Hudson Rock revealed that the Megalodon supply chain attack originated from information stealer infections that enabled the theft of GitHub credentials, allowing the threat actor behind the campaign to push the malicious payload.
Specifically, more than 33% of the unique usernames associated with the affected repositories -- i.e., 331 out of 978 -- have been found to be "direct matches to computers infected by infostealers," the company said. Even where there was no exact match on username alone, the email addresses tied to the GitHub accounts revealed additional stealer compromises.
"This leads us to a definitive conclusion: The affected accounts enabling the Megalodon supply chain attack are exclusively sourced from infostealer data," Hudson Rock said. "The Megalodon campaign is a stark reminder that if developers and employees are infected with infostealers, platforms like GitHub become the launchpad for devastating cascading events."
While the campaign was catalyzed by the recently open-sourced Shai Hulud framework (thanks teampcp...), the access itself came from compromised credentials from accounts that should have been revoked.
By cross-referencing the usernames pushing the malware against Hudson Rock's database, we discovered that over 33% were exact matches to computers infected by infostealers. Upon deeper manual investigation, we realized that number is actually closer to 100%. (h/t OX Security & SafeDep)
Attackers are logging into these active accounts, exploiting GitHub Actions, and injecting payloads to drain AWS keys, GCP OAuth tokens, and SSH keys straight from CI/CD workflows.
Cybersecurity researchers disclosed they have detected a case of an information stealer infection successfully exfiltrating a victim's OpenClaw (formerly Clawdbot and Moltbot) configuration environment.
"This finding marks a significant milestone in the evolution of infostealer behavior: the transition from stealing browser credentials to harvesting the 'souls' and identities of personal AI [artificial intelligence] agents," Hudson Rock said.
Hudson Rock has now detected a live infection where an infostealer successfully exfiltrated a victim’s OpenClaw configuration environment. This finding marks a significant milestone in the evolution of infostealer behavior: the transition from stealing browser credentials to harvesting the “souls” and identities of personal AI agents.
A compromised machine in Lebanon – most likely belonging to a person named قسورة (Qasura), a local ISIS cell commander – contained explosive synthesis manuals, jihadist propaganda, and locally stored XMPP chat logs that should have been encrypted. The chats reveal Qasura receiving direct instructions from Syria-based operatives, coordinating IED attacks that killed security personnel, requesting religious permission for torture, managing cross-border smuggling routes, handling money transfers through Turkey and Syria, and shipping detonator components across the region. Through this single compromised machine, we were able to map the entire cell hierarchy from local commander to senior leadership.
If Infostealer infections are happening in companies like Lockheed Martin, and even in the U.S. Navy, we should conclude that the defense industry is also vulnerable to more sophisticated attacks.
In this new research, we examined the state of Infostealer infections in the most sensitive areas, and the results are concerning. Of the tens of millions of computers infected by Infostealers, a portion belong to individuals employed in sensitive companies.
We analyze the type of access hackers can gain from these infections and speculate on how they could exploit such access.