
Xygeni GitHub Action Compromised in Supply Chain Attack

Attackers compromised AppSec vendor Xygeni's GitHub Action through tag poisoning, operating a command-and-control implant for up to one week.

Emanuel DE ALMEIDA, 11 Mar 2026, 21:22

Last updated 12 Mar 2026, 01:57

Key Takeaways

Xygeni GitHub Action Targeted in Tag Poisoning Attack

Attackers successfully compromised the xygeni/xygeni-action GitHub repository belonging to application security vendor Xygeni. The breach involved tag poisoning, a technique where malicious actors manipulate version tags to distribute compromised code through what appears to be legitimate software updates.

The attack allowed threat actors to establish and maintain an active command-and-control implant within the compromised action. This C2 infrastructure remained operational for up to seven days before detection.

Supply Chain Impact on Development Workflows

The compromise directly affects organizations and developers who integrated Xygeni's GitHub Action into their CI/CD pipelines. Any workflows that pulled the poisoned tags during the active compromise period potentially executed malicious code within their development environments.

The attack represents a significant supply chain security incident, as GitHub Actions are commonly used across enterprise development workflows for automated security scanning and compliance checks.

Tag Poisoning Enables Persistent Access

The attackers leveraged tag poisoning to maintain persistence within the legitimate software distribution channel. The technique exploits the trust developers place in version tags: a workflow that references an action by a mutable tag such as `v1` fetches whatever commit that tag currently points to, so moving the tag to attacker-controlled code delivers it through what looks like a routine update.

The week-long operation of the C2 implant indicates the attackers had sustained access to execute commands and potentially exfiltrate data from affected development environments. Organizations using the compromised action should audit their CI/CD logs for the affected timeframe.
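Because the exposure described above comes from workflows resolving a mutable tag at run time, the first step of an audit is finding every `uses:` reference in your workflow files that is not pinned to a full commit SHA. The script below is an added example, not code from the article or from Xygeni: it scans a workflow file for `uses:` lines and classifies each reference as a commit SHA, a mutable tag or branch, an unpinned default-branch reference, a local action, or a Docker image. The embedded workflow and its 40-character SHA are constructed placeholders, not real xygeni-action commits.

```python
import re
from typing import Dict, List

# Constructed sample workflow for demonstration; the SHA is a made-up
# placeholder and the tag references are not real Xygeni release data.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: xygeni/xygeni-action@v1
      - uses: xygeni/xygeni-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# Matches a step's `uses:` value, stopping at whitespace, quotes or a comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
# A full 40-hex-digit Git object id is the only immutable reference form.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text: str) -> List[Dict[str, object]]:
    """Return one record per `uses:` line with the reference kind."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group(1)
        if target.startswith("./"):
            # Local composite action: lives in this repo, no remote tag to poison.
            kind, action, ref = "local", target, ""
        elif target.startswith("docker://"):
            # Container image reference; image tags are mutable too, but are
            # a registry concern rather than a GitHub tag.
            kind, action, ref = "docker", target, ""
        elif "@" not in target:
            # No ref at all resolves to the default branch of the action repo.
            kind, action, ref = "unpinned", target, ""
        else:
            action, ref = target.rsplit("@", 1)
            kind = "sha" if SHA_RE.match(ref) else "mutable"
        findings.append(
            {"line": lineno, "action": action, "ref": ref, "kind": kind}
        )
    return findings


def mutable_actions(workflow_text: str) -> List[str]:
    """List every remote action whose reference can be moved after the fact."""
    return [
        f"{f['action']}@{f['ref']}" if f["ref"] else str(f["action"])
        for f in parse_uses(workflow_text)
        if f["kind"] in ("mutable", "unpinned")
    ]


if __name__ == "__main__":
    for finding in parse_uses(SAMPLE_WORKFLOW):
        print(f"line {finding['line']:>3}  {finding['kind']:<9} {finding['action']}"
              f"{'@' + str(finding['ref']) if finding['ref'] else ''}")
    print("needs pinning:", mutable_actions(SAMPLE_WORKFLOW))
```

Run it over each file under `.github/workflows/` and treat every `mutable` or `unpinned` line as a candidate to replace with a full commit SHA (keeping the tag in a trailing comment, as the third sample step does, so reviewers can still see the intended version). The pinned form is what makes a moved tag harmless: the runner fetches the exact commit you reviewed regardless of where the tag now points.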

Frequently Asked Questions

What is tag poisoning in GitHub Actions?
Tag poisoning is an attack technique where malicious actors manipulate version tags in repositories to distribute compromised code through legitimate software update channels.
How long was the Xygeni GitHub Action compromised?
The attackers operated an active command-and-control implant within the compromised Xygeni GitHub Action for up to one week before detection.
Which organizations are affected by the Xygeni compromise?
Any organizations or developers who used Xygeni's xygeni/xygeni-action in their CI/CD pipelines during the compromise period are potentially affected by this supply chain attack.

About the Author

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
