Xygeni GitHub Action Compromised Via Tag Poison
Summary
Application security vendor Xygeni disclosed a compromise of its GitHub Action (xygeni/xygeni-action) in March 2026. An attacker created malicious commits via pull requests, then used tag poisoning — moving the mutable v5 tag to point at a backdoored commit — so workflows referencing xygeni/xygeni-action@v5 could retrieve the compromised code without changes to their workflow files. Xygeni detected suspicious activity on 9 March and removed the poisoned tag on 10 March. No malicious code was merged into main and the vendor reports no evidence of platform or customer data compromise.
Key Points
- The attacker used pull requests to introduce a compact C2 implant and then pivoted to tag poisoning so workflows using the shortcut @v5 would execute the backdoor.
- Root cause: compromise of a GitHub App private key (with overly broad permissions) and a maintainer personal access token (PAT); the two credentials were used together to create and approve malicious PR activity.
- Xygeni detected the activity after community reporting; the poisoned v5 tag was removed as part of incident response.
- Vendor remediation commitments include enforcing release immutability, hardening repository permissions, requiring cryptographically signed commits, and restricting write access to a small set of maintainers and admins.
- Customer recommendations: pin Actions to a known-good commit SHA, audit CI logs for suspicious runs, and rotate any secrets exposed to CI runners during the compromise window.
- Disagreement remains on the exact timeline: StepSecurity reported the v5 tag was poisoned on 3 March and active for seven days; Xygeni confirms the tag was poisoned before discovery on 9 March but says GitHub logs do not show tag force-push events so precise timing is uncertain.
Context and relevance
This is a supply-chain incident that highlights how mutable tags and over-permissive GitHub App keys can be abused to push backdoors into CI workflows. Tag poisoning lets attackers serve malicious code without modifying a repository’s main branch or the workflow YAMLs consumers see, so any organisation that relies on public GitHub Actions or uses shortcut tags (like @v5) should re-evaluate their practices immediately.
Why should I read this?
Look, if you or your team use third-party GitHub Actions (and who doesn’t?), this is a wake-up call. Mutable tags can be weaponised; pin your actions, lock down app keys and PATs, and check your CI logs — we’ve done the reading so you don’t have to panic first and patch later.