Xygeni's official GitHub Action carried a live C2 backdoor for seven days. The compromised xygeni/xygeni-action, used in more than 137 repositories, ran the implant on every CI/CD workflow that referenced the @v5 tag between March 3 and March 10, 2026. StepSecurity CEO Varun Sharma first disclosed the compromise publicly on March 9.
An attacker gained access to a maintainer account and a GitHub App token. On March 3, three pull requests (#46, #47, #48) landed in rapid succession, all carrying obfuscated shell code injected into action.yml. Branch protection rules blocked the PRs from merging into main. None were merged.
But the real attack bypassed the PRs entirely.
Compromised credentials let the attacker force-move the mutable v5 tag. It now pointed at commit 4bf1d4e from one of the unmerged PRs. That commit stayed in Git's object store. Any workflow referencing xygeni/xygeni-action@v5 fetched and executed it.
Closing the PRs and deleting workflows did nothing to stop the active compromise because the v5 tag was the entire delivery mechanism. Closing PRs and deleting workflows from main had zero effect on what @v5 resolved to.
— Varun Sharma, CEO and co-founder of StepSecurity
The payload posed as a "scanner version telemetry" step. It registered the CI runner with a C2 server at 91.214.78.178 (using the domain security-verify.91.214.78.178.nip.io), transmitting the hostname, username, and OS version. The implant then polled the C2 server every two to seven seconds for 180 seconds, receiving and executing arbitrary shell commands via eval.
Each compromised workflow run gave the attacker a three-minute window. During that window, the attacker could access GITHUB_TOKEN, repository secrets, and source code on the CI runner.
Any workflow run using @v5 during March 3-10 gave the attacker a three-minute window of arbitrary command execution on that CI runner, access to GITHUB_TOKEN, repo secrets, and source code.
— Varun Sharma, StepSecurity
Xygeni contests some details in StepSecurity's timeline. In its own incident report (published as GitHub advisory GHSA-f8q5-h5qh-33mh), Xygeni said its investigation "could not confirm this timing" for when the v5 tag was moved, noting that tag force-push events are not recorded in GitHub's repository activity log. Xygeni confirmed the compromise itself and has removed the poisoned v5 tag.
Tag poisoning powered the tj-actions/changed-files attack in March 2025. That incident (CVE-2025-30066) affected up to 23,000 GitHub repositories and led to a CISA advisory. Attackers force-retagged version references to point at malicious commits. Earlier in 2025, the reviewdog/action-setup action fell to the same technique. GitHub Actions tags are mutable references that anyone with write access can move to any commit.
The GitHub advisory rates the Xygeni incident as critical severity but notes several mitigating factors. The v5 tag was primarily referenced by Xygeni-owned and Xygeni-affiliated repositories. No external public repositories were confirmed using the compromised tag, though private repository usage cannot be ruled out. No confirmed exploitation of downstream users has been established.
Anyone who used xygeni/xygeni-action@v5 between March 3 and 10 should act now. Audit CI/CD logs for connections to 91.214.78.178 and rotate any secrets accessible to the workflow runner during that window. Xygeni recommends pinning to the verified safe commit SHA for v6.4.0 (13c6ed2) or using its CLI scanner directly, which bypasses the GitHub Action entirely.
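As an added, defender-side example (not code from Xygeni, StepSecurity, or the GitHub advisory), the script below performs the two checks this section and the payload description call for, offline: it lists every `uses:` reference in a workflow file that is not pinned to a full 40-character commit SHA, flags the `xygeni/xygeni-action@v5` reference specifically, and scans CI log lines for the C2 indicators named above (91.214.78.178 and security-verify.91.214.78.178.nip.io) and for `@v5` runs dated inside the March 3 to 10, 2026 window. The sample workflow, the log lines and their timestamp format, and the 40-character SHA on the upload-artifact step are constructed for illustration; the short SHA 13c6ed2 is the v6.4.0 commit the advisory names as safe.

```python
"""Post-incident audit helpers for a mutable-tag compromise of a GitHub Action.

Added example, not code from Xygeni, StepSecurity or the advisory.  Indicators,
the compromised reference and the exposure window come from the article; the
sample workflow, log lines and placeholder SHA are constructed.
"""
import re
from datetime import date

C2_IOCS = ("security-verify.91.214.78.178.nip.io", "91.214.78.178")
COMPROMISED_REF = "xygeni/xygeni-action@v5"
WINDOW_START, WINDOW_END = date(2026, 3, 3), date(2026, 3, 10)

# Matches `uses: owner/repo[/path]@ref`, quoted or not.  Local (./) and
# docker:// actions carry no `@ref` and are ignored on purpose.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?([\w.-]+(?:/[\w.-]+)+)@([^\s'"]+)""", re.MULTILINE
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")  # a hex-only tag name would be misread; rare
LOG_TS_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T")  # constructed log timestamp layout


def classify_ref(ref):
    """Only a full-length SHA is resolved immutably by GitHub; anything else can be moved."""
    if FULL_SHA_RE.match(ref):
        return "full-sha"
    if SHORT_SHA_RE.match(ref):
        return "short-sha"
    return "mutable"  # tag or branch name such as v5


def audit_workflow(workflow_text):
    """Every remote action reference in a workflow as (action, ref, kind)."""
    return [(a, r, classify_ref(r)) for a, r in USES_RE.findall(workflow_text)]


def unpinned_refs(workflow_text):
    """References that anyone with write access to the action repo could retarget."""
    return [(a, r) for a, r, kind in audit_workflow(workflow_text) if kind != "full-sha"]


def uses_compromised_ref(workflow_text):
    """True if the workflow pulls the reference the attacker controlled."""
    return any(f"{a}@{r}" == COMPROMISED_REF for a, r, _ in audit_workflow(workflow_text))


def scan_log(lines):
    """Return (ioc_hits, runs_in_window).

    ioc_hits: (line number, indicator) for lines mentioning the C2 host.
    runs_in_window: line numbers that invoked the compromised ref on a date
    inside the exposure window; these runs need their secrets rotated.
    """
    ioc_hits, runs_in_window = [], []
    for n, line in enumerate(lines, 1):
        for ioc in C2_IOCS:  # domain is checked first because it contains the bare IP
            if ioc in line:
                ioc_hits.append((n, ioc))
                break
        m = LOG_TS_RE.match(line)
        if m and COMPROMISED_REF in line:
            if WINDOW_START <= date(*map(int, m.groups())) <= WINDOW_END:
                runs_in_window.append(n)
    return ioc_hits, runs_in_window


# Constructed sample workflow: one mutable tag, the compromised tag, the short
# SHA named in the advisory, and a placeholder full SHA (not a real commit).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: xygeni/xygeni-action@v5
      - uses: "xygeni/xygeni-action@13c6ed2"
      - uses: actions/upload-artifact@1234567890abcdef1234567890abcdef12345678
"""

# Constructed log lines; line 4 is an @v5 run after the window and is not flagged.
SAMPLE_LOG = [
    "2026-03-05T10:12:01Z job=scan step=1 uses xygeni/xygeni-action@v5",
    "2026-03-05T10:12:03Z connect security-verify.91.214.78.178.nip.io:80",
    "2026-03-05T10:12:04Z connect 91.214.78.178:80",
    "2026-03-12T08:00:00Z job=scan step=1 uses xygeni/xygeni-action@v5",
    "2026-03-12T08:00:09Z build finished",
]

if __name__ == "__main__":
    for action, ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{kind:9} {action}@{ref}")
    print("compromised ref present:", uses_compromised_ref(SAMPLE_WORKFLOW))
    hits, runs = scan_log(SAMPLE_LOG)
    print("C2 indicator hits:", hits)
    print("@v5 runs inside window (rotate secrets):", runs)
```

To run it against real data, pass `open(path).read()` for each file under `.github/workflows/` to `audit_workflow` and the downloaded job log, split into lines, to `scan_log`. The 13c6ed2 reference is reported as `short-sha` rather than `full-sha` because GitHub only treats a full-length commit SHA as an immutable pin; a short SHA still identifies the commit the advisory recommends, but expanding it to its 40-character form is what closes the retargeting path the article describes.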