Xygeni GitHub Action Targeted in Tag Poisoning Attack
Attackers successfully compromised the xygeni/xygeni-action GitHub repository belonging to application security vendor Xygeni. The breach involved tag poisoning, a technique where malicious actors manipulate version tags to distribute compromised code through what appears to be legitimate software updates.
The attack allowed threat actors to establish and maintain an active command-and-control implant within the compromised action. This C2 infrastructure remained operational for up to seven days before detection.
Supply Chain Impact on Development Workflows
The compromise directly affects organizations and developers who integrated Xygeni's GitHub Action into their CI/CD pipelines. Any workflows that pulled the poisoned tags during the active compromise period potentially executed malicious code within their development environments.
The attack represents a significant supply chain security incident, as GitHub Actions are commonly used across enterprise development workflows for automated security scanning and compliance checks.
Tag Poisoning Enables Persistent Access
The attackers leveraged tag poisoning to maintain persistence within the legitimate software distribution channel. This technique exploits the trust developers place in version tags, allowing malicious code to be distributed through what appears to be routine software updates.
The week-long operation of the C2 implant indicates the attackers had sustained access to execute commands and potentially exfiltrate data from affected development environments. Organizations using the compromised action should audit their CI/CD logs for the affected timeframe.
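Pinning each action to a full commit SHA instead of a tag is the standard defence against the technique described above, since a tag can be moved or re-created while a commit hash cannot. As an added example, not code from the article or from Xygeni, the following Python audit flags `uses:` references in a workflow that resolve through a tag or branch; the sample workflow and its version strings are constructed placeholders, not the tags involved in the incident.

```python
import re

# A `uses:` reference looks like owner/repo[/path]@ref; quotes are optional.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def classify_ref(ref):
    """Classify one action reference: a 40-hex SHA is immutable ('pinned');
    a tag, branch or abbreviated SHA can be moved or re-created ('mutable')."""
    if ref.startswith(('./', 'docker://')):
        return 'skipped', ref, None
    if '@' not in ref:
        return 'unversioned', ref, None
    action, version = ref.rsplit('@', 1)
    if FULL_SHA_RE.match(version):
        return 'pinned', action, version
    return 'mutable', action, version

def find_unpinned(workflow_text):
    """Return (line_no, action, version, kind) for every uses: line that is
    not pinned to a full commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        kind, action, version = classify_ref(m.group(1))
        if kind in ('mutable', 'unversioned'):
            findings.append((n, action, version, kind))
    return findings

# Constructed sample workflow; the version strings are placeholders, not the
# tags involved in the incident.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: xygeni/xygeni-action@v1
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./local-action
      - name: lint
        uses: other-org/linter@main
"""

if __name__ == '__main__':
    for n, action, version, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{version} ({kind})")
```

Run it over each file under `.github/workflows/` to list every reference that would follow a moved tag; the pinned SHA and the local action are deliberately left out of the findings.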