CVE-2026-31976
Tag Poisoning in xygeni-action GitHub Action Enables Remote Code Execution

Publication date: 2026-03-11

Last updated on: 2026-03-16

Assigner: GitHub, Inc.

Description
xygeni-action is the GitHub Action for Xygeni Scanner. On March 3, 2026, an attacker with access to compromised credentials created a series of pull requests (#46, #47, #48) injecting obfuscated shell code into action.yml. The PRs were blocked by branch protection rules and never merged into the main branch. However, the attacker used the compromised GitHub App credentials to move the mutable v5 tag to point at the malicious commit (4bf1d4e19ad81a3e8d4063755ae0f482dd3baf12) from one of the unmerged PRs. This commit remained in the repository's git object store, and any workflow referencing @v5 would fetch and execute it. This is a supply chain compromise via tag poisoning. Any GitHub Actions workflow referencing xygeni/xygeni-action@v5 during the affected window (approximately March 3–10, 2026) executed a C2 implant that granted the attacker arbitrary command execution on the CI runner for up to 180 seconds per workflow run.
Meta Information

  • Published: 2026-03-11
  • Last Modified: 2026-03-16
  • Generated: 2026-05-07
  • AI Q&A: 2026-03-11
  • EPSS Evaluated: 2026-05-05

Affected Vendors & Products

Vendor | Product | Version / Range
xygeni | xygeni-action | From 5.38.0 (inc) to 6.4.0 (inc)

CWE ID | Description
CWE-506 | The product contains code that appears to be malicious in nature.

AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-31976 is a critical supply chain vulnerability affecting the GitHub Action package xygeni/xygeni-action, specifically the mutable v5 tag. An attacker with compromised GitHub App credentials created pull requests injecting obfuscated malicious shell code into the action.yml file. Although these pull requests were blocked and never merged, the attacker moved the v5 tag to point to a malicious commit containing this code. As a result, any workflow referencing xygeni/xygeni-action@v5 during the affected period (approximately March 3–10, 2026) would fetch and execute this malicious code.

The malicious code masquerades as a scanner telemetry step and registers the CI runner with a command-and-control (C2) server, sending system details. It then polls the C2 server for up to 180 seconds to receive and execute arbitrary shell commands, exfiltrating the results back to the attacker. The attack operates stealthily to evade detection.


How can this vulnerability impact me?

This vulnerability allows an attacker to execute arbitrary commands on your continuous integration (CI) runners if your workflows reference the compromised v5 tag of xygeni/xygeni-action during the affected window. This can lead to unauthorized access, data exfiltration, and potential compromise of your build environment.

  • The attacker can register the CI runner with a remote command-and-control server.
  • The attacker can execute arbitrary shell commands on the CI runner for up to 180 seconds per workflow run.
  • Sensitive information such as system hostname, username, and OS version can be leaked.
  • The attacker can exfiltrate command output data back to their server.

Although the exposure window was short and primarily affected Xygeni-owned repositories, any user running workflows with the compromised tag was at risk.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves auditing CI logs for suspicious network activity and DNS lookups related to the malicious command-and-control (C2) server.

  • Check CI runner logs for outbound connections to IP 91.214.78.178.
  • Look for DNS queries to security-verify.91.214.78.178.nip.io.
  • Review recent workflow runs referencing xygeni/xygeni-action@v5 for unexpected command execution or errors.

Suggested commands to detect suspicious network activity might include:

  • Using grep or similar tools to search CI logs: grep -r '91.214.78.178' /path/to/ci/logs
  • Checking DNS query logs for the domain: grep -r 'security-verify.91.214.78.178.nip.io' /path/to/dns/logs
  • Monitoring network connections on CI runners during workflow execution: netstat -an | grep 91.214.78.178

[2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include removing the compromised v5 tag and updating workflows to use a safe, patched version.

  • Remove the compromised v5 tag from the repository to prevent workflows from fetching the malicious commit.
  • Update all workflows to use the patched version v6.4.0 by pinning to the verified safe commit SHA (13c6ed2797df7d85749864e2cbcf09c893f43b23).
  • Expect workflows still referencing @v5 to fail due to the tag removal.
  • Rotate all secrets accessible to the CI runner, including repository secrets, environment secrets, deploy keys, and cloud tokens, especially if workflows ran with @v5 during the affected period.
  • Audit CI logs for signs of tampering or suspicious outbound connections.

As a workaround, consider bypassing the GitHub Action entirely by installing and running the Xygeni scanner via the CLI method, which is unaffected by this incident.
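
An added example (not code from the advisory or from the Xygeni project) that audits workflow files for references to the action: it flags the poisoned v5 tag and any other mutable ref, and treats only the commit SHA the advisory lists as verified. The verdict labels, function names and the sample workflow fragment are constructed for illustration.

```python
import re
from pathlib import Path

ACTION = "xygeni/xygeni-action"
MALICIOUS_SHA = "4bf1d4e19ad81a3e8d4063755ae0f482dd3baf12"  # commit the v5 tag was moved to
SAFE_SHA = "13c6ed2797df7d85749864e2cbcf09c893f43b23"  # v6.4.0 per the advisory
# Verdict labels are this example's own, not GitHub or Xygeni terms.
KNOWN = {MALICIOUS_SHA: "malicious-commit", SAFE_SHA: "pinned-safe", "v5": "poisoned-tag"}

# "uses: owner/repo[/path]@ref", optionally quoted or a list item.
# Commented-out steps do not match because the line must start with "uses:".
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^@\s'"]+)@([^\s'"#]+)""")
SHA_RE = re.compile(r"[0-9a-f]{40}")

def classify(ref):
    """Classify the ref part of a reference to the action."""
    ref = ref.lower()
    if ref in KNOWN:
        return KNOWN[ref]
    if SHA_RE.fullmatch(ref):
        return "pinned-unverified"  # immutable, but not the SHA the advisory names
    return "mutable-ref"            # any tag or branch can be moved like v5 was

def audit_text(text, source="<string>"):
    """Return (source, line_no, ref, verdict) for every use of the action."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and m.group(1).lower().split("/")[:2] == ACTION.split("/"):
            findings.append((source, no, m.group(2), classify(m.group(2))))
    return findings

def audit_repo(root="."):
    """Audit every workflow file under <root>/.github/workflows."""
    files = sorted(Path(root).glob(".github/workflows/*.y*ml"))
    return [f for p in files for f in audit_text(p.read_text(encoding="utf-8"), str(p))]

# Constructed workflow fragment, used when no workflow files are found.
SAMPLE = """\
    steps:
      - uses: actions/checkout@v4
      - uses: xygeni/xygeni-action@v5
      - uses: xygeni/xygeni-action@13c6ed2797df7d85749864e2cbcf09c893f43b23 # v6.4.0
      # - uses: xygeni/xygeni-action@v5
      - uses: xygeni/xygeni-action@v6
"""

if __name__ == "__main__":
    for src, no, ref, verdict in audit_repo() or audit_text(SAMPLE, "sample"):
        print(f"{src}:{no}: {ACTION}@{ref} -> {verdict}")
```

A "poisoned-tag" finding means the workflow's runs from the affected window need the log review and secret rotation described above; "mutable-ref" findings are candidates for pinning to a full commit SHA.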

