Xygeni GitHub Action Compromised Via Tag Poison

APPLICATION SECURITY DATA PRIVACY CYBERATTACKS & DATA BREACHES VULNERABILITIES & THREATS NEWS Xygeni GitHub Action Compromised Via Tag Poison Attackers operated an active C2 implant for up to a week and compromised AppSec vendor Xygeni's xygeni/xygeni-action in that time. Alexander Culafi,Senior News Writer,Dark Reading March 11, 2026 4 Min Read SOURCE: PATTARA VIA ALAMY STOCK PHOTO An unidentified threat actor breached one of application security vendor Xygeni's GitHub Actions this month via tag poisoning. Xygeni, which sells a number of AI-powered AppSec products, said in a March 10 security incident report that it "detected suspicious activity affecting the repository used to publish the xygeni/xygeni-action GitHub Action."  The attacker used pull requests in an effort to introduce malicious code (a compact command-and-control implant) into the repository, though Xygeni said the attempts were blocked via existing branch detection rules. The threat actor then pivoted, exploiting "a separate vector by moving the mutable v5 tag to reference a malicious commit created during the pull request attempts."  "Workflows referencing xygeni/xygeni-action@v5 could therefore retrieve the compromised code without any visible change to their workflow definitions," Xygeni said in its disclosure. The attacker gained access via compromised credentials associated with a maintainer token and a GitHub app installed on the relevant repository.  Related:GlassWorm Malware Evolves to Hide in Dependencies Xygeni identified the follow-on activity on March 9 following community reports, and the tag was removed as part of ongoing incident response procedures. According to the vendor, no malicious code was merged into the repository's main branch, there is no evidence of compromise to Xygeni's platform or customer data, and the compromised tag has been permanently removed.  Xygeni Attack Root Cause and Remediation Xygeni's post was notably detailed, featuring a timeline of the attack as well as root cause analysis and remediation recommendations.  The company concluded the root cause of breach was the compromise of a GitHub App private key that had been installed on the repository and had unnecessarily broad permissions. The attacker used a maintainer's personal access token (PAT) in tandem with the GitHub App's credentials: one to create pull requests, the other to approve them (as neither could bypass repository protections on their own). Going forward, Xygeni committed to enforcing release immutability across repositories, hardening repository permissions and contributor access, making cryptographically signed commits mandatory for maintainers, and restricting write access to a limited set of maintainers and administrators.  The vendor said customers should update their workflows to pin to the safe commit SHA, audit CI logs, and rotate secrets exposed to CI runners during the compromise period.  Disagreement Over Attack Timelines Related:Real-Time Banking Trojan Strikes Brazil's Pix Users "The exact vector by which the private key was exfiltrated remains under investigation," the disclosure post read. "GitHub App private keys (.pem files) can leak through misconfigured workflows, compromised developer machines, or insecure secret storage." One of the first public indicators of a compromise came March 9 in a blog post from StepSecurity CEO and co-founder Varun Sharma.  "On March 3, 2026, an attacker with access to maintainer accounts and a GitHub App token injected a full command-and-control (C2) reverse shell into xygeni/xygeni-action, the official GitHub Action published by Xygeni," Sharma wrote. "The backdoor was disguised as a 'scanner version telemetry' step. Three pull requests carrying the malicious code were opened and closed without merging, but the attacker also moved the v5 shortcut tag to point at the backdoored commit. For 7 days (March 3–10), anyone referencing xygeni/xygeni-action@v5 in their workflows was running a C2 implant." The real attack, Sharma argued, was the v5 tag, which anyone with write access could use to point to any commit, as the attacker ultimately did. Although the Xygeni team acted quickly to close all three pull requests and delete all relevant workflows from the repository, Sharma said the initial March 9 fix still included the v5 tag. This was remediated March 10 after StepSecurity reported the issue. Related:Microsoft Patches 83 CVEs in March Update Sharma tells Dark Reading in an email that this was a case where Xygeni did not do a complete fix and should have.  "Closing the PRs and deleting workflows did nothing to stop the active compromise because the v5 tag was the entire delivery mechanism. … Closing PRs and deleting workflows from main had zero effect on what @v5 resolved to," Sharma says, adding that for seven days, the C2 implant was live. "Any workflow run using @v5 during March 3–10 gave the attacker a three-minute window of arbitrary command execution on that CI runner — access to GITHUB_TOKEN, repo secrets, and source code." Xygeni contests some aspects of StepSecurity's research, including some details surrounding when the v5 tag was poisoned.  "The researcher's report places the v5 tag move at approximately 10:49 UTC on March 3, immediately after the PRs were closed," Xygeni said in its incident report. "Our investigation could not confirm this timing — tag force-push events are not recorded in GitHub's repository activity log. What we know is that the tag was poisoned at some point after the malicious commit was created and before the community discovered it on March 9." About the Author Alexander Culafi Senior News Writer, Dark Reading Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels. More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report Cybersecurity Forecast 2026 The ROI of AI in Security ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like APPLICATION SECURITY Trump Administration Rescinds Biden-Era Software Guidance by Alexander Culafi JAN 29, 2026 APPLICATION SECURITY Infamous Shai-hulud Worm Resurfaces From the Depths by Alexander Culafi NOV 24, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 APPLICATION SECURITY Oracle Cloud Users Urged to Take Action by Jai Vijayan, Contributing Writer MAR 31, 2025 Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ APPLICATION SECURITY Microsoft Patches 83 CVEs in March Update byJai Vijayan MAR 11, 2026 4 MIN READ THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE