Nick2Bad4U

CVSS 9.8
PT-2026-24808
2026-03-11
Git · Xygeni-Action · CVE-2026-31976
**Name of the Vulnerable Software and Affected Versions**

xygeni-action versions prior to v6.4.0

**Description**

The xygeni-action GitHub Action was subject to a supply chain compromise through tag poisoning. An attacker obtained compromised GitHub App credentials and used them to redirect the mutable `v5` tag to a malicious commit. Because a tag reference is resolved at run time, every workflow that referenced the `v5` tag during the affected window executed the attacker's commit, which ran a command and control (C2) implant on the CI runner for up to 180 seconds per workflow run.

The malicious code registered the CI runner with a C2 server at `91.214.78.178` (via `security-verify.91.214.78.178.nip.io`), transmitted system information, and received and executed arbitrary shell commands via `eval`. The implant suppressed errors, skipped TLS certificate verification, and used randomized polling intervals to evade detection.

The affected window was approximately March 3–10, 2026. The malicious code was introduced through pull requests (#46, #47, #48) that injected obfuscated shell code into the `action.yml` file, disguised as a "scanner version telemetry" step.

**Recommendations**

Update workflows to pin to the verified safe commit SHA corresponding to v6.4.0:

```yaml
uses: xygeni/xygeni-action@13c6ed2797df7d85749864e2cbcf09c893f43b23 # v6.4.0
```

Rotate all secrets that were available to the CI runner during the affected window; anything exposed to the job environment must be treated as captured by the implant. Audit CI logs for outbound connections to `91.214.78.178` or DNS lookups for `security-verify.91.214.78.178.nip.io`. Review recent releases and published artifacts for signs of tampering. As an alternative, install and run the Xygeni scanner directly via the CLI installation method.
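The two audit steps above, pinning to a full commit SHA and searching CI logs for the indicators, can be scripted. The following Python is an added example written for this page, not code from Xygeni or from the advisory: it flags every `uses:` reference in a workflow that is not pinned to a 40-hex commit SHA (local `./` and `docker://` references are skipped, since SHA pinning does not apply to them), flags any `xygeni/xygeni-action` pin that differs from the verified v6.4.0 commit, and reports log lines containing the advisory's indicators. The sample workflow and log lines are constructed; the checkout SHA in the sample is a placeholder, not a real commit.

```python
"""Audit GitHub Actions workflows for mutable action refs and CI logs for IOCs.

Added example for this advisory page, not Xygeni's code. Sample inputs below
are constructed for illustration.
"""
import re
from typing import List, Tuple

# A ref is considered pinned only if it is a full 40-hex commit SHA.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo[/path]@ref` with or without a leading list dash/quotes.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"\s#]+)")

# Indicators from the advisory; the hostname is listed first so it is reported
# in preference to the bare IP it contains.
IOCS = ("security-verify.91.214.78.178.nip.io", "91.214.78.178")
# Verified safe pin for xygeni/xygeni-action (v6.4.0), from the advisory.
SAFE_XYGENI_SHA = "13c6ed2797df7d85749864e2cbcf09c893f43b23"


def find_unpinned_uses(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ref, reason) for each `uses:` that is not safely pinned."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local or container action: SHA pinning does not apply
        if "@" not in ref:
            findings.append((n, ref, "no ref at all (defaults to default branch)"))
            continue
        action, version = ref.rsplit("@", 1)
        if not FULL_SHA.match(version):
            findings.append((n, ref, f"mutable ref {version!r}; pin to a 40-hex commit SHA"))
        elif action.split("/")[:2] == ["xygeni", "xygeni-action"] and version != SAFE_XYGENI_SHA:
            findings.append((n, ref, "xygeni-action SHA differs from the verified v6.4.0 pin; review"))
    return findings


def find_ioc_hits(log_text: str, iocs: Tuple[str, ...] = IOCS) -> List[Tuple[int, str]]:
    """Return (line_no, indicator) for each log line containing an advisory IOC."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for ioc in iocs:
            if ioc in line:
                hits.append((n, ioc))
                break  # one report per line is enough
    return hits


# Constructed sample workflow. The checkout SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder pin
      - uses: ./.github/actions/setup
      - uses: xygeni/xygeni-action@v5
      - uses: docker://alpine:3.20
      - name: pinned xygeni
        uses: xygeni/xygeni-action@13c6ed2797df7d85749864e2cbcf09c893f43b23 # v6.4.0
"""

# Constructed sample CI log lines (not a real runner transcript).
SAMPLE_LOG = """\
2026-03-05T10:12:01Z Run xygeni/xygeni-action@v5
2026-03-05T10:12:02Z Scanner version telemetry
2026-03-05T10:12:03Z resolving security-verify.91.214.78.178.nip.io
2026-03-05T10:12:04Z Scan complete, 0 findings
"""

if __name__ == "__main__":
    for n, ref, reason in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"workflow line {n}: {ref}: {reason}")
    for n, ioc in find_ioc_hits(SAMPLE_LOG):
        print(f"log line {n}: indicator {ioc}")
```

Run against a checkout with `find_unpinned_uses(open(path).read())` for each file under `.github/workflows/`. The script deliberately treats any non-SHA ref as a finding, including semver tags such as `v5`, because a tag is exactly what the attacker moved here; a SHA pin only helps if the SHA itself came from a trusted source, which is why the advisory publishes the v6.4.0 commit explicitly.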