On June 24, 2026, the codfish/semantic-release-action GitHub repository was compromised: an attacker force-pushed a malicious commit (ID: 6b9501e) and redirected seven version tags to point at it. Any workflow referencing the action by one of those tags therefore executed the attacker's code, which is designed to steal GitHub OIDC tokens and Personal Access Tokens and to propagate a backdoor to other repositories.
The attacker also changed the action from a Docker-based runner to a composite action, which made it easier to inject the malicious payload. To protect customers, StepSecurity has implemented a Compromised Actions Policy and detection mechanisms that block affected workflows before they execute. The blog post notes that analysis is ongoing and that details of the attack will be updated as they become available.
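The attack works because a version tag is a mutable pointer: a workflow that says `uses: codfish/semantic-release-action@v3` re-resolves that tag on every run, so redirecting the tag silently swaps in the attacker's commit. The defensive check practitioners want is an audit of their own workflow files for mutable references to the affected action, and for pins that resolve to the malicious commit. The script below is an added example, not StepSecurity's detection code or anything from the incident report. The owner/repo name and the short commit ID 6b9501e come from the page; the sample workflow is constructed for the example, and the full 40-character SHA in it is a placeholder, not a real commit.

```python
import re
from typing import Dict, List

# Constructed sample workflow for this example (not a real customer workflow).
# It mixes a tag reference, a short reference matching the malicious commit
# prefix named in the incident, a placeholder full-SHA pin, and a local action.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: codfish/semantic-release-action@v3
      - uses: codfish/semantic-release-action@6b9501e
      - uses: codfish/semantic-release-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./local-action
"""

# Owner/repo of the compromised action (from the incident report).
AFFECTED_ACTION = "codfish/semantic-release-action"
# Short ID of the malicious commit named in the report; a full 40-hex pin to
# that commit starts with this prefix.
MALICIOUS_COMMIT_PREFIX = "6b9501e"

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses: str) -> str:
    """Classify a single `uses:` reference.

    Returns one of: "local", "malicious-commit", "affected-mutable",
    "mutable", "pinned".
    """
    if uses.startswith("./") or uses.startswith("docker://"):
        return "local"
    action, _, version = uses.partition("@")
    repo = "/".join(action.split("/")[:2])  # drop any sub-path (owner/repo/path)
    if repo == AFFECTED_ACTION and version.startswith(MALICIOUS_COMMIT_PREFIX):
        return "malicious-commit"
    pinned = bool(FULL_SHA_RE.match(version))
    if repo == AFFECTED_ACTION and not pinned:
        return "affected-mutable"
    return "pinned" if pinned else "mutable"


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """Return one finding per non-local `uses:` line in a workflow file."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        status = classify_ref(uses)
        if status == "local":
            continue
        findings.append({"line": lineno, "uses": uses, "status": status})
    return findings


def should_block(findings: List[Dict[str, object]]) -> bool:
    """Mirror a compromised-actions policy: block the run if any step resolves
    the affected action through a mutable ref or directly to the malicious commit."""
    return any(f["status"] in ("malicious-commit", "affected-mutable") for f in findings)


if __name__ == "__main__":
    results = audit_workflow(SAMPLE_WORKFLOW)
    for f in results:
        print(f"line {f['line']:>3}  {f['status']:<18} {f['uses']}")
    print("block:", should_block(results))
```

Two points worth noting about the design. First, pinning to a full SHA only helps if the pin predates the compromise; a SHA copied from the repository after the tags were redirected points at the malicious commit itself, which is why the known-malicious prefix is checked before the "pinned" verdict. Second, unrelated actions referenced by tag are reported as `mutable` rather than blocked, so the output doubles as a list of references to migrate to full-SHA pins.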