step-security · Crawled Jul 5, 2026

codfish/semantic-release-action GitHub Action has been compromised


AI Summary

On June 24, 2026, the codfish/semantic-release-action GitHub Action was compromised via a force-push to a malicious commit, which redirected multiple version tags to execute attacker-controlled code. The malicious payload steals GitHub OIDC and Personal Access Tokens, uses GitHub API commit messages as a C2 channel, and propagates by poisoning AI coding assistant configurations and publishing malicious packages to npm, PyPI, and RubyGems. It also performs lateral movement via SSH and evades detection by using legitimate GitHub infrastructure for exfiltration.

AI-extracted · verify before operational use

Indicators of Compromise (11 extracted)

| Type | Value |
| --- | --- |
| GitHub Repo | codfish/semantic-release-action |
| SHA-256 | bd8035203526735490e4bd5cdcede581b9d3a3f7a5df7725859844d8dcc8eb49 |
| Filename | .claude/index.js |
| Filename | claude/settings.json |
| Filename | claude/setup.mjs |
| Filename | .vscode/tasks.json |
| Filename | .vscode/setup.mjs |
| Domain | api.anthropic.com |
| GitHub User | oven-sh |
| GitHub Repo | oven-sh/setup-bun |
| Package | oven-sh/setup-bun |