{"data":{"id":"6063c63b-a529-4740-9c77-ffa62bc10db0","title":"GitHub Actions abused by Megalodon attack to slip malicious commits into 5,500 repos","summary":"The Megalodon campaign used compromised credentials to inject malicious commits into over 5,500 GitHub repositories, modifying GitHub Actions workflows (automation tools that run code tasks) to steal sensitive secrets like cloud credentials and SSH keys (authentication files). The attack hid malicious code in base64-encoded bash payloads (encoded script commands) and used fake author names like \"build-bot\" to disguise itself as routine maintenance, with researchers detecting unexpected workflow runs as a warning sign.","solution":"SafeDep recommended checking GitHub Actions tabs for unexpected workflow_dispatch runs (manual workflow triggers), and if using OIDC federation (a cloud authentication method) for deployments, review cloud audit logs for token requests from unknown workflow runs. The researchers also shared a list of indicators of compromise (IOCs), including the attacker's command-and-control domain (216.126.225.129:8443), campaign signatures, forged author names and emails, commit messages, and names of compromised repositories to aid in detection and cleanup.","labels":["security"],"sourceUrl":"https://www.csoonline.com/article/4177124/github-actions-abused-by-megalodon-attack-to-slip-malicious-commits-into-5500-repos.html","publishedAt":"2026-05-26T14:02:09.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["supply_chain"],"issueType":"news","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["GitHub","Wiznet","Tiledesk","persian-tools"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-05-26T14:02:09.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"advanced","impactType":["confidentiality","integrity"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}