www.wiz.io
Compromised GitHub Actions Lead to CI/CD Secrets Theft
On June 24, 2026, the codfish/semantic-release-action GitHub Action was compromised through an imposter commit attack. An attacker force-pushed malicious commits and retargeted sixteen release tags to point at them, so any workflow that referenced the action by one of those tags executed the attacker's code on its next run. Workflows that use this action for automated releases typically hold sensitive credentials such as GITHUB_TOKEN and NPM_TOKEN, which makes the action a prime target for secrets theft. Because a Git tag is a mutable pointer, rewriting it to a new commit is invisible to a workflow that resolves `uses: owner/action@vN` at run time; the commits were also crafted to resemble legitimate ones, further obscuring the change. The incident continues a pattern of GitHub Actions supply-chain compromises, following the tj-actions compromise in March 2025. GitHub has since added security measures, but the underlying risk of consuming third-party actions through mutable tags remains. The codfish/semantic-release-action has over 100 stars, indicating that a significant number of repositories may have been exposed.
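The defensive check that follows from the attack above is to find every third-party action a workflow consumes through a mutable ref (a tag or branch) and pin it to an immutable 40-hex commit SHA, since a SHA cannot be retargeted the way the sixteen tags here were. The script below is an added example written for this page, not code from Wiz or from the codfish/semantic-release-action project; the workflow text, the placeholder SHA and the `resolved` mapping are all constructed for illustration, and in practice the SHA for each tag would be looked up with `git ls-remote` against the action repository and reviewed before pinning.

```python
import re

# Constructed sample workflow (not from any real repository). It mixes a
# tag-pinned third-party action, a SHA-pinned one, a local action and an image.
SAMPLE_WORKFLOW = """
name: release
on:
  push:
    branches: [main]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: codfish/semantic-release-action@v3
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

# group(1): indentation and the 'uses:' key; group(2): the action reference.
USES_RE = re.compile(r"^(\s*-?\s*uses:\s*)([^\s#]+)", re.MULTILINE)
# A full-length lowercase hex commit id is the only immutable form of a ref.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def _split_spec(spec):
    """Return (action, ref) for 'owner/repo[/path]@ref'; ref is None if absent."""
    spec = spec.strip("'\"")
    if "@" not in spec:
        return spec, None
    action, ref = spec.rsplit("@", 1)
    return action, ref


def _is_git_action(spec):
    """Local actions and container images are not fetched from a git ref."""
    spec = spec.strip("'\"")
    return not (spec.startswith("./") or spec.startswith("docker://"))


def find_mutable_pins(workflow_text):
    """List (action, ref) pairs that resolve a tag/branch at run time.

    A ref that is not a 40-hex SHA can be moved by whoever controls the
    action repository, which is exactly what the tag retargeting above abused.
    """
    findings = []
    for m in USES_RE.finditer(workflow_text):
        spec = m.group(2)
        if not _is_git_action(spec):
            continue
        action, ref = _split_spec(spec)
        if ref is None or not SHA_RE.match(ref):
            findings.append((action, ref))
    return findings


def pin_to_sha(workflow_text, resolved):
    """Rewrite mutable refs to SHAs using a {(action, ref): sha} mapping.

    The original tag is preserved as a trailing comment so the pin stays
    readable and tooling can still see which release it was meant to track.
    Entries with no mapping are left untouched so nothing is pinned blindly.
    """
    def repl(m):
        spec = m.group(2)
        if not _is_git_action(spec):
            return m.group(0)
        action, ref = _split_spec(spec)
        if ref is None or SHA_RE.match(ref):
            return m.group(0)
        sha = resolved.get((action, ref))
        if sha is None or not SHA_RE.match(sha):
            return m.group(0)
        return f"{m.group(1)}{action}@{sha} # {ref}"
    return USES_RE.sub(repl, workflow_text)


if __name__ == "__main__":
    for action, ref in find_mutable_pins(SAMPLE_WORKFLOW):
        print(f"mutable pin: {action}@{ref}")
    # Placeholder SHA for illustration only; look the real one up per tag.
    resolved = {("codfish/semantic-release-action", "v3"): "f" * 40}
    print(pin_to_sha(SAMPLE_WORKFLOW, resolved))
```

Running the detector over the constructed workflow reports `actions/checkout@v4` and `codfish/semantic-release-action@v3` as mutable pins and passes the SHA-pinned `setup-node` step; the rewrite pins only the entry that has a resolved SHA, so `checkout@v4` is still flagged afterwards until it is resolved too. Pinning removes the tag-retargeting vector but does not remove the need to review the pinned commit itself, which is why the tag comment is kept beside the SHA.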
Key Points:
• The codfish/semantic-release-action was compromised via an imposter commit attack.
• Attackers force-pushed malicious commits and retargeted sixteen tags to execute harmful code.
• Workflows using the action may have exposed sensitive tokens such as GITHUB_TOKEN and NPM_TOKEN.