- SafeDep researchers uncovered Megalodon, a TeamPCP-inspired campaign that infected over 5,500 GitHub repositories with an infostealer targeting CI/CD secrets
- The worm-like attack spreads via malicious commits from a fake “build-bot”; the payload steals cloud keys, SSH credentials and DevOps configurations, and npm packages like Tiledesk were inadvertently published from poisoned repositories
- Unlike TeamPCP’s forum “competition”, Megalodon appears to be a separate copycat actor motivated by recent supply chain attacks, posing risks to both maintainers and downstream users
It looks like we’ve got our first TeamPCP copycat, and it’s called Megalodon.
Late last week, security researchers reported to SafeDep that they found more than 5,500 GitHub repositories infected with an infostealer that captures all sorts of secrets from victim developers’ CI/CD pipelines.
In an in-depth report published on its blog, SafeDep explained that the attack starts with a submitted malicious commit. The threat actor, called “build-bot”, pretended to be a bot that submits automated commits. If these commits carrying the infostealer are accepted by the maintainer, they capture all possible secrets before propagating to other repos in classic worm fashion.
Among other things, Megalodon was observed to grab AWS secret keys and Google Cloud access tokens, instance role information from AWS, GCP, and Azure, SSH private keys, Docker and Kubernetes configurations, Vault tokens, Terraform credentials, and more.
Push to npm
At this stage of the attack, the only people at risk are GitHub maintainers. But if they push their repos to npm, which many do, end users can also be compromised. SafeDep detailed how this scenario happened to Tiledesk maintainers:
“Versions 2.18.6 (May 19) through 2.18.12 (May 21) all carry the backdoor. The same npm account, eljohnny ([email protected]), released both the clean 2.18.5 and the compromised version. The attacker never touched the npm account; they compromised the source. […] without realizing it.”
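For downstream users, the practical check is whether a lockfile pins a version inside the range quoted above. The script below is an added example, not SafeDep’s or Tiledesk’s code: the 2.18.6 to 2.18.12 range comes from the quote, but the npm package name `tiledesk` is a placeholder (the article names the project, not the package), and the lockfile contents are constructed.

```python
"""Report lockfile entries whose version falls in a known-compromised range.
Added example; the package name is a placeholder and the sample lockfile is constructed."""
import json
import sys


def parse_version(v: str) -> tuple:
    """'2.18.7' -> (2, 18, 7); prerelease and build suffixes are ignored."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))


# Inclusive ranges quoted in the write-up; the key is a placeholder package name.
COMPROMISED_RANGES = {
    "tiledesk": (parse_version("2.18.6"), parse_version("2.18.12")),
}


def is_compromised(name: str, version: str, ranges=COMPROMISED_RANGES) -> bool:
    if name not in ranges:
        return False
    lo, hi = ranges[name]
    return lo <= parse_version(version) <= hi


def iter_locked_packages(lock: dict):
    """Yield (name, version) for lockfileVersion 2/3 ('packages') and 1 ('dependencies')."""
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        name = path.split("node_modules/")[-1]  # keeps scoped names like @scope/pkg
        if "version" in meta:
            yield name, meta["version"]

    def walk(deps):
        for name, meta in deps.items():
            if "version" in meta:
                yield name, meta["version"]
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_compromised(lock_text: str, ranges=COMPROMISED_RANGES):
    """Return a sorted list of (name, version) pairs inside a compromised range."""
    lock = json.loads(lock_text)
    return sorted({(n, v) for n, v in iter_locked_packages(lock) if is_compromised(n, v, ranges)})


# Constructed package-lock.json (v3 layout) with one affected and one unaffected package.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/tiledesk": {"version": "2.18.7"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version in find_compromised(text):
        print(f"{name}@{version} is inside a compromised range")
```

Pass a real `package-lock.json` path as the first argument; both the v1 `dependencies` tree and the v2/v3 `packages` map are walked, so transitive pins are covered as well as direct ones.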
In its write-up, The Register says that TeamPCP, the threat actor now known to target GitHub and npm, recently started a “supply chain attack contest” on the Breach Forums, but stressed that Megalodon is unlikely to be part of that contest.
Instead, this appears to be an entirely separate threat actor that was simply motivated by TeamPCP’s activities to launch their own malicious campaign.
The full list of compromised repositories can be found at this link.
Via The Register