Xygeni v5 tag pointed at C2 backdoor
Compromised Xygeni maintainer and GitHub App credentials moved the mutable v5 tag to a backdoored commit. Workflows pinned to xygeni-action@v5 received a C2 reverse shell.
Story
On 2026-03-03, an attacker used compromised Xygeni maintainer credentials and a GitHub App token to introduce the same malicious payload through three pull requests. The pull requests were closed, but the attacker moved the mutable v5 tag to the backdoored commit.
That tag move was the release. Any workflow using xygeni/xygeni-action@v5 resolved to commit 4bf1d4e19ad81a3e8d4063755ae0f482dd3baf12, even though the workflow file did not change and the code was not merged to the main branch.
The payload was disguised as scanner telemetry in action.yml. It registered the runner with security-verify.91.214.78.178.nip.io, sent hostname, username, OS, and scanner version data, then polled for commands and executed them with eval, returning compressed base64 output.
Xygeni removed the compromised tag on 2026-03-10, rotated contributor tokens, enabled release immutability, added tag protection, and recommended pinning by full commit SHA. The incident is a clean example of why mutable GitHub Action tags are production release surfaces.
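To find workflows exposed to a tag move like the one above, here is an added example (not Xygeni's or StepSecurity's code) that scans workflow YAML for `uses:` references not pinned to a full commit SHA; the sample workflow and the 40-hex SHA in it are constructed.

```python
import re

# Matches the `uses:` reference of a workflow step: owner/repo[/path]@ref
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s'\"#]+)", re.M
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """'sha' for a full 40-hex commit, 'tag' for a version-like tag, else 'branch'."""
    if FULL_SHA_RE.fullmatch(ref):
        return "sha"
    if re.fullmatch(r"v?\d+(\.\d+)*", ref):
        return "tag"
    return "branch"


def find_mutable_uses(workflow_yaml: str):
    """Return (action, ref, kind) for every step whose ref can be moved after the fact."""
    findings = []
    for m in USES_RE.finditer(workflow_yaml):
        action, ref = m.group(1), m.group(2)
        kind = classify_ref(ref)
        if kind != "sha":  # tags and branches are mutable; only a SHA is fixed
            findings.append((action, ref, kind))
    return findings


# Constructed sample workflow: one branch ref, one mutable tag, one SHA pin (placeholder SHA).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - uses: xygeni/xygeni-action@v5
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
"""

if __name__ == "__main__":
    for action, ref, kind in find_mutable_uses(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: {kind} reference is mutable; pin to a full commit SHA")
```

A SHA pin only removes the tag-move problem; it says nothing about whether that commit is trustworthy, and the commit named on this page is itself the backdoored one.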
Affected Artifacts
- Observed: 2026-03-03 to 2026-03-10
- Compromised Versions
- Fixed: Not listed
Incident Context
- Motive: Credential Theft, Remote Access
- Cause: Compromised Account Credentials
- Transitive: No
External References
- xygeni-action Compromised: C2 Reverse Shell Backdoor Injected via Tag Poisoning (stepsecurity.io)
- Security Incident Report: xygeni-action GitHub Action Compromise (xygeni.io)
- Pull request 46 in xygeni/xygeni-action (github.com)
- Pull request 47 in xygeni/xygeni-action (github.com)
- Pull request 48 in xygeni/xygeni-action (github.com)
- Security incident discussion in xygeni/xygeni-action (github.com)
Source record: proprietary/xygeni-action/meta.yaml