- SafeDep researchers discovered Megalodon, a TeamPCP-inspired campaign that infects more than 5,500 GitHub repositories with an information stealer targeting CI/CD secrets.
- The worm-like attack spreads via malicious commits from a fake “build bot”, which steals cloud keys, SSH credentials and DevOps configurations, with npm packages like Tiledesk inadvertently published from poisoned repositories.
- Unlike the “competition” on the TeamPCP forum, Megalodon appears to be an independent copycat actor motivated by recent supply chain attacks, posing risks to both maintainers and downstream users.
It looks like we have our first TeamPCP copycat and it’s called Megalodon.
Late last week, SafeDep security researchers reported finding more than 5,500 GitHub repositories infected with a data stealer that captures all sorts of CI/CD process secrets from victim developers.
In a detailed report published on its blog, SafeDep explained that the attack begins with a malicious commit. The threat actor, operating under the name “build-bot”, posed as a bot that pushes automated commits. If the maintainer accepts these commits, which carry the information stealer, the malware harvests all kinds of secrets and then spreads to other repositories in classic worm fashion.
Among other things, Megalodon was observed harvesting AWS secret keys and Google Cloud access tokens; AWS, GCP and Azure instance role credentials; SSH private keys; Docker and Kubernetes configurations; Vault tokens; Terraform credentials; and more.
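One defender-side check the report's description suggests is auditing a repository's history for commits from an identity that is not a known contributor and that touch CI/CD or package files, the pattern of the fake “build bot” commits. The script below is an added example, not code from SafeDep or TechRadar; the author names, e-mail addresses, file paths and the sample git log are constructed.

```python
"""Flag commits from unknown identities that modify CI/CD or package files.
Added example; sample log, names and paths below are constructed."""
import re
from dataclasses import dataclass, field

# Paths whose modification by an unfamiliar identity deserves review
# (assumed list; extend for your own pipeline files).
SENSITIVE_PATTERNS = (
    re.compile(r"^\.github/workflows/"),
    re.compile(r"^package\.json$"),
    re.compile(r"^\.npmrc$"),
    re.compile(r"^(preinstall|postinstall)\.(js|sh)$"),
)

@dataclass
class Commit:
    sha: str
    author: str
    email: str
    files: list = field(default_factory=list)

def parse_git_log(text: str) -> list:
    """Parse output of: git log --name-only --format='commit %H %an <%ae>'"""
    commits = []
    for line in text.splitlines():
        m = re.match(r"commit (\w+) (.*?) <(.*)>$", line)
        if m:
            commits.append(Commit(m.group(1), m.group(2), m.group(3)))
        elif line.strip() and commits:
            commits[-1].files.append(line.strip())
    return commits

def suspicious_commits(commits: list, trusted_emails: set) -> list:
    """Return (sha, author, hit_files) for untrusted authors touching sensitive paths.
    Note: unsigned git author metadata is trivially forgeable, so this is a triage
    aid; require signed commits for a stronger guarantee."""
    flagged = []
    for c in commits:
        if c.email.lower() in trusted_emails:
            continue
        hits = [f for f in c.files if any(p.search(f) for p in SENSITIVE_PATTERNS)]
        if hits:
            flagged.append((c.sha, c.author, hits))
    return flagged

SAMPLE_LOG = """\
commit a1b2c3 Jane Maintainer <jane@example.org>
src/index.js
commit d4e5f6 build-bot <build-bot@example.invalid>
.github/workflows/ci.yml
package.json
commit 789abc Jane Maintainer <jane@example.org>
package.json
"""
TRUSTED = {"jane@example.org"}  # constructed allow-list of known contributors

if __name__ == "__main__":
    for sha, author, files in suspicious_commits(parse_git_log(SAMPLE_LOG), TRUSTED):
        print(f"REVIEW {sha} by {author}: {', '.join(files)}")
```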
Pushing to npm
At this stage of the attack, the only people at risk are GitHub maintainers. However, if they publish their repositories to npm, as many do, end users can also be compromised. SafeDep detailed how this scenario played out for the Tiledesk maintainers:
“Versions 2.18.6 (May 19) through 2.18.12 (May 21) have the backdoor. The same npm account, eljohnny ([email protected]), published both the clean 2.18.5 and the compromised version. The attacker never touched the npm account. They compromised the GitHub repository and the maintainer inadvertently published from the poisoned source.”
In its article, The Register says that TeamPCP, the threat actor now known for targeting GitHub and npm, recently started a “supply chain attack competition” on Breach Forums, but stressed that Megalodon is likely not part of that competition.
Instead, this appears to be a completely separate threat actor that was simply motivated by TeamPCP’s activities to start its own malicious campaign.
The full list of compromised repositories can be found at this link.
Via The Register