This month, an unknown threat actor compromised one of application security vendor Xygeni's GitHub Actions by poisoning a tag. In a security incident report from March 10, Xygeni, which sells a number of AI-powered AppSec products, said it "detected suspicious activity affecting the repository used to publish the xygeni/xygeni-action GitHub Action."
The attacker tried to add malicious code (a small command-and-control implant) to the repository using pull requests, but Xygeni said that existing branch detection rules stopped the attempts.
The threat actor then changed direction, using "a separate vector by moving the mutable v5 tag to reference a malicious commit created during the pull request attempts," Xygeni said in its disclosure. "Workflows that referenced xygeni/xygeni-action@v5 could therefore get the compromised code without any visible change to their workflow definitions." The attacker got in using stolen credentials linked to a maintainer token and a GitHub app that was already on the affected repository.
Xygeni found the follow-up activity on March 9 after reports from the community, and the tag was taken down as part of ongoing incident response procedures.
In an email to ZeroOwl, Sharma says that Xygeni didn't do a full fix in this case, but they should have. Sharma says, "Closing the PRs and deleting workflows did nothing to stop the active compromise because the v5 tag was the whole delivery mechanism." He adds that the C2 implant was live for seven days.
"Any workflow that used @v5 between March 3 and 10 gave the attacker a three-minute window to run any command on that CI runner. This included access to GITHUB_TOKEN, repo secrets, and source code."
Xygeni disagrees with some parts of StepSecurity's research, such as when the v5 tag was poisoned.












