PT-2026-24808 · Git+2 · Xygeni-Action+1
Nick2Bad4U · Published 2026-03-11 · Updated 2026-03-12 · CVE-2026-31976
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: xygeni-action versions prior to v6.4.0
Description: The xygeni-action GitHub Action was subject to a supply chain compromise through tag poisoning. An attacker gained access to compromised GitHub App credentials and used them to redirect the mutable v5 tag to a malicious commit. This allowed the execution of a command and control (C2) implant on CI runners for up to 180 seconds per workflow run. The malicious code registered the CI runner with a C2 server at 91.214.78.178 (via security-verify.91.214.78.178.nip.io), transmitted system information, and received and executed arbitrary shell commands via eval. The implant suppressed errors, skipped TLS certificate verification, and used randomized polling intervals to evade detection. The affected window was approximately March 3–10, 2026. The malicious code was introduced through pull requests (#46, #47, #48) that injected obfuscated shell code into the action.yml file, disguised as a "scanner version telemetry" step.
Recommendations: Update workflows to pin to the verified safe commit SHA corresponding to v6.4.0:
uses: xygeni/xygeni-action@13c6ed2797df7d85749864e2cbcf09c893f43b23 # v6.4.0
Rotate all secrets that were available to the CI runner during the affected window. Audit CI logs for outbound connections to 91.214.78.178 or DNS lookups for security-verify.91.214.78.178.nip.io. Review recent releases and published artifacts for signs of tampering. As an alternative, install and run the Xygeni scanner directly via the CLI installation method.
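The two checks recommended above (find `uses:` references that are not pinned to a full commit SHA, and search runner logs for the published indicators) as a small added Python script; this is example code, not part of the advisory or of the Xygeni project. It matches `uses:` lines with a regex rather than a full YAML parser, and the workflow and log lines embedded in it are constructed samples.

```python
import re

# A full 40-hex commit SHA is the only immutable form of a `uses:` ref.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `uses: owner/repo[/path]@ref`, optionally followed by a "# comment".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")

# Indicators published in the advisory (C2 address and its nip.io name).
C2_INDICATORS = ("91.214.78.178", "security-verify.91.214.78.178.nip.io")


def audit_uses(workflow_text):
    """Return (action, ref, pinned) for every `uses:` line in a workflow.

    A ref counts as pinned only when it is a full commit SHA; tags such
    as v5 are mutable and can be redirected, which is what happened here.
    """
    results = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            action, ref = m.group(1), m.group(2)
            results.append((action, ref, bool(SHA_RE.match(ref))))
    return results


def find_c2_indicators(log_lines):
    """Return the log lines that mention either advisory indicator."""
    return [ln for ln in log_lines if any(ind in ln for ind in C2_INDICATORS)]


# Constructed sample workflow: one mutable tag pin, one SHA pin.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: xygeni/xygeni-action@v5
      - uses: xygeni/xygeni-action@13c6ed2797df7d85749864e2cbcf09c893f43b23 # v6.4.0
"""

# Constructed sample runner log lines (not real captured output).
SAMPLE_LOG = [
    "2026-03-05T10:02:11Z curl: connected to security-verify.91.214.78.178.nip.io",
    "2026-03-05T10:02:12Z scanner version telemetry step finished",
    "2026-03-05T10:02:13Z POST https://91.214.78.178/ ... 200",
]

if __name__ == "__main__":
    for action, ref, pinned in audit_uses(SAMPLE_WORKFLOW):
        print(("OK  " if pinned else "WARN") + f" {action}@{ref}")
    for hit in find_c2_indicators(SAMPLE_LOG):
        print("IOC ", hit)
```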

Tags: Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

CVE-2026-31976
GHSA-F8Q5-H5QH-33MH

Affected Products

Xygeni-Action
Xygeni/Xygeni-Action