simonecorsi/mawesome GitHub Action Tag Hijack
Confirmed. Discovered Jun 25, 2026
Mutable refs for simonecorsi/mawesome including latest, v1, v2, and v2.2.0 currently resolve to a composite action that installs Bun and always runs an obfuscated JavaScript payload, exposing GitHub Actions runners that still trust those tags.
4 Affected Packages, 15 Observables, 5 Sources
Timeline
| Date | Event | Description | Source |
|---|---|---|---|
| Jun 25, 2026 | Fresh source review | Reviewed direct and primary sources for the last-two-weeks supply-chain refresh; this preview intentionally excludes older Halting Problems article data. | Direct source |
Affected Software
| Package | Ecosystem | Version Range | Status | Confidence | Source |
|---|---|---|---|---|---|
| simonecorsi/mawesome | GitHub | latest | Malicious | 90% | Direct source |
| simonecorsi/mawesome | GitHub | v1 | Malicious | 90% | Direct source |
| simonecorsi/mawesome | GitHub | v2 | Malicious | 90% | Direct source |
| simonecorsi/mawesome | GitHub | v2.2.0 | Malicious | 90% | Direct source |
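As an added defender-side example (not part of this advisory or of the mawesome project), the check below flags workflow `uses:` lines that still reference simonecorsi/mawesome through the affected tags listed above or any other mutable ref, and separately matches a composite action.yml against the pattern described in the summary (a Bun install followed by an unconditional `bun run $GITHUB_ACTION_PATH/index.js`). The sample workflow and action.yml are constructed; the `@v2` on setup-bun in the sample is an assumption.

```python
import re

# Mutable refs the advisory lists as resolving to the malicious composite action.
AFFECTED_REFS = {"latest", "v1", "v2", "v2.2.0"}
ACTION = "simonecorsi/mawesome"
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^@\s]+)@(\S+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def find_risky_uses(workflow_text: str) -> list:
    """Return (ref, reason) for every reference to the affected action that is
    not pinned to a full 40-hex commit SHA; a moved tag cannot redirect a SHA."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        repo, ref = m.group(1), m.group(2)
        if repo != ACTION or FULL_SHA_RE.match(ref):
            continue
        reason = "listed affected tag" if ref in AFFECTED_REFS else "mutable ref"
        findings.append((ref, reason))
    return findings

def looks_like_hijacked_action(action_yml: str) -> bool:
    """True when a composite action.yml shows both indicators from the advisory:
    it installs Bun and runs index.js from the action path."""
    return ("oven-sh/setup-bun" in action_yml
            and "bun run $GITHUB_ACTION_PATH/index.js" in action_yml)

# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: simonecorsi/mawesome@v2
      - uses: simonecorsi/mawesome@main
      - uses: simonecorsi/mawesome@0123456789abcdef0123456789abcdef01234567
"""

# Constructed sample action.yml carrying the indicators the advisory describes.
SAMPLE_ACTION_YML = """\
runs:
  using: composite
  steps:
    - uses: oven-sh/setup-bun@v2
    - run: bun run $GITHUB_ACTION_PATH/index.js
      shell: bash
"""

if __name__ == "__main__":
    for ref, reason in find_risky_uses(SAMPLE_WORKFLOW):
        print(f"{ACTION}@{ref}: {reason}")
    print("action.yml matches hijack pattern:", looks_like_hijacked_action(SAMPLE_ACTION_YML))
```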
IOC Clipboard (15 IOCs)
| Type | Value |
|---|---|
| url | https://raw.githubusercontent.com/simonecorsi/mawesome/v1/action.yml |
| url | https://raw.githubusercontent.com/simonecorsi/mawesome/main/action.yml |
| url | https://raw.githubusercontent.com/simonecorsi/mawesome/v1/index.js |
| hash | e339407b8e34dc1540290d1d310bccafbc6028ca |
| hash | 4a665037e0619e2181c7cccc3291d75104175a92 |
| hash | 6e26314c306ed5ea744eb90ebc6f3f70298abcb5 |
| hash | 7a59a7d02b1fdf6432ea9467b8e31357217288f7 |
| file_path | action.yml |
| file_path | index.js |
| command | oven-sh/setup-bun |
| command | bun run $GITHUB_ACTION_PATH/index.js |
| command | createCipheriv |
| command | createDecipheriv |
| command | pbkdf2Sync |
| command | VAULT_TOKEN |
Provenance & Sources
| Source | Type | Reliability | Claims | Evidence |
|---|---|---|---|---|
| Direct source | direct | 95% | 1 | https://api.github.com/repos/simonecorsi/mawesome/tags?per_page=100 |
| Direct source | direct | 95% | 1 | https://api.github.com/repos/simonecorsi/mawesome/commits/e339407b8e34dc1540290d1d310bccafbc6028ca |
| Direct source | direct | 95% | 1 | https://raw.githubusercontent.com/simonecorsi/mawesome/v1/action.yml |
| Direct source | direct | 95% | 1 | https://raw.githubusercontent.com/simonecorsi/mawesome/main/action.yml |
| Primary research | primary research | 95% | 1 | https://www.stepsecurity.io/blog/simonecorsi-mawesome-github-action-has-been-compromised |