xygeni-action Compromised: C2 Reverse Shell Backdoor Injected via Tag Poisoning

The official Xygeni GitHub Action (xygeni-action) was compromised on March 3, 2026, when attackers used stolen maintainer credentials to inject a C2 reverse shell backdoor. The attackers silently moved the mutable v5 tag to point to the malicious commit, affecting all repositories using @v5 without any visible changes to workflow files. The v5 tag remained poisoned as of March 9, 2026. Users were advised to immediately pin to v6.4.0 or a specific commit SHA. StepSecurity's Harden-Runner could have detected and blocked the C2 callback to the malicious IP address 91.214.78.178.