Feed
CriticalPublished 24 Jun 20261 package · 14 versions

codfish/semantic-release-action — 16 tags retargeted to Miasma imposter commit

Summary

On 2026-06-24 at 15:39:06 UTC an attacker force-pushed two imposter commits to codfish/semantic-release-action and repointed 16 tags — including the floating majors v2, v3, v4, v5 — to them. Any workflow pinned by tag pulls 781,580 bytes of obfuscated JavaScript that searches GitHub commit-search for the thebeautifulsnadsoftime Miasma dead-drop channel and eval()s any signed payload, exfiltrating GITHUB_TOKEN and NPM_TOKEN from release workflows.

ci-cd-compromisemaintainer-takeovercredential-theftobfuscation
Detected by
Aikido Security
Also known as
Miasma tag hijack · codfish action hijack
Ecosystems
GitHub Actions
Packages tracked
1

What happened

On 2026-06-24 at 15:39:06 UTC an attacker with push access to codfish/semantic-release-action force-pushed two imposter commits to the repository and moved 16 git tags onto them. The first commit picked up 15 tags — v2.2.1, the entire v3 line (v3, v3.0.0 through v3.5.0), the entire v4 line (v4, v4.0.0, v4.0.1), and the entire v5 line (v5, v5.0.0). The second commit, a direct child of the first, took the v2 floating major tag. Aikido Security disclosed the compromise the same day.

Because GitHub Actions resolves tag references at workflow-run time, every consumer pinned by tag — codfish/semantic-release-action@v2, @v3, @v4, @v5, or any specific point release in the list above — pulls the attacker-controlled dist/index.js on its next run. Only workflows pinned to a known-clean full commit SHA are unaffected. The action has been the standard semantic-release wiring on GitHub Actions since 2019 and is referenced from thousands of public release workflows, almost all of which hold both a GITHUB_TOKEN and an NPM_TOKEN with publish access — exactly the credential blend an attacker wants from a release pipeline.

The injected dist/index.js is 781,580 bytes of obfuscated JavaScript. Embedded in the obfuscated body is the literal string thebeautifulsnadsoftime — a single-letter transposition of TheBeautifulSandsOfTime, one of the dead-drop channels exposed when the Miasma credential-stealer toolkit leaked publicly on 2026-06-10. Instead of beaconing to attacker infrastructure, the implant periodically queries GitHub's public commit-search API for that marker string, treats any matching commit body as a signed command, and runs it through eval(). This steganographic command channel means there is no outbound domain to block — defenders have to detect at the inbound (workflow-content) layer.

  • Imposter-commit pattern is identical to the 2026-05-19 actions-cool/issues-helper campaign, but the payload family is Miasma rather than the TeamPCP Bun stealer, suggesting reuse of the leaked Miasma kit by a separate operator.
  • GitHub flagged both commits with the "this commit does not belong to any branch" warning, indicating they were force-pushed via the API and never merged onto a branch.
  • As of disclosure the maintainer had not posted a clean SHA to revert to; consumers are advised to migrate to cycjimmy/semantic-release-action or call semantic-release directly until an official remediation lands.

Affected packages (1)

  • GitHub Actionscodfish/semantic-release-action
    v2v2.2.1v3v3.0.0v3.1.0v3.2.0v3.3.0v3.4.0v3.5.0v4v4.0.0v4.0.1v5v5.0.0

Impact

  • GITHUB_TOKEN, NPM_TOKEN, and any other secrets reachable from semantic-release workflows exfiltrated on the next run after 2026-06-24 15:39 UTC
  • Cross-repo write access: hijacked GITHUB_TOKEN permits pushes to the calling repo for the duration of the workflow, enabling secondary tag hijacks downstream
  • Tag-based pinning (@v1@v5, semver ranges) is fully bypassed — only full-SHA pins resist this attack class
  • C2 is steganographic: payload polls GitHub's public commit-search API for the thebeautifulsnadsoftime Miasma marker, so no outbound domain to block
  • Standard wiring since 2019 — action is referenced from thousands of public release workflows; npm publish-token compromise is the primary risk

What to do

  1. 1Stop using codfish/semantic-release-action immediately, OR pin to a verified-clean full commit SHA from before 2026-06-24 15:39 UTC (e.g. the v5.0.0 SHA prior to the force-push — verify the SHA against the maintainer's public statement before trusting)
  2. 2Treat every workflow run that consumed the action between 2026-06-24 15:39 UTC and your remediation as a credential-compromise event. Rotate NPM_TOKEN, GitHub PATs, and any other secret exposed to the workflow
  3. 3Audit the npm publish history of every package whose release workflow used this action since 2026-06-24 for unexpected versions; treat anything published from a compromised workflow as untrusted
  4. 4Grep your codebase for the literal string thebeautifulsnadsoftime in any dependency dist/; presence indicates a Miasma-family payload was downloaded
  5. 5Enforce SHA-pinning org-wide for third-party Actions (StepSecurity / dependabot.yml / OPA gate) — tag-pinning is fundamentally insecure against maintainer-account compromise
  6. 6Migrate to a maintained alternative (cycjimmy/semantic-release-action, or call npx semantic-release directly from your workflow) pending an official clean release from the codfish project

References

github-actions-2026-06-24-codfish-semantic-release-action-hijack