2026-05-265 mincritical

Researcher's Notebook: Hunting Megalodon Fossils

A supply chain attack dubbed 'megalodon' compromises GitHub Action YAML configurations by injecting base64-encoded malicious scripts to exfiltrate repository data. Analysis of the C2 infrastructure, identified as the NEXUS Listener framework, links this activity to a prior campaign that exploited CVE-2026-41940 in cPanel servers to deploy cryptominers and steal high-value cloud credentials.

Sens:■ ImmediateConf:highAnalyzed:2026-05-26Google

Authors: Robert Simmons

ActorsMegalodonNEXUS Listener

GitHub Actions Supply Chain cPanel NEXUS Listener Megalodon

Source:Reversinglabs

IOCs · 12

cve
CVE-2026-41940
ip
144[.]172[.]102[.]88Related campaign infrastructure IP
ip
144[.]172[.]112[.]136Related campaign infrastructure IP
ip
144[.]172[.]116[.]48Historical C2 server for credential theft and cryptomining campaign
ip
144[.]172[.]117[.]112Related campaign infrastructure IP
ip
172[.]86[.]127[.]128Related campaign infrastructure IP
ip
216[.]126[.]225[.]129Megalodon C2 server hosting NEXUS Listener framework
url
hxxp://144[.]172[.]116[.]48:8080/?h=buffalo&l=tokens&id=a49fd31b-bab5-45bb-a4ea-5b233ef5a3db1777797762271Historical C2 URL from related campaign
url
hxxp://144[.]172[.]116[.]48:8080/?h=cp2[.]hostable[.]com&l=found&id=94f7511e-08d6-421e-bdc1-d420f4c93d331777695161953Historical C2 URL from related campaign
url
hxxp://144[.]172[.]116[.]48:8080/?h=MacBook&id=5BFF69DC-85FD-49E1-9E93-46A77A0A9B331777797917858&l=infoHistorical C2 URL from related campaign
url
hxxp://216[.]126[.]225[.]129:8443?h=megalodon&l=gh_dump&id=4ny72dgixww6Megalodon C2 exfiltration URL used in malicious GitHub Actions
url
hxxps://gist[.]github[.]com/saladin0x1/8c3ca60e8d0ef154b81004934bf48559Entry point script payload from related cPanel campaign hosted on GitHub Gist

Detection / HunterGoogle

What Happened

Attackers are compromising GitHub repositories by secretly adding malicious code to their automated workflow files. This code steals sensitive data from the repositories and sends it to an attacker-controlled server. Researchers discovered that the same attackers previously hacked web hosting servers using a known vulnerability to install cryptocurrency miners and steal cloud passwords. This highlights the danger of supply chain attacks where trusted automated systems are turned against their owners. Organizations should secure their automated pipelines and ensure their web hosting software is fully patched.

Key Takeaways

The 'megalodon' campaign compromises GitHub Action YAML files with base64-encoded malicious scripts to exfiltrate repository data.
The campaign utilizes the NEXUS Listener C2 framework, hosted on RouterHosting LLC infrastructure.
Historical C2 telemetry links this activity to an earlier credential theft and cryptomining campaign targeting cPanel servers.
The earlier campaign exploited CVE-2026-41940 (cPanel CRLF injection) to gain root access and deploy an XMR miner via Docker.

Affected Systems

GitHub Actions CI/CD pipelines
cPanel/WHM servers
Docker environments

Vulnerabilities (CVEs)

CVE-2026-41940

Attack Chain

The attack begins with the compromise of GitHub Action YAML configuration files, where attackers inject a base64-encoded malicious script. When the CI/CD pipeline runs, the script decodes and executes, exfiltrating repository data to a NEXUS Listener C2 server. In a related campaign, attackers exploit CVE-2026-41940 in cPanel servers to gain root access, create a backdoor user named 'pakchoi', and deploy an XMR miner via a malicious Docker container. The attackers also stage bash scripts to fingerprint the environment and steal cloud credentials, which are then shipped to the C2 infrastructure.

Detection Availability

YARA Rules: Yes
Sigma Rules: No
Snort/Suricata Rules: No
KQL Queries: No
Splunk SPL Queries: No
EQL Queries: No
Other Detection Logic: No
Platforms: ReversingLabs

A YARA rule is provided in the article to detect the NEXUS Listener C2 response content based on specific hexadecimal strings.

Detection Engineering Assessment

EDR Visibility: Medium — EDR can detect the creation of the backdoor user 'pakchoi' and the execution of the XMR miner, but visibility into GitHub Actions CI/CD pipeline execution requires specific integrations. Network Visibility: High — The C2 communication uses cleartext HTTP parameters (e.g., ?h=megalodon&l=gh_dump) which are highly visible in network traffic. Detection Difficulty: Moderate — While the network IOCs and backdoor user are easy to spot, detecting malicious modifications to CI/CD pipelines requires baseline monitoring of repository configurations.

Required Log Sources

CI/CD Pipeline Logs
Web Application Firewall (WAF) Logs
Linux Audit Logs
Docker Daemon Logs

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Consider hunting for unexpected base64-encoded strings within GitHub Actions YAML files, specifically in 'run' steps.	CI/CD Pipeline Logs	Execution	Medium
If you have visibility into Linux user creation, consider hunting for the creation of a user named 'pakchoi' with GID 0.	Linux Audit Logs	Persistence	Low
Consider hunting for HTTP POST requests containing the URI parameters '?h=' and '&l=' and '&id=' indicative of NEXUS Listener C2 communication.	Web Proxy / WAF Logs	Command and Control	Low

Control Gaps

Lack of integrity monitoring for CI/CD pipeline configurations
Unpatched public-facing cPanel servers

Key Behavioral Indicators

Creation of user 'pakchoi'
Unexpected Docker container execution for mining
Base64 encoded payloads in CI/CD YAML

False Positive Assessment

Recommendations

Immediate Mitigation

Verify against your organization's incident response runbook and team escalation paths before acting.
Consider reviewing GitHub Actions YAML files for unauthorized modifications, particularly base64-encoded scripts.
If applicable, check cPanel/WHM servers for the presence of the 'pakchoi' user and remove it if found.
Consider blocking the identified C2 IP addresses and URLs at the network perimeter.

Infrastructure Hardening

Evaluate whether all cPanel/WHM servers are patched against CVE-2026-41940.
Consider implementing strict access controls and least privilege for CI/CD pipeline execution.
Consider monitoring and restricting outbound network connections from CI/CD runners to known-good infrastructure.

User Protection

Consider rotating any cloud credentials, SSH keys, or Git tokens that may have been exposed in compromised environments.

Security Awareness

Consider educating developers on the risks of supply chain attacks and the importance of reviewing CI/CD configuration changes.

MITRE ATT&CK Mapping

T1132.001 - Data Encoding: Standard Encoding
T1059.004 - Command and Scripting Interpreter: Unix Shell
T1190 - Exploit Public-Facing Application
T1078.003 - Valid Accounts: Local Accounts
T1496 - Resource Hijacking
T1552.004 - Unsecured Credentials: Private Keys

Additional IOCs

Ips:
- 144[.]172[.]102[.]88 - Related campaign infrastructure IP
- 172[.]86[.]127[.]128 - Related campaign infrastructure IP
- 144[.]172[.]112[.]136 - Related campaign infrastructure IP
- 144[.]172[.]117[.]112 - Related campaign infrastructure IP
Urls:
- hxxp://144[.]172[.]116[.]48:8080/?h=cp2.hostable.com&l=found&id=94f7511e-08d6-421e-bdc1-d420f4c93d331777695161953 - Historical C2 URL from related campaign
- hxxp://144[.]172[.]116[.]48:8080/?h=MacBook&id=5BFF69DC-85FD-49E1-9E93-46A77A0A9B331777797917858&l=info - Historical C2 URL from related campaign
- hxxp://144[.]172[.]116[.]48:8080/?h=buffalo&l=tokens&id=a49fd31b-bab5-45bb-a4ea-5b233ef5a3db1777797762271 - Historical C2 URL from related campaign
Other:
- 4AypWi9xNQvSy11FT5yr7Ajnyz2XuoUD7LGEJw4ZTRUHLrWjH1x5KoZUp9FTS4s9a5Y6Q7d4jSze4E6tq64aJTD2L7hnCrL - Monero (XMR) wallet address used by the deployed cryptominer