www.darkreading.com 3/11/2026, 8:55:14 PM

Xygeni GitHub Action Compromised Via Tag Poison

Unidentified threat actors breached Xygeni’s GitHub Actions repository this month by poisoning a tag and deploying a hidden command-and-control implant for up to seven days. Xygeni says the attacker first used pull requests to try to inject malicious code into xygeni/xygeni-action; those attempts were blocked by existing branch rules, after which the attacker moved the mutable v5 tag to point at the malicious commit.

Workflows calling xygeni/xygeni-action@v5 could retrieve the compromised code without visible changes to workflow definitions, the vendor said. Access was gained through compromised credentials linked to a maintainer token and a GitHub App installed on the repository, with the private key and broad permissions identified as root causes.

According to StepSecurity, the incident extended from March 3 to March 10, during which the C2 implant was live on affected workflows, though no malicious code was merged into the repository’s main branch and the compromised tag was removed. Xygeni is tightening release immutability, restricting write access, and urging customers to pin to a safe commit SHA and rotate secrets exposed to CI runners.
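The mitigation Xygeni recommends, pinning to a commit SHA instead of a mutable tag, can be checked mechanically. The following audit script is an added example and is not code from Xygeni, StepSecurity or Dark Reading: it scans GitHub Actions workflow YAML for `uses:` references and flags any that point at a tag or branch (which an attacker with write access can move) rather than a full 40-character commit SHA (which cannot be repointed). The sample workflow and the SHA in it are constructed placeholders, not real Xygeni commits.

```python
import re

# Matches `uses: owner/repo[/subpath]@ref` steps in a workflow file. Local
# actions (`./path`) and Docker references (`docker://...`) contain no
# `owner/repo@ref` form and are therefore ignored.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(?P<ref>[^'\"\s#]+)"
)

# A full git commit id: 40 lowercase hex characters. Short SHAs are treated
# as mutable because GitHub resolves them by prefix, which can be ambiguous.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not from any real repository). The SHA on the
# third step is a placeholder chosen for illustration only.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: xygeni/xygeni-action@v5
      - uses: xygeni/xygeni-action@0123456789abcdef0123456789abcdef01234567  # constructed placeholder SHA
      - uses: ./local-action
      - uses: docker://alpine:3.19
"""


def classify_ref(ref):
    """Return 'sha' for an immutable commit id, otherwise 'mutable' (tag/branch)."""
    return "sha" if SHA_RE.match(ref) else "mutable"


def audit_workflow(text):
    """Return one finding per remote action reference in the workflow text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        findings.append({
            "line": lineno,
            "action": m.group("action"),
            "ref": ref,
            "kind": classify_ref(ref),
        })
    return findings


def mutable_refs(text):
    """Only the findings that a tag-move attack like the one described could affect."""
    return [f for f in audit_workflow(text) if f["kind"] == "mutable"]


def report(text):
    """Human-readable lines, one per mutable reference, with the remediation."""
    return [
        f"line {f['line']}: {f['action']}@{f['ref']} is pinned to a mutable ref; "
        f"pin to a reviewed full commit SHA instead"
        for f in mutable_refs(text)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_WORKFLOW):
        print(line)
```

Run against the sample, the script flags `actions/checkout@v4` and `xygeni/xygeni-action@v5` and accepts the SHA-pinned step. In practice you would point `audit_workflow` at every file under `.github/workflows/`, and note that SHA pinning only helps if the SHA was itself reviewed before being recorded; rotating any secrets a CI runner exposed during the affected window is a separate step, as the advisory says.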


Article by CyberSIXT