The Mutable Tag Trap: Critical 9.4 CVSS Attack on Xygeni GitHub Action Exposes CI/CD Pipelines

In a sophisticated supply chain manipulation, the xygeni-action GitHub Action was recently targeted by a critical “tag poisoning” attack. On March 3, 2026, an attacker utilized compromised credentials to bypass standard branch protections, injecting a Command and Control (C2) backdoor into a version tag that many developers inherently trust.

The vulnerability, tracked as CVE-2026-31976, carries a CVSS score of 9.4, reflecting the extreme risk posed to CI/CD pipelines.

The attack began when a threat actor created several unmerged pull requests containing obfuscated shell code. While branch protection rules successfully blocked these PRs from the main branch, the attacker exploited compromised GitHub App credentials to perform a “tag poisoning” maneuver.

The report explains the technical loophole: the attacker moved “the mutable v5 tag to point at the malicious commit… from one of the unmerged PRs”. Because this commit remained in the git object store, “any workflow referencing @v5 would fetch and execute it” despite it never being officially merged.

Disguised as a harmless “scanner version telemetry” step, the malicious implant was designed for maximum stealth and persistence within the CI runner environment. Once triggered, the backdoor followed a three-step operational cycle:

• Registration: The CI runner registered with a C2 server, transmitting the hostname, username, and OS version.
• Execution: For 180 seconds, the implant polled the server every few seconds, “receiving and executing arbitrary shell commands via eval”.
• Exfiltration: Command outputs were compressed, base64-encoded, and sent back to the attacker.

To further evade detection, the implant used randomized polling intervals, skipped TLS verification, and suppressed all error messages.

The exposure window lasted approximately six days, from March 3 to March 10, 2026. While the impact is potentially devastating, the realized risk was somewhat contained. The report notes that “the v5 tag was primarily referenced by Xygeni-owned and Xygeni-affiliated repositories” and that no external public repositories have been confirmed as victims yet.

Xygeni has removed the compromised v5 tag, meaning any workflows still pointing to it will now fail with a “reference not found” error. To restore security, administrators must take immediate action:

1. Pin to a Safe Commit: Update workflows to use the verified commit SHA for v6.4.0: xygeni/xygeni-action@13c6ed2797df7d85749864e2cbcf09c893f43b23.
2. Rotate Secrets: “Rotate all secrets that were available to the CI runner” including cloud tokens, deploy keys, and repository secrets.
3. Audit and Review: Check CI logs for connections to the malicious IP 91.214.78.178 and inspect recent artifacts for signs of tampering.

For those looking to bypass the GitHub Action entirely, Xygeni recommends their direct CLI installation method, which remains unaffected by this incident.