Feeding Frenzy: A Wolf Ate Your Whole Codebase While You Were Grabbing Coffee
Oh good. Another Tuesday.
So apparently a little campaign the researchers are calling "Megalodon" quietly wormed its way into over 5,500 GitHub repositories in six hours. Six. Hours. That's less time than it takes the Shepherds to approve a single firewall rule change.
The ticks in question burrowed straight into the code supply chain, pushing malicious commits to repos that developers actually trust and use. Credentials stolen. Secrets lifted. Everything you thought was safely tucked away in your codebase, gone. Just... gone. While you were probably getting your third coffee and ignoring my patch notifications.
Here's what makes me want to lie down in a ditch: this wasn't loud. No alarms. No flashing lights. The parasites just committed code like they belonged there, because in a lot of cases, the repos had no meaningful access controls stopping them. The Coyote walked right through the open gate, signed the guestbook, and helped himself to the pantry.
The Sky Pasture strikes again, folks. You put your code up there, you assume someone else is watching it. Spoiler: they are watching it. Just not the someone you wanted.
And yes, I know what you're thinking. "NeglectedSheep, surely the developers noticed the suspicious commits." The Lambs, notice something? The same Lambs who click fake grain emails about winning a free iPad? Those Lambs? No. They did not notice.
Five thousand five hundred repositories. In six hours. I need to go lie down.
Remediation
Look, I'm tired, but here's what you actually need to do:
Audit your repo access. Right now. Not after the meeting. Not after lunch. Now. That means every collaborator, every deploy key, every personal access token, every OAuth app and GitHub App with write scope. Revoke anything that doesn't need to be there.
Rotate your secrets. If a compromised repo ever touched your credentials, API keys, or tokens, assume they're burned. Rotate everything. Yes, everything. Stop making that face.
Enable commit signing. If your team isn't signing commits yet, start. Once you are, an unsigned commit, or one signed with a key nobody recognises, should raise a flag, not get merged automatically like a golden ticket.
Check your dependencies. If you pulled from any affected repos in the last few weeks, you need to treat that code like it has fleas. Because it might.
Set up alerts on unexpected commits. Pushes from authors who aren't on your maintainer list, force-pushes, unsigned commits, new deploy keys. I know it sounds obvious. I know. Just do it.
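The commit-signing and alerting steps above, as an added example. This is not code from NeglectedSheep's post or from the Dark Reading report; it is a small audit script that reads `git log` output in a tab-separated format, flags commits with no or unverifiable signature (using git's own `%G?` status codes), and flags commits whose author e-mail is not on a maintainer allowlist. The sample log lines and the maintainer list are constructed for illustration; `run_git_log` only shells out to `git` when you call it.

```python
"""Flag commits that should never be merged on autopilot: unsigned or badly
signed ones, and commits from authors outside a maintainer allowlist.

Input is the output of:
    git log --format='%H%x09%G?%x09%an%x09%ae%x09%s' <range>

%G? signature status codes (from git's own documentation):
  G good signature            U good, but key of unknown validity
  X good, signature expired   Y good, key expired
  R good, key revoked         B bad signature
  E cannot be checked (e.g. missing key)
  N no signature at all
"""
import subprocess
from dataclasses import dataclass

LOG_FORMAT = "%H%x09%G?%x09%an%x09%ae%x09%s"

# Statuses accepted as "signed and verified". Tighten to {"G"} once every
# maintainer's key is in the verifier's trust store.
ACCEPTED_SIG = {"G", "U"}


@dataclass
class Commit:
    sha: str
    sig: str
    author: str
    email: str
    subject: str


@dataclass
class Finding:
    sha: str
    reason: str


def parse_log(text: str) -> list[Commit]:
    """Parse tab-separated log lines in LOG_FORMAT order into Commit objects."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 4)  # subject may itself contain tabs
        if len(parts) != 5:
            raise ValueError(f"malformed log line: {line!r}")
        commits.append(Commit(*parts))
    return commits


def audit(commits: list[Commit], allowed_emails, accepted_sig=ACCEPTED_SIG) -> list[Finding]:
    """Return one Finding per problem; a commit can produce more than one."""
    allowed = {e.lower() for e in allowed_emails}
    findings = []
    for c in commits:
        if c.sig == "N":
            findings.append(Finding(c.sha, "unsigned commit"))
        elif c.sig == "B":
            findings.append(Finding(c.sha, "BAD signature: content changed after signing"))
        elif c.sig not in accepted_sig:
            findings.append(Finding(c.sha, f"signature not verifiable (status {c.sig})"))
        # Signature check alone is not enough: a valid signature from a key you
        # have never seen is still an unexpected author.
        if c.email.lower() not in allowed:
            findings.append(Finding(c.sha, f"author {c.email} not in maintainer allowlist"))
    return findings


def run_git_log(revision_range: str) -> str:
    """Fetch real log lines from a local checkout, e.g. 'origin/main..HEAD'."""
    return subprocess.run(
        ["git", "log", f"--format={LOG_FORMAT}", revision_range],
        capture_output=True, text=True, check=True,
    ).stdout


# Constructed sample log (hypothetical SHAs, names and addresses), not real data.
SAMPLE_LOG = "\n".join([
    "a1b2c3d\tG\tAlice Dev\talice@example.org\tfix: bounds check in parser",
    "d4e5f6a\tN\tAlice Dev\talice@example.org\tchore: update ci config",
    "0badc0d\tG\tBob Build\tbob@example.org\tfeat: add telemetry",
    "deadbee\tE\tci-bot\tci@example.org\tbuild: bump deps",
    "f00ba55\tN\tAlice Dev\tal1ce@example.net\tchore: add install script",
])
MAINTAINERS = {"alice@example.org", "bob@example.org"}

if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG), MAINTAINERS):
        print(f"{f.sha}  {f.reason}")
```

On the sample, the good signed commits from listed maintainers pass; the unsigned CI change, the commit whose key could not be checked, and the look-alike "Alice" with a different e-mail address are all flagged. Wire `audit(parse_log(run_git_log("origin/main..HEAD")), MAINTAINERS)` into a CI job and fail the build on any finding.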
The hole in the fence was always there. The Coyote just finally found it before you did.
Unsubscribe from my blog if you want, I'll still be here, tired, correct, and ignored.
Original Report: https://www.darkreading.com/application-security/megalodon-malware-infects-thousands-github-repos