{
  "title": "simonecorsi/mawesome GitHub Action Tag Hijack",
  "summary": "Mutable refs for simonecorsi/mawesome, including latest, v1, v2, and v2.2.0, currently resolve to a composite action that installs Bun and always runs an obfuscated JavaScript payload, exposing any GitHub Actions runner whose workflow still references those tags instead of a pinned commit SHA.",
  "date": "2026-06-25",
  "severity": "critical",
  "tags": [
    "supply-chain",
    "github-actions",
    "ci-cd",
    "credential-theft",
    "tag-hijack"
  ],
  "sources_count": 6,
  "indicators": {
    "slug": "simonecorsi-mawesome-tag-hijack",
    "since": "2026-06-25T00:00:00Z",
    "until": "2026-06-25T23:59:59Z",
    "ecosystem": "",
    "cves": [],
    "cwes": [],
    "advisoryIds": [],
    "products": [],
    "packages": [],
    "versions": [],
    "affectedVersions": [],
    "fixedVersions": [],
    "files": [],
    "paths": [],
    "services": [],
    "domains": [],
    "urls": [],
    "ips": [],
    "hashes": [
      "e339407b8e34dc1540290d1d310bccafbc6028ca",
      "4a665037e0619e2181c7cccc3291d75104175a92",
      "6e26314c306ed5ea744eb90ebc6f3f70298abcb5",
      "7a59a7d02b1fdf6432ea9467b8e31357217288f7"
    ],
    "processPatterns": [],
    "networkPatterns": [],
    "telemetrySelectors": []
  }
}