Xygeni GitHub Action Compromised Via Tag Poison


An unidentified threat actor breached one of application security vendor Xygeni's GitHub Actions this month via tag poisoning.

Xygeni, which sells a number of AI-powered AppSec products, said in a March 10 security incident report that it "detected suspicious activity affecting the repository used to publish the xygeni/xygeni-action GitHub Action." 

The attacker used pull requests in an effort to introduce malicious code (a compact command-and-control implant) into the repository, though Xygeni said the attempts were blocked via existing branch detection rules. The threat actor then pivoted, exploiting "a separate vector by moving the mutable v5 tag to reference a malicious commit created during the pull request attempts." 

"Workflows referencing xygeni/xygeni-action@v5 could therefore retrieve the compromised code without any visible change to their workflow definitions," Xygeni said in its disclosure. The attacker gained access via compromised credentials associated with a maintainer token and a GitHub app installed on the relevant repository. 


Xygeni identified the follow-on activity on March 9 following community reports, and the tag was removed as part of ongoing incident response procedures. According to the vendor, no malicious code was merged into the repository's main branch, there is no evidence of compromise to Xygeni's platform or customer data, and the compromised tag has been permanently removed. 

Xygeni Attack Root Cause and Remediation

Xygeni's post was notably detailed, featuring a timeline of the attack as well as root cause analysis and remediation recommendations. 

The company concluded the root cause of the breach was the compromise of a GitHub App private key that had been installed on the repository and had unnecessarily broad permissions. The attacker used a maintainer's personal access token (PAT) in tandem with the GitHub App's credentials: one to create pull requests, the other to approve them (as neither could bypass repository protections on their own).

Going forward, Xygeni committed to enforcing release immutability across repositories, hardening repository permissions and contributor access, making cryptographically signed commits mandatory for maintainers, and restricting write access to a limited set of maintainers and administrators. 

The vendor said customers should update their workflows to pin to the safe commit SHA, audit CI logs, and rotate secrets exposed to CI runners during the compromise period. 

Disagreement Over Attack Timelines


"The exact vector by which the private key was exfiltrated remains under investigation," the disclosure post read. "GitHub App private keys (.pem files) can leak through misconfigured workflows, compromised developer machines, or insecure secret storage."

One of the first public indicators of a compromise came March 9 in a blog post from StepSecurity CEO and co-founder Varun Sharma. 

"On March 3, 2026, an attacker with access to maintainer accounts and a GitHub App token injected a full command-and-control (C2) reverse shell into xygeni/xygeni-action, the official GitHub Action published by Xygeni," Sharma wrote. "The backdoor was disguised as a 'scanner version telemetry' step. Three pull requests carrying the malicious code were opened and closed without merging, but the attacker also moved the v5 shortcut tag to point at the backdoored commit. For 7 days (March 3–10), anyone referencing xygeni/xygeni-action@v5 in their workflows was running a C2 implant."

The real attack, Sharma argued, was the v5 tag, which anyone with write access could use to point to any commit, as the attacker ultimately did. Although the Xygeni team acted quickly to close all three pull requests and delete all relevant workflows from the repository, Sharma said the initial March 9 fix still included the v5 tag. This was remediated March 10 after StepSecurity reported the issue.


Sharma tells Dark Reading in an email that this was a case where Xygeni did not do a complete fix and should have. 

"Closing the PRs and deleting workflows did nothing to stop the active compromise because the v5 tag was the entire delivery mechanism. … Closing PRs and deleting workflows from main had zero effect on what @v5 resolved to," Sharma says, adding that for seven days, the C2 implant was live. "Any workflow run using @v5 during March 3–10 gave the attacker a three-minute window of arbitrary command execution on that CI runner — access to GITHUB_TOKEN, repo secrets, and source code."

Xygeni contests some aspects of StepSecurity's research, including some details surrounding when the v5 tag was poisoned. 

"The researcher's report places the v5 tag move at approximately 10:49 UTC on March 3, immediately after the PRs were closed," Xygeni said in its incident report. "Our investigation could not confirm this timing — tag force-push events are not recorded in GitHub's repository activity log. What we know is that the tag was poisoned at some point after the malicious commit was created and before the community discovered it on March 9."
