- SafeDep researchers uncovered Megalodon, a TeamPCP‑inspired campaign infecting over 5,500 GitHub repositories with an infostealer targeting CI/CD secrets
- The worm‑like attack spreads via malicious commits from a fake “build‑bot,” stealing cloud keys, SSH credentials, and DevOps configs, with npm packages like Tiledesk inadvertently published from poisoned repos
- Unlike TeamPCP’s forum “competition,” Megalodon appears to be a separate copycat actor motivated by recent supply‑chain attacks, posing risks to both maintainers and downstream users
It seems we’ve gotten our first TeamPCP copycat, and it’s called Megalodon.
Late last week, security researchers SafeDep reported finding more than 5,500 GitHub repositories infected with an infostealer that grabs all sorts of secrets from victim developers’ CI/CD pipeline.
In an in-depth report published on its blog, SafeDep explained that the attack starts with a submitted malicious commit. The threat actor, named “build-bot”, faked being a bot that submits automated commits. If these commits, carrying the infostealer, are accepted by the maintainer, they nab all sorts of secrets before propagating to other repos in classic worm fashion.
Among other things, Megalodon was observed grabbing AWS secret keys and Google Cloud access tokens, instance role credentials from AWS, GCP, and Azure, SSH private keys, Docker and Kubernetes configurations, Vault tokens, Terraform credentials, and more.
Pushing to npm
In this stage of attack, the only people at risk are GitHub maintainers. However, if they push their repos to npm, which many do, end-users may get compromised, as well. SafeDep detailed how this scenario happened to the maintainers of Tiledesk:
“Versions 2.18.6 (May 19) through 2.18.12 (May 21) all carry the backdoor. The same npm account, eljohnny (giovanni@tiledesk.com), published both the clean 2.18.5 and the compromised versions. The attacker never touched the npm account. They compromised the GitHub repository, and the maintainer published from the poisoned source without realizing it.”
In its writeup, The Register says that TeamPCP, the threat actor now known for targeting GitHub and npm, recently started a “supply chain attack competition” on Breach Forums, but stressed that Megalodon is likely not part of that competition.
Instead, this seems to be an entirely separate threat actor that was simply motivated by TeamPCP’s activities to start their own malicious campaign.
The full list of compromised repositories can be found on this link.
Via The Register
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.