xygeni-action Compromised: C2 Reverse Shell Backdoor Injected via Tag Poisoning

Published:

24 March 2026 at 14:25:07

Alert date:

24 March 2026 at 15:05:59

Source:

stepsecurity.io


Supply Chain & Dependencies

The official Xygeni GitHub Action (xygeni-action) was compromised on March 3, 2026, when attackers used stolen maintainer credentials to inject a C2 reverse shell backdoor. The attackers silently moved the mutable v5 tag to point to the malicious commit, affecting all repositories using @v5 without any visible changes to workflow files. The v5 tag remained poisoned as of March 9, 2026. Users were advised to immediately pin to v6.4.0 or a specific commit SHA. StepSecurity's Harden-Runner could have detected and blocked the C2 callback to the malicious IP address 91.214.78.178.
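The core of this incident is that a mutable tag (`v5`) was retargeted to a malicious commit, so nothing in the consuming repositories' workflow files changed. The practical defender check is therefore an inventory of every `uses:` reference in your workflows, classified by whether it points at an immutable 40-hex commit SHA or at a movable tag or branch. The script below is an added example, not code from the advisory, StepSecurity or Xygeni; it assumes the action's slug is `xygeni/xygeni-action` (the advisory names only `xygeni-action`) and scans a constructed sample workflow embedded inline. It flags any reference to the assumed slug at `@v5` as critical and every other non-SHA reference as a warning, which is the general pin-everything rule of which this incident is one instance.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (not taken from the advisory or any real repo).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Xygeni scan
        uses: xygeni/xygeni-action@v5
      - uses: xygeni/xygeni-action@v6.4.0
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""

# Assumed owner/repo slug for the compromised action; the advisory only says "xygeni-action".
AFFECTED_ACTION = "xygeni/xygeni-action"
# Refs the advisory reports as poisoned.
AFFECTED_REFS = {"v5"}

# Matches "- uses: owner/repo@ref" and the "uses:" continuation line under a "- name:" step.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"#\s]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    kind: str      # "sha", "mutable", "local", "docker"
    severity: str  # "info", "warn", "critical"


def classify(action: str, ref: str) -> tuple[str, str]:
    """Return (kind, severity) for a remote action reference."""
    if action == AFFECTED_ACTION and ref in AFFECTED_REFS:
        # Exactly the poisoned tag from the advisory: workflow text looks unchanged,
        # but the tag now resolves to the backdoored commit.
        return "mutable", "critical"
    if SHA_RE.match(ref):
        # A full commit SHA cannot be silently retargeted by a tag move.
        return "sha", "info"
    # Any tag (including a full version tag such as v6.4.0) or branch name is still
    # mutable; the advisory accepts v6.4.0 as a remediation, but a SHA is the stronger pin.
    return "mutable", "warn"


def scan_workflow(text: str) -> list[Finding]:
    """Scan workflow YAML line by line and classify every `uses:` reference."""
    findings: list[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = USES_RE.match(raw)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./"):
            findings.append(Finding(n, target, "", "local", "info"))
        elif target.startswith("docker://"):
            findings.append(Finding(n, target, "", "docker", "info"))
        else:
            action, _, ref = target.partition("@")
            kind, severity = classify(action, ref)
            findings.append(Finding(n, action, ref, kind, severity))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a CI gate can fail on 'critical' or 'warn'."""
    counts = {"info": 0, "warn": 0, "critical": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = scan_workflow(SAMPLE_WORKFLOW)
    for f in results:
        ref = f"@{f.ref}" if f.ref else ""
        print(f"line {f.line:>3}  {f.severity:<8} {f.kind:<8} {f.action}{ref}")
    print("summary:", summarize(results))
```

Run it against each `.github/workflows/*.yml` in a repository (for example by reading the file into `scan_workflow`) and fail the pipeline on any `critical` finding; treating `warn` as a failure enforces SHA pinning across the board, which is the only setting under which a future tag move of any action would be a no-op for you.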

Technical details

Mitigation steps:

Affected products:

Xygeni GitHub Action
xygeni-action

Related links:

Related CVEs:

Related threat actors:

IOCs:

91.214.78.178

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
