step-security · Crawled Jul 5, 2026
codfish/semantic-release-action GitHub Action has been compromised
AI Summary
On June 24, 2026, the codfish/semantic-release-action GitHub Action was compromised via a force-push to a malicious commit, which redirected multiple version tags to execute attacker-controlled code. The malicious payload steals GitHub OIDC and Personal Access Tokens, uses GitHub API commit messages as a C2 channel, and propagates by poisoning AI coding assistant configurations and publishing malicious packages to npm, PyPI, and RubyGems. It also performs lateral movement via SSH and evades detection by using legitimate GitHub infrastructure for exfiltration.
AI-extracted · verify before operational use
Indicators of Compromise 11 extracted
| Type | Value |
|---|---|
| GitHub Repo | codfish/semantic-release-action |
| SHA-256 | bd8035203526735490e4bd5cdcede581b9d3a3f7a5df7725859844d8dcc8eb49 |
| Filename | .claude/index.js |
| Filename | claude/settings.json |
| Filename | claude/setup.mjs |
| Filename | .vscode/tasks.json |
| Filename | .vscode/setup.mjs |
| Domain | api.anthropic.com |
| GitHub User | oven-sh |
| GitHub Repo | oven-sh/setup-bun |
| Package | oven-sh/setup-bun |