Researcher's Notebook: Hunting Megalodon Fossils
ID: 7f9ac27a-12fb-5304-adbb-8c586bc2286e
STIX ID: report--7f9ac27a-12fb-5304-adbb-8c586bc2286e
Feed Name: ReversingLabs Blog
The report documents the "megalodon" supply-chain campaign that compromised many GitHub Action CI configurations by adding a base64-encoded malicious script which contacts a NEXUS Listener C2 (examples: 216.126.225.129 and several 144.172.x.x addresses). Analysis links this activity to earlier credential-stealing and coin-mining campaigns, provides IOCs (C2 URLs and IPs), a YARA rule for detection, and retrohunt results demonstrating historical telemetry and campaign linkage.
