- SafeDep researchers discovered Megalodon, a TeamPCP-inspired campaign infecting over 5,500 GitHub repositories with an information stealer targeting CI/CD secrets.
- The worm attack spreads via malicious commits from a fake “build bot”, stealing cloud keys, SSH credentials and DevOps configurations, with npm packages like Tiledesk inadvertently released from poisoned repositories.
- Unlike TeamPCP’s “competition” forum, Megalodon appears to be a separate copycat actor motivated by recent supply chain attacks, posing risks to both maintainers and downstream users.
It looks like we’ve gotten our first TeamPCP copycat, and it’s called Megalodon.
Late last week, security researchers SafeDep reported discovering more than 5,500 GitHub repositories infected with an information stealer that scrapes all kinds of secrets from victim developers’ CI/CD pipeline.
In a detailed report published on its blog, SafeDep explained that the attack begins with the submission of a malicious commit. The malicious actor, named “build-bot,” pretended to be a robot that submits automated commits. If these commits, containing the infostealer, are accepted by the maintainer, they collect all kinds of secrets before spreading to other repositories like a classic worm.
Among other things, Megalodon has been observed scraping AWS secret keys and Google Cloud access tokens, instance role credentials from AWS, GCP, and Azure, SSH private keys, Docker and Kubernetes configurations, Vault tokens, Terraform credentials, and more.
Push to npm
At this point in the attack, the only people at risk are GitHub maintainers. However, if they move their repositories to npm, which many do, end users can also be compromised. SafeDep detailed how this scenario happened to Tiledesk officials:
“Versions 2.18.6 (May 19) through 2.18.12 (May 21) all carry the backdoor. The same npm account, eljohnny (giovanni@tiledesk.com), released both the clean 2.18.5 and the compromised version. The attacker never touched the npm account. He compromised the GitHub repository and the maintainer released from the poisoned source without realize it.”
In its article, The Register states that TeamPCP, the threat actor now known for targeting GitHub and npm, recently launched a “supply chain attack competition” on the Breach forums, but emphasized that Megalodon was likely not part of that competition.
Instead, it appears to be an entirely separate threat actor, simply motivated by TeamPCP’s activities to launch its own malicious campaign.
The full list of compromised repositories can be found at this link.
Via The register
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.
