codfish/semantic-release-action GitHub Action Tag Hijack

Confirmed
Discovered Jun 24, 2026

An attacker force-pushed a malicious commit to codfish/semantic-release-action, replacing the composite action with an action.yml that installs Bun via oven-sh/setup-bun and runs an attacker-supplied index.js, then moved fifteen published tags to that commit. Any GitHub Actions workflow that referenced the action by a mutable ref such as v3, v4, or v5, rather than by a pinned commit SHA, pulled the malicious code on its next run.

Affected Packages: 10 | Observables: 9 | Sources: 5

Timeline

Date | Event | Description | Source
Jun 24, 2026 | Fresh source review | Reviewed direct and primary sources for the last-two-weeks supply-chain refresh; this preview intentionally excludes older Halting Problems article data. | Direct source

Affected Software

Package | Ecosystem | Version Range | Status | Confidence | Source
codfish/semantic-release-action | GitHub | v5.0.0 | Malicious | 90% | Direct source
codfish/semantic-release-action | GitHub | v5 | Malicious | 90% | Direct source
codfish/semantic-release-action | GitHub | v4.0.1 | Malicious | 90% | Direct source
codfish/semantic-release-action | GitHub | v4.0.0 | Malicious | 90% | Direct source
codfish/semantic-release-action | GitHub | v4 | Malicious | 90% | Direct source
codfish/semantic-release-action | GitHub | v3.5.0 | Malicious | 90% | Direct source
codfish/semantic-release-action | GitHub | v3.4.1 | Malicious | 90% | Direct source
codfish/semantic-release-action | GitHub | v3.4.0 | Malicious | 90% | Direct source
codfish/semantic-release-action | GitHub | v3.3.0 | Malicious | 90% | Direct source
codfish/semantic-release-action | GitHub | v3.2.0 | Malicious | 90% | Direct source

IOC Clipboard (9 IOCs)

url: https://raw.githubusercontent.com/codfish/semantic-release-action/5792aba0e2180b9b80b77644370a6889d5817456/action.yml
url: https://raw.githubusercontent.com/codfish/semantic-release-action/8f9a58f2acdc190c356f79159b5de2548cdb63cd/action.yml
hash (git commit SHA of the malicious revision): 5792aba0e2180b9b80b77644370a6889d5817456
hash (git commit SHA of the malicious revision): 8f9a58f2acdc190c356f79159b5de2548cdb63cd
file_path: action.yml
file_path: index.js
command: oven-sh/setup-bun
command: bun run $GITHUB_ACTION_PATH/index.js
command (observed behavior): Runner.Worker memory access
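The summary above turns on one mechanism: a tag is a mutable pointer, so a workflow that says `uses: codfish/semantic-release-action@v5` executes whatever commit v5 points at today. The following Python is an added example (not code from this page, from StepSecurity, or from the codfish project) of the two checks a practitioner wants: scan workflow text for `uses:` references and classify each ref as a pinned full SHA, a known-malicious commit, a tag the Affected Software table lists as moved, or a plain mutable ref; and parse `git ls-remote --tags` output to see whether any tag currently resolves to one of the two commit SHAs in the IOC list. The sample workflow and the ls-remote snapshot are constructed for the example, and the SHA 0123456789abcdef0123456789abcdef01234567 is a hypothetical pin, not a real revision.

```python
"""Audit workflow `uses:` refs and `git ls-remote --tags` output against the
commits and tags this page lists for codfish/semantic-release-action."""
import re

# Commit SHAs of the malicious action.yml revisions (from the IOC list above).
MALICIOUS_COMMITS = {
    "5792aba0e2180b9b80b77644370a6889d5817456",
    "8f9a58f2acdc190c356f79159b5de2548cdb63cd",
}

# Tags the Affected Software table lists as moved to the malicious commit.
HIJACKED_TAGS = {
    "v5.0.0", "v5", "v4.0.1", "v4.0.0", "v4",
    "v3.5.0", "v3.4.1", "v3.4.0", "v3.3.0", "v3.2.0",
}

TARGET_ACTION = "codfish/semantic-release-action"

# Matches `uses: owner/repo[/subdir]@ref`, tolerating a list dash and quotes;
# only owner/repo and ref are captured.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?([\w.-]+/[\w.-]+)(?:/[^@\s'"]+)?@([^\s'"]+)""",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_uses(workflow_text):
    """Return (action, ref) pairs for every `uses:` step, in file order."""
    return USES_RE.findall(workflow_text)


def classify_ref(action, ref):
    """Label one `uses:` reference.

    pinned            full 40-hex commit SHA that is not a known-bad commit
    malicious-commit  full SHA equal to a known-bad commit
    hijacked-tag      the affected action referenced by a tag the page lists as moved
    mutable           any other branch or tag name (re-pointable by the repo owner)
    """
    if FULL_SHA_RE.match(ref):
        return "malicious-commit" if ref in MALICIOUS_COMMITS else "pinned"
    if action == TARGET_ACTION and ref in HIJACKED_TAGS:
        return "hijacked-tag"
    return "mutable"


def audit_workflow(workflow_text):
    """Return [(action, ref, verdict), ...] for one workflow file's text."""
    return [(a, r, classify_ref(a, r)) for a, r in find_uses(workflow_text)]


def tags_pointing_at_malicious_commits(ls_remote_output):
    """Parse `git ls-remote --tags <url>` output ("<sha>\\t<ref>" per line) and
    return {tag: sha} for each tag resolving to a known-bad commit. Peeled
    annotated-tag lines (refs/tags/x^{}) are folded onto the plain tag name."""
    hits = {}
    for line in ls_remote_output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split("\t", 1)
        tag = ref[len("refs/tags/"):] if ref.startswith("refs/tags/") else ref
        if tag.endswith("^{}"):
            tag = tag[:-3]
        if sha in MALICIOUS_COMMITS:
            hits[tag] = sha
    return hits


# Constructed sample workflow; the 0123...4567 pin is a hypothetical SHA.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: codfish/semantic-release-action@v5
      - uses: "codfish/semantic-release-action@5792aba0e2180b9b80b77644370a6889d5817456"
      - uses: codfish/semantic-release-action@0123456789abcdef0123456789abcdef01234567  # hypothetical pin
"""

# Constructed `git ls-remote --tags` snapshot; the tag-to-SHA mapping here is
# illustrative, not a capture from the real repository.
SAMPLE_LS_REMOTE = (
    "5792aba0e2180b9b80b77644370a6889d5817456\trefs/tags/v5\n"
    "5792aba0e2180b9b80b77644370a6889d5817456\trefs/tags/v5.0.0^{}\n"
    "0123456789abcdef0123456789abcdef01234567\trefs/tags/v2.0.0\n"
)

if __name__ == "__main__":
    for action, ref, verdict in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{verdict:17} {action}@{ref}")
    print(tags_pointing_at_malicious_commits(SAMPLE_LS_REMOTE))
```

To run the second check against the live repository, feed it the output of `git ls-remote --tags https://github.com/codfish/semantic-release-action` instead of the constructed snapshot. Note that a "pinned" verdict only means the ref cannot be re-pointed; it says nothing about whether that commit's contents were ever reviewed, and any ref the scanner marks "mutable" for the affected action is still worth resolving and comparing against the IOC commits, since the page's tag list need not be exhaustive.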

Provenance & Sources

Source | Type | Reliability | Claims | Evidence
Direct source | direct | 95% | 1 | https://api.github.com/repos/codfish/semantic-release-action
Direct source | direct | 95% | 1 | https://api.github.com/repos/codfish/semantic-release-action/tags?per_page=100
Direct source | direct | 95% | 1 | https://raw.githubusercontent.com/codfish/semantic-release-action/5792aba0e2180b9b80b77644370a6889d5817456/action.yml
Direct source | direct | 95% | 1 | https://raw.githubusercontent.com/codfish/semantic-release-action/8f9a58f2acdc190c356f79159b5de2548cdb63cd/action.yml
Primary research | primary research | 95% | 1 | https://www.stepsecurity.io/blog/supply-chain-compromise-codfish-semantic-release-action