Compromised GitHub action codfish/semantic-release-action steals CI/CD secrets

June 24, 2026

An alarming supply chain attack has targeted cloud development pipelines through the compromise of the popular GitHub Action codfish/semantic-release-action. Threat actors managed to hijack the repository and maliciously repointed existing mutable release tags ranging from v2 to v5. The updated tags point to a dangerous payload known as "Miasma," which actively scans runtime environments to extract high-value CI/CD secrets, cloud deployment credentials, and API access tokens. Because many engineering groups automatically pull these version tags during automated builds, the malware executes with the full permissions of the running pipeline, resulting in widespread cloud infrastructure exposure.Fixing this security breach requires teams to immediately scour all GitHub workflow configuration files (.github/workflows) and replace mutable version tags with immutable, verified Git commit SHAs for all third-party actions. Simultaneously, any secrets, private keys, or deployment tokens exposed to automated workflows using the compromised action must be assumed breached and rotated immediately.If you need expert assistance in identifying compromised packages, securing your CI/CD pipelines, or conducting an emergency supply chain audit, contact Cyberlinx today to protect your development environment.

Table of Contents
Resource Type
Threat Intel
Category
DevSecOps
Written by
Cyberlinx Research Team
Offensive Security Research Team
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?