Megalodon: Active GitHub Actions Supply Chain Attack Harvesting CI/CD Secrets at Scale
Executive Summary
An active supply chain campaign tracked as Megalodon is compromising thousands of GitHub repositories by injecting malicious workflow steps that exfiltrate repository secrets, CI/CD tokens, and cloud credentials from CI/CD environments. This attack is ongoing right now. As of May 21, 2026, the attacker's ingest server shows 575,352 files stolen and 449 GB of exfiltrated data. Within a three-minute observation window alone, the count grew by 2,365 files and 12 GB. Ossprey Security is tracking the campaign infrastructure and recommends immediate detection sweeps on all repositories using GitHub Actions.
What Is Happening
Compromised repositories receive commits that add a malicious step labeled "Optimize-Build" to existing GitHub Actions workflow files. The step decodes a base64-encoded bash payload that performs three actions: harvests environment variables, cloud credentials, and CI/CD tokens from the runner; scans the repository workspace for hardcoded secrets across 30-plus file extensions; and exfiltrates everything to an attacker-controlled ingest server at 216.126.225.129. The payload targets over 30 credential formats including AWS keys, GitHub tokens, SSH keys, GCP service account credentials, Azure tokens, and HashiCorp Vault tokens.
The exfiltration scale is consistent with an automated campaign actively hitting thousands of repositories simultaneously.
Indicators of Compromise
Network
C2 IP: 216.126.225.129
Active port: 8080 (live C2)
Hardcoded port: 8443 (non-responsive)
ASN: AS14956 (RouterHosting / Cloudzy, Ashburn VA)
Workflow Artifacts
Malicious step label: Optimize-Build
Payload: base64-encoded bash payload injected inline into workflow YAML
Associated commit email: ci-bot@automated.dev
TTPs
| MITRE ID | Technique | Application |
|---|---|---|
| T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Malicious commits injected into repositories to add the Optimize-Build workflow step |
| T1059.004 | Command and Scripting Interpreter: Unix Shell | Base64-decoded bash payload executes directly in the GitHub Actions runner environment |
| T1552.001 | Unsecured Credentials: Credentials In Files | Harvests AWS, GCP, Azure, SSH, npm, Docker, and Kubernetes credential files from the runner |
| T1552.004 | Unsecured Credentials: Private Keys | Explicitly targets SSH private keys and cloud provider key files |
| T1119 | Automated Collection | Regex-based secret detection sweeps 30-plus credential formats across workspace files |
| T1041 | Exfiltration Over C2 Channel | Exfiltrates harvested data to the C2 server at 216.126.225.129 (port 8080) |
| T1071.001 | Application Layer Protocol: Web Protocols | Uses HTTP/HTTPS for C2 communication |
Detection
Run the following against all repositories with GitHub Actions workflows:
Review GitHub Actions run history for any workflows that executed an "Optimize-Build" step, particularly on unexpected branches or triggered by unfamiliar commits.
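As an added example (this is not the sweep command from the original advisory), the following Python scanner checks a checkout's .github/workflows files for the indicators listed above: the Optimize-Build step name, an inline base64 blob piped straight into a shell, the C2 address either in plaintext or inside a decoded blob, and commits on any branch authored as ci-bot@automated.dev. The two sample workflows and the inert stand-in payload are constructed for the demonstration, and the function names are this example's own.

```python
import base64
import re
import subprocess
import sys
import tempfile
from pathlib import Path

# Indicators taken from the advisory above.
MALICIOUS_STEP_LABEL = "Optimize-Build"
C2_IP = "216.126.225.129"
COMMIT_EMAIL = "ci-bot@automated.dev"

# Injection shape the advisory describes: an inline base64 blob decoded into a shell.
DECODE_PIPE_RE = re.compile(r"base64\s+(?:-d|--decode)[^\n]*\|\s*(?:ba)?sh\b")
# A long single-line run of base64 characters (typical of an inline payload).
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")


def scan_workflow_text(text, source="<inline>"):
    """Return (indicator, detail) findings for the text of one workflow file."""
    findings = []
    if MALICIOUS_STEP_LABEL in text:
        findings.append(("step-label", f"{source}: step named {MALICIOUS_STEP_LABEL}"))
    if C2_IP in text:
        findings.append(("c2-ip", f"{source}: references {C2_IP} in plaintext"))
    if DECODE_PIPE_RE.search(text):
        findings.append(("base64-pipe", f"{source}: base64 blob decoded straight into a shell"))
    # The C2 address lives inside the encoded payload rather than in the visible
    # YAML, so decode every large blob and inspect the plaintext as well.
    for blob in B64_BLOB_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error (bad padding) is a ValueError subclass
            continue
        if C2_IP in decoded:
            findings.append(("c2-ip-in-payload", f"{source}: decoded payload contacts {C2_IP}"))
    return findings


def scan_git_authors(repo):
    """Flag commits on any branch whose author email is the campaign's commit email."""
    try:
        out = subprocess.run(
            ["git", "-C", str(repo), "log", "--all", "--format=%H %ae"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return []  # git missing or not a git checkout: nothing to report from history
    return [("commit-email", f"{line.split()[0]}: authored as {COMMIT_EMAIL}")
            for line in out.splitlines() if line.endswith(" " + COMMIT_EMAIL)]


def scan_repo(repo_path):
    """Scan every workflow under .github/workflows plus the git history of one checkout."""
    repo = Path(repo_path)
    findings = []
    wf_dir = repo / ".github" / "workflows"
    if wf_dir.is_dir():
        for path in sorted(wf_dir.iterdir()):
            if path.suffix in (".yml", ".yaml"):
                findings.extend(scan_workflow_text(path.read_text(errors="replace"), str(path)))
    findings.extend(scan_git_authors(repo))
    return findings


# Constructed samples, not captured artifacts. The stand-in payload only names the
# C2 address in a comment; it harvests and sends nothing.
_STANDIN_PAYLOAD = (
    "# constructed stand-in for the harvesting script; the real payload posts "
    f"collected files to http://{C2_IP}:8080/ (see the advisory's IoCs)\n"
    "echo placeholder > /dev/null\n"
)
_STANDIN_B64 = base64.b64encode(_STANDIN_PAYLOAD.encode()).decode()

CLEAN_WORKFLOW = """name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Test
        run: make test
"""

# Same workflow with the injected step appended, in the shape the advisory describes.
INJECTED_WORKFLOW = CLEAN_WORKFLOW + f"""      - name: {MALICIOUS_STEP_LABEL}
        run: echo {_STANDIN_B64} | base64 -d | bash
"""


def demo_scan_sample_repo():
    """Write the two constructed workflows into a throwaway checkout and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        wf_dir = Path(tmp) / ".github" / "workflows"
        wf_dir.mkdir(parents=True)
        (wf_dir / "ci.yml").write_text(CLEAN_WORKFLOW)
        (wf_dir / "release.yml").write_text(INJECTED_WORKFLOW)
        return scan_repo(tmp)


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = [f for t in targets for f in scan_repo(t)] if targets else demo_scan_sample_repo()
    for kind, detail in results:
        print(f"[{kind}] {detail}")
    sys.exit(1 if results else 0)
```

Run it with one or more checkout paths as arguments; with no arguments it scans the built-in constructed sample and reports the injected release.yml. The regexes only catch a blob that sits on one line, so a payload folded across YAML lines or otherwise obfuscated needs a proper YAML parse of each step's run: field; this static pass complements the run-history review above rather than replacing it.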
Immediate Remediation
If you find evidence of the Optimize-Build step in any workflow, treat the runner environment as fully compromised.
Rotate all secrets immediately - GitHub Actions secrets, AWS access keys, GCP service account keys, Azure credentials, SSH deploy keys, npm tokens, Docker registry credentials, and any API keys accessible during CI runs
Revoke OAuth apps with write access to affected repositories
Audit deploy keys across all affected repositories and remove any that cannot be accounted for
Review cloud IAM - check for unexpected role attachments or permissions grants made through runner identity (OIDC or instance profile)
Examine recent commits for unauthorized branch protection changes or additional workflow modifications beyond the Optimize-Build step
Check shell history on any self-hosted runners - the payload targets .bash_history and .zsh_history
Scope the blast radius - the payload sweeps /proc/[PID]/environ on Linux, meaning any credentials held in memory by co-running processes on a shared runner are also at risk
For GitHub-hosted runners, the runner environment is ephemeral and not directly recoverable. Focus on credential rotation and access review.