Perceptive Security
SOC/SIEM Consultancy

xygeni-action Compromised: C2 Reverse Shell Backdoor Injected via Tag Poisoning
Published:
9 March 2026 at 22:57:50
Alert date:
9 March 2026 at 23:01:18
Source:
stepsecurity.io
Supply Chain & Dependencies
The official Xygeni GitHub Action (xygeni-action) was compromised on March 3, 2026, when attackers used stolen maintainer credentials to inject a C2 reverse shell backdoor. The attackers moved the mutable v5 tag to point to the malicious commit, so every repository referencing the action as @v5 picked up the backdoor without any visible change to its workflow files. The v5 tag remained poisoned as of March 9, 2026. Users are advised to pin to v6.4.0 or to a specific commit SHA. StepSecurity's Harden-Runner could have detected and blocked the C2 callback to 91.214.78.178. This is a sophisticated supply chain attack that relies on tag poisoning.
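As an added example (not code from the advisory, from Xygeni or from StepSecurity), the following script audits a workflow file for third-party actions referenced by a mutable tag instead of a full commit SHA, and flags the poisoned xygeni-action@v5 reference specifically. The `xygeni/xygeni-action` owner path, the sample workflow and the 40-hex SHA are assumptions and constructed placeholders.

```python
import re

# Constructed sample workflow (not from the original page): the weak @v5
# reference next to a SHA-pinned one. The SHA is a placeholder, not v6.4.0's.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: xygeni/xygeni-action@v5
      - uses: xygeni/xygeni-action@0123456789abcdef0123456789abcdef01234567
"""

# Matches "uses: owner/repo[/subpath]@ref" on a step line.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[\w./-]+)?@(\S+)")
# A full 40-hex commit SHA is the only reference GitHub cannot silently re-point.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Known-poisoned (repo suffix, tag) pairs from the advisory.
POISONED = {("xygeni-action", "v5")}


def classify(repo, ref):
    """Return 'pinned_sha', 'known_poisoned' or 'mutable_tag' for one reference."""
    if SHA_RE.match(ref):
        return "pinned_sha"
    if (repo.rsplit("/", 1)[-1], ref) in POISONED:
        return "known_poisoned"
    return "mutable_tag"


def audit_workflow(text):
    """Scan workflow text; return (line number, repo, ref, status) per 'uses:' line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a step that references an external action
        repo, ref = m.group(1), m.group(2)
        findings.append((lineno, repo, ref, classify(repo, ref)))
    return findings


if __name__ == "__main__":
    for lineno, repo, ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {repo}@{ref} -> {status}")
```

Run it over each file under .github/workflows/ in a repository; any `known_poisoned` hit needs immediate re-pinning, and `mutable_tag` hits are the candidates for pinning to a full SHA.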
Affected products:
xygeni-action
GitHub Actions
IOCs:
91.214.78.178
This article was created with the assistance of AI technology by Perceptive.
