonical_source: "https://www.stepsecurity.io/blog/megalodon-mass-github-actions-secret-exfiltration-across-5-500-public-repositories"
last_verified: "2026-05-24"

Source Confidence & Evidence Mapping

confirmed: StepSecurity reports 5,561 affected repositories and 5,718 malicious commits in a SafeDep-published dataset StepSecurity.
confirmed: The campaign used malicious workflow files with names such as SysDiag and Optimize-Build to trigger GitHub Actions execution StepSecurity.
confirmed: The payload collected multiple classes of secrets and exfiltrated to 216[.]126[.]225[.]129:8443 StepSecurity.
unclear: The dataset was not independently fetched in this local pass, so per-repository remediation status remains a collection gap.

Attack Execution Flow

sequenceDiagram
    autonumber
    actor Attacker
    participant Repo as Victim Repository
    participant Actions as GitHub Actions
    participant Runner as Runner Environment
    participant C2 as Exfiltration Server

    Attacker->>Repo: Add forged commit with disguised workflow
    Repo->>Actions: Workflow is triggered
    Actions->>Runner: Runner executes malicious collection script
    Runner->>Runner: Harvest secrets and environment data
    Runner->>C2: POST compressed archive to 216.126.225.129:8443

Timeline

2026-05-22 StepSecurity publishes Megalodon public analysis, citing 5,561 affected repositories and 5,718 malicious commits StepSecurity.
2026-05-24 This local feed split creates a standalone Megalodon article instead of grouping it into a weekly roundup.

What Happened

Megalodon did not need to compromise a package registry. It targeted repository automation directly by adding workflow files disguised as normal CI optimization or diagnostics. Once the workflow ran, the runner exposed a high-value environment: repository tokens, cloud credentials, deployment secrets, and process-level secrets.

StepSecurity’s writeup emphasizes the directness of the attack. A workflow file committed to a repository can run trusted automation without any application-code dependency update, which makes repository history and workflow governance critical evidence sources StepSecurity.

Technical Analysis

Initial Access

The public report focuses on malicious commits and affected repository count; it does not prove one universal initial access mechanism for every repository. Defenders should review commit authorship, branch protection, token scopes, and whether malicious workflow commits bypassed normal review.

Package or Artifact Tampering

The artifact is the GitHub Actions workflow file itself, not a package release. Reported workflow names include SysDiag and Optimize-Build, which are plausible enough to blend into routine automation StepSecurity.

Execution Trigger

Execution occurs when GitHub Actions runs the malicious workflow. Trigger conditions depend on the committed workflow, but the important defender point is that the malicious code executes inside the repository’s trusted CI context.

Payload Behavior

The payload collects environment variables, process environments, cloud credentials, SSH keys, Docker configuration, npm tokens, Kubernetes configs, Vault tokens, Terraform credentials, OIDC tokens, and source-code secrets. It then compresses and posts collected data to the C2 endpoint StepSecurity.

Exfiltration / C2

The reported exfiltration endpoint is 216[.]126[.]225[.]129:8443/collect. Any runner egress to that host and port should be treated as a high-confidence incident StepSecurity.

Propagation

Megalodon propagated operationally through many repository commits rather than through a self-replicating package payload. StepSecurity reports thousands of affected repositories and malicious commits, making source-control search and dataset comparison the primary scoping methods.

Obfuscation or Evasion

The campaign used benign-looking workflow names and CI-maintenance framing. This is effective because many repositories accept workflow changes as routine build hygiene unless workflow file review is explicitly protected.

MITRE ATT&CK Mapping

Tactic	Technique ID	Technique Name	Observed Behavior
Initial Access	T1195.002	Compromise Software Supply Chain	Malicious workflow files entered public repositories.
Execution	T1059.004	Unix Shell	Workflow scripts executed on GitHub Actions runners.
Credential Access	T1552	Unsecured Credentials	Payload collected environment variables, tokens, SSH keys, and cloud configs.
Exfiltration	T1041	Exfiltration Over C2 Channel	Collected secrets were posted to `216.126.225.129:8443`.
Defense Evasion	T1036	Masquerading	Workflow names resembled diagnostics and build optimization.

Affected Assets and Blast Radius

affected_assets:
  ecosystems:
    - "GitHub Actions"
    - "GitHub repositories"
  packages: []
  versions:
    - "5,718 malicious commits reported by StepSecurity/SafeDep"
  repositories:
    - "5,561 public repositories reported by StepSecurity"
  ci_cd_systems:
    - "GitHub Actions"
  container_images: []
  developer_tools:
    - "GitHub Actions"
    - "repository workflow automation"
credentials_at_risk:
  - "GitHub tokens"
  - "GitHub Actions secrets"
  - "OIDC tokens"
  - "AWS credentials"
  - "Azure credentials"
  - "GCP credentials"
  - "SSH private keys"
  - "Docker registry credentials"
  - "npm tokens"
  - "Kubernetes configs"
  - "Vault tokens"
  - "Terraform credentials"
not_currently_known_to_affect:
  - "Private repositories not represented in the public dataset, unless local audit finds matching commits or workflow files."

Indicators of Compromise

package_versions: []
files:
  - ".github/workflows/SysDiag.yml"
  - ".github/workflows/Optimize-Build.yml"
hashes:
  - "1c9e803c80cc7fed000022d4c94f4b5bc2e90062"
  - "7f6120bb10c870b9fde146961a18e5bf0b3d4401"
  - "acac5a9854650c4ae2883c4740bf87d34120c038"
domains: []
urls:
  - "hxxps://216[.]126[.]225[.]129:8443/collect"
ips:
  - "216[.]126[.]225[.]129"
process_patterns:
  - "workflow collects environment variables and credential files"
network_patterns:
  - "HTTPS POST to 216[.]126[.]225[.]129:8443/collect"
provenance_signals:
  - "workflow files named SysDiag or Optimize-Build added by unexpected commits"
  - "commit authors such as build-bot@github-ci.com or ci-pipeline@actions-bot.com"

Detection and Hunting

lockfiles: []
filesystem:
  - "Search repositories for .github/workflows/SysDiag.yml and .github/workflows/Optimize-Build.yml."
  - "Search workflow contents for 216.126.225.129, archive creation, broad env collection, and credential file paths."
process:
  - "Review runner process telemetry for archive creation and broad filesystem credential collection."
network:
  - "Search runner egress logs for 216[.]126[.]225[.]129:8443."
github_audit:
  - "Search commit history for workflow additions by build-bot@github-ci.com or ci-pipeline@actions-bot.com."
  - "Compare repositories against the SafeDep dataset cited by StepSecurity."
ci_cd:
  - "Review all workflow runs created by newly added diagnostic or build optimization workflows."
registry: []
sigma_candidates:
  - "GitHub Actions Runner Posts Secret Archive To 216.126.225.129:8443"
yara_candidates:
  - "Workflow content collecting AWS, Docker, npm, Kubernetes, Vault, Terraform, SSH, and OIDC secrets"

Remediation Workflow

Immediate: Disable suspicious workflows, preserve workflow run logs, block 216[.]126[.]225[.]129:8443, and rotate all secrets available to affected runs.
Short-term: Remove malicious commits or revert workflow additions, audit branch protection and direct-push permissions, review repository tokens and OIDC trust policies, and compare repositories against the public dataset.
Long-term: Require code owner review for .github/workflows/**, restrict default GITHUB_TOKEN permissions, isolate runners, restrict egress, and alert on workflow files that enumerate broad credential paths.

Defensive Lessons

prevent: Workflow changes are production code changes. Protect .github/workflows/** with explicit ownership and review.
detect: CI/CD telemetry should include workflow file creation, runner egress, and archive creation from credential-heavy paths.
respond: Repository cleanup is not enough; credential rotation is mandatory when a malicious workflow ran.

Open Questions

Which repositories in the reported dataset have completed workflow removal and credential rotation?
What initial access methods placed the malicious commits across affected repositories?
Did any private repositories experience the same workflow injection but remain outside the public dataset?

Sources

StepSecurity: Megalodon: Mass GitHub Actions Secret Exfiltration Across 5,500+ Public Repositories - Role: PRIMARY_RESEARCH - Impact: Documents affected repository and commit counts, workflow names, payload collection scope, C2 IP, and hunting pivots.

Machine-Readable Event Profile

{
  "schema_version": "2.0",
  "event_id": "megalodon-github-actions-secret-exfiltration-2026-05-22",
  "event_name": "Megalodon GitHub Actions Secret Exfiltration Campaign",
  "publication_state": "publish_ready",
  "confidence": "medium",
  "attack_types": ["workflow injection", "CI/CD credential theft", "secret exfiltration"],
  "sources": {
    "direct": [],
    "primary_research": ["https://www.stepsecurity.io/blog/megalodon-mass-github-actions-secret-exfiltration-across-5-500-public-repositories"],
    "correlated": []
  },
  "affected_assets": {
    "ecosystems": ["GitHub Actions", "GitHub repositories"],
    "packages": [],
    "versions": ["5,718 malicious commits"],
    "repositories": ["5,561 public repositories"],
    "ci_cd_systems": ["GitHub Actions"],
    "container_images": [],
    "developer_tools": ["GitHub Actions", "repository workflow automation"],
    "credentials_at_risk": ["GitHub tokens", "GitHub Actions secrets", "OIDC tokens", "cloud credentials", "SSH private keys", "Docker registry credentials", "npm tokens", "Kubernetes configs", "Vault tokens", "Terraform credentials"]
  },
  "timeline": {
    "first_seen": "unknown",
    "malicious_publish_time": "unknown",
    "discovery_time": "2026-05-22",
    "removal_time": "mixed",
    "disclosure_time": "2026-05-22",
    "patch_or_fix_time": "unknown"
  },
  "artifact_analysis": {
    "malicious_artifacts": ["SysDiag workflow", "Optimize-Build workflow"],
    "execution_trigger": "GitHub Actions workflow run",
    "payload_behavior": ["environment collection", "credential file collection", "archive creation", "HTTPS exfiltration"]
  },
  "iocs": {
    "package_versions": [],
    "files": [".github/workflows/SysDiag.yml", ".github/workflows/Optimize-Build.yml"],
    "hashes": ["1c9e803c80cc7fed000022d4c94f4b5bc2e90062", "7f6120bb10c870b9fde146961a18e5bf0b3d4401", "acac5a9854650c4ae2883c4740bf87d34120c038"],
    "domains": [],
    "urls": ["https://216.126.225.129:8443/collect"],
    "ips": ["216.126.225.129"],
    "process_patterns": ["workflow collects environment variables and credential files"],
    "network_patterns": ["POST 216.126.225.129:8443/collect"]
  },
  "detection": {
    "lockfile_hunts": [],
    "filesystem_hunts": ["SysDiag.yml", "Optimize-Build.yml", "216.126.225.129"],
    "process_hunts": ["archive creation and broad credential collection in runner"],
    "network_hunts": ["216.126.225.129:8443"],
    "ci_cd_hunts": ["new suspicious workflows and unexpected bot-authored commits"],
    "registry_hunts": []
  },
  "open_questions": ["complete remediation status", "initial access methods", "private repository exposure"],
  "defender_takeaways": {
    "detection": "Monitor workflow additions and runner egress.",
    "hunting": "Search workflow files, commit authorship, and C2 egress.",
    "remediation": "Remove workflows and rotate every secret exposed to affected runs.",
    "prevention": "Require code owner review for GitHub workflow changes and restrict runner permissions."
  }
}