www.stepsecurity.io 3/9/2026, 10:34:55 PM · via preferred

Xygeni GitHub Action breach pins v5 to backdoored C2 shell


The official Xygeni GitHub Action (xygeni-action) was compromised on 3 March 2026 when an attacker using stolen maintainer credentials injected a full C2 reverse-shell backdoor, disguised as a “scanner version telemetry” step, and moved the mutable v5 tag to the backdoored commit 4bf1d4e. Every repository referencing @v5 picked up the backdoor without any visible change to its own workflow files.

The C2 implant beaconed to 91.214.78[.]178 and could be triggered by any workflow referencing xygeni-action@v5. On each run the payload registers with the C2 server, polls for commands for about three minutes, and executes whatever it receives via eval, skipping TLS verification and presenting an authentication header. By March 9, 2026, v6.4.0 had been released with checksum verification, but the v5 tag remained poisoned, still pointing at the backdoored commit; the advice is to pin to v6.4.0 or to a specific commit SHA.
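A small pinning audit for workflow files, added here as an example and not part of the CyberSIXT article or Xygeni's own tooling: it flags every `uses:` reference that relies on a mutable tag or branch rather than a full commit SHA, and marks the `@v5` reference the article reports as poisoned. The repository path `xygeni/xygeni-action` and the sample workflow are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (not taken from the article). The repository
# path "xygeni/xygeni-action" is assumed; the article only names xygeni-action.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout
      - uses: xygeni/xygeni-action@v5
      - uses: xygeni/xygeni-action@v6.4.0
      - uses: xygeni/xygeni-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./local-action
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Tag the article reports as having been moved to the backdoored commit.
KNOWN_POISONED = {("xygeni/xygeni-action", "v5")}

@dataclass
class Finding:
    ref: str
    level: str   # "ok", "mutable" or "poisoned"
    reason: str

def classify(uses: str) -> Finding:
    """Classify one `uses:` value by how firmly it is pinned."""
    if uses.startswith("./") or uses.startswith("docker://"):
        return Finding(uses, "ok", "local path or docker image, not a git ref")
    if "@" not in uses:
        return Finding(uses, "mutable", "no ref given, resolves to the default branch")
    repo, ref = uses.rsplit("@", 1)
    if (repo, ref) in KNOWN_POISONED:
        return Finding(uses, "poisoned", "tag reported as moved to a backdoored commit")
    if SHA_RE.match(ref):
        return Finding(uses, "ok", "pinned to a full commit SHA")
    return Finding(uses, "mutable", "tag or branch can be re-pointed by whoever holds the repo")

def audit(workflow_text: str) -> list[Finding]:
    """Return one Finding per `uses:` line in a workflow file."""
    return [classify(m.group(1)) for m in USES_RE.finditer(workflow_text)]

if __name__ == "__main__":
    for f in audit(SAMPLE_WORKFLOW):
        print(f"{f.level:9} {f.ref}  ({f.reason})")
```

A SHA pin only freezes the content you reviewed; a SHA chosen after the tag had moved would freeze the backdoored commit itself, so verify the commit before pinning it.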


Article by CyberSIXT