Xygeni Action Tag Poisoning Vulnerability Leading to Supply Chain Compromise

Vulnerability

A supply chain vulnerability has been identified in the Xygeni Action for GitHub. On March 3, 2026, an attacker used compromised credentials to inject obfuscated shell code into the action's configuration file via pull requests. Although these pull requests were not merged, the attacker manipulated the v5 tag to point to a malicious commit. As a result, any workflow using the v5 tag executed the injected code, which established a command-and-control connection and allowed arbitrary command execution on the CI runner for up to 180 seconds per workflow.

Impact

This vulnerability represents a critical supply chain compromise through tag poisoning, allowing unauthorized command execution on CI runners.

Remediation

Users should update their workflows to use version 6.4.0 or later of the Xygeni Action. If workflows ran with the v5 tag during the affected period, it is recommended to rotate all CI secrets and audit CI logs for any connections to the attacker's server.
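As an added example (not part of the advisory and not Xygeni's own code), the following script audits workflow files for `uses:` references to the action and flags every reference that still points at the repointed v5 tag, at any release before 6.4.0, or at a mutable tag that cannot be verified offline. The action slug xygeni/xygeni-action and the sample workflow are assumptions constructed for the example.

```python
import re

# Assumed action slug for the Xygeni GitHub Action (assumption, not from the advisory).
ACTION_REPO = "xygeni/xygeni-action"
FIXED_VERSION = (6, 4, 0)   # first fixed release named in the advisory
AFFECTED_TAG = "v5"         # tag the advisory says was repointed to a malicious commit

# Matches `uses: owner/repo@ref` in a workflow; tolerates YAML quoting and trailing comments.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([\w.-]+/[\w.-]+)@([^\s"\'#]+)')
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")

def classify_ref(ref):
    """Return (verdict, reason) for one @ref of the Xygeni action."""
    if SHA_RE.match(ref):
        return "pinned-sha", "immutable commit pin; confirm it belongs to a 6.4.0+ release"
    if ref == AFFECTED_TAG:
        return "update-required", "v5 tag was repointed to a malicious commit"
    m = VERSION_RE.match(ref)
    if not m:
        return "update-required", f"unrecognised ref {ref!r}; pin to a 6.4.0+ release"
    parts = tuple(int(p) for p in m.groups() if p is not None)
    if len(parts) < 3:  # e.g. v6: a mutable major tag, cannot be verified offline
        return "update-required", f"mutable tag {ref}; cannot verify it resolves to 6.4.0+"
    if parts < FIXED_VERSION:
        return "update-required", f"{ref} predates the 6.4.0 fix"
    return "ok", f"{ref} is 6.4.0 or later"

def audit_workflow(text):
    """Scan workflow YAML text; return (line, ref, verdict, reason) per Xygeni reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and m.group(1).lower() == ACTION_REPO:
            verdict, reason = classify_ref(m.group(2))
            findings.append((lineno, m.group(2), verdict, reason))
    return findings

# Constructed sample workflow (not from any real repository).
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: xygeni/xygeni-action@v5       # constructed: still on the repointed tag
      - uses: xygeni/xygeni-action@v6.4.0   # constructed: fixed release
      - uses: xygeni/xygeni-action@0000000000000000000000000000000000000000  # constructed SHA
"""

if __name__ == "__main__":
    for lineno, ref, verdict, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: @{ref} -> {verdict} ({reason})")
```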

Added: Mar 11, 2026, 8:24 PM
Updated: Mar 11, 2026, 8:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 5.7
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.