{
  "title": "codfish/semantic-release-action GitHub Action Tag Hijack",
  "summary": "An attacker force-pushed a malicious composite action into codfish/semantic-release-action and moved fifteen published tags to that commit, exposing GitHub Actions runners that still trusted mutable refs such as v3, v4, and v5.",
  "date": "2026-06-24",
  "severity": "critical",
  "tags": [
    "supply-chain",
    "github-actions",
    "ci-cd",
    "credential-theft",
    "tag-hijack"
  ],
  "sources_count": 5,
  "indicators": {
    "slug": "codfish-semantic-release-action-tag-hijack",
    "since": "2026-06-24T15:39:06Z",
    "until": "2026-06-24T23:59:59Z",
    "ecosystem": "",
    "cves": [],
    "cwes": [],
    "advisoryIds": [],
    "products": [],
    "packages": [],
    "versions": [],
    "affectedVersions": [],
    "fixedVersions": [],
    "files": [],
    "paths": [],
    "services": [],
    "domains": [
      "Runner.Worker"
    ],
    "urls": [],
    "ips": [],
    "hashes": [
      "5792aba0e2180b9b80b77644370a6889d5817456",
      "8f9a58f2acdc190c356f79159b5de2548cdb63cd"
    ],
    "processPatterns": [],
    "networkPatterns": [],
    "telemetrySelectors": []
  }
}