{
  "title": "Megalodon GitHub Actions Secret Exfiltration Campaign",
  "summary": "Megalodon added malicious GitHub Actions workflows to thousands of public repositories to collect and exfiltrate environment variables, cloud credentials, source-control secrets, and runner tokens.",
  "date": "2026-05-24",
  "severity": "critical",
  "tags": [
    "supply-chain",
    "github-actions",
    "ci-cd",
    "credential-theft",
    "workflow-injection"
  ],
  "sources_count": 1,
  "indicators": {
    "slug": "megalodon-github-actions-secret-exfiltration",
    "since": "2026-05-24T00:00:00Z",
    "until": "2026-05-24T23:59:59Z",
    "ecosystem": "github actions github repositories",
    "cves": [],
    "cwes": [],
    "advisoryIds": [],
    "products": [],
    "packages": [],
    "versions": [],
    "affectedVersions": [],
    "fixedVersions": [],
    "files": [
      ".github/workflows/SysDiag.yml",
      ".github/workflows/Optimize-Build.yml"
    ],
    "paths": [],
    "services": [],
    "domains": [],
    "urls": [
      "https://216.126.225.129:8443/collect"
    ],
    "ips": [
      "216.126.225.129"
    ],
    "hashes": [
      "1c9e803c80cc7fed000022d4c94f4b5bc2e90062",
      "7f6120bb10c870b9fde146961a18e5bf0b3d4401",
      "acac5a9854650c4ae2883c4740bf87d34120c038"
    ],
    "processPatterns": [
      "workflow collects environment variables and credential files"
    ],
    "networkPatterns": [
      "HTTPS POST to 216.126.225.129:8443/collect"
    ],
    "telemetrySelectors": []
  }
}