codfish/semantic-release-action — 16 tags retargeted to Miasma imposter commit
On 2026-06-24 at 15:39:06 UTC an attacker force-pushed two imposter commits to codfish/semantic-release-action and repointed 16 tags — including the floating majors v2, v3, v4, v5 — to them. Any workflow pinned by tag pulls 781,580 bytes of obfuscated JavaScript that searches GitHub commit-search for the thebeautifulsnadsoftime Miasma dead-drop channel and eval()s any signed payload, exfiltrating GITHUB_TOKEN and NPM_TOKEN from release workflows.
- Detected by
- Aikido Security
- Also known as
- Miasma tag hijack · codfish action hijack
- Ecosystems
- GitHub Actions
- Packages tracked
- 1
What happened
On 2026-06-24 at 15:39:06 UTC an attacker with push access to codfish/semantic-release-action force-pushed two imposter commits to the repository and moved 16 git tags onto them. The first commit picked up 15 tags — v2.2.1, the entire v3 line (v3, v3.0.0 through v3.5.0), the entire v4 line (v4, v4.0.0, v4.0.1), and the entire v5 line (v5, v5.0.0). The second commit, a direct child of the first, took the v2 floating major tag. Aikido Security disclosed the compromise the same day.
Because GitHub Actions resolves tag references at workflow-run time, every consumer pinned by tag — codfish/semantic-release-action@v2, @v3, @v4, @v5, or any specific point release in the list above — pulls the attacker-controlled dist/index.js on its next run. Only workflows pinned to a known-clean full commit SHA are unaffected. The action has been the standard semantic-release wiring on GitHub Actions since 2019 and is referenced from thousands of public release workflows, almost all of which hold both a GITHUB_TOKEN and an NPM_TOKEN with publish access — exactly the credential blend an attacker wants from a release pipeline.
The injected dist/index.js is 781,580 bytes of obfuscated JavaScript. Embedded in the obfuscated body is the literal string thebeautifulsnadsoftime — a single-letter transposition of TheBeautifulSandsOfTime, one of the dead-drop channels exposed when the Miasma credential-stealer toolkit leaked publicly on 2026-06-10. Instead of beaconing to attacker infrastructure, the implant periodically queries GitHub's public commit-search API for that marker string, treats any matching commit body as a signed command, and runs it through eval(). This steganographic command channel means there is no outbound domain to block — defenders have to detect at the inbound (workflow-content) layer.
- Imposter-commit pattern is identical to the 2026-05-19
actions-cool/issues-helpercampaign, but the payload family is Miasma rather than the TeamPCP Bun stealer, suggesting reuse of the leaked Miasma kit by a separate operator. - GitHub flagged both commits with the "this commit does not belong to any branch" warning, indicating they were force-pushed via the API and never merged onto a branch.
- As of disclosure the maintainer had not posted a clean SHA to revert to; consumers are advised to migrate to
cycjimmy/semantic-release-actionor callsemantic-releasedirectly until an official remediation lands.
Affected packages (1)
- GitHub Actions
codfish/semantic-release-actionv2v2.2.1v3v3.0.0v3.1.0v3.2.0v3.3.0v3.4.0v3.5.0v4v4.0.0v4.0.1v5v5.0.0
Impact
GITHUB_TOKEN,NPM_TOKEN, and any other secrets reachable from semantic-release workflows exfiltrated on the next run after 2026-06-24 15:39 UTC- Cross-repo write access: hijacked
GITHUB_TOKENpermits pushes to the calling repo for the duration of the workflow, enabling secondary tag hijacks downstream - Tag-based pinning (
@v1–@v5, semver ranges) is fully bypassed — only full-SHA pins resist this attack class - C2 is steganographic: payload polls GitHub's public commit-search API for the
thebeautifulsnadsoftimeMiasma marker, so no outbound domain to block - Standard wiring since 2019 — action is referenced from thousands of public release workflows; npm publish-token compromise is the primary risk
What to do
- 1Stop using
codfish/semantic-release-actionimmediately, OR pin to a verified-clean full commit SHA from before 2026-06-24 15:39 UTC (e.g. thev5.0.0SHA prior to the force-push — verify the SHA against the maintainer's public statement before trusting) - 2Treat every workflow run that consumed the action between 2026-06-24 15:39 UTC and your remediation as a credential-compromise event. Rotate
NPM_TOKEN, GitHub PATs, and any other secret exposed to the workflow - 3Audit the
npm publishhistory of every package whose release workflow used this action since 2026-06-24 for unexpected versions; treat anything published from a compromised workflow as untrusted - 4Grep your codebase for the literal string
thebeautifulsnadsoftimein any dependencydist/; presence indicates a Miasma-family payload was downloaded - 5Enforce SHA-pinning org-wide for third-party Actions (StepSecurity /
dependabot.yml/ OPA gate) — tag-pinning is fundamentally insecure against maintainer-account compromise - 6Migrate to a maintained alternative (
cycjimmy/semantic-release-action, or callnpx semantic-releasedirectly from your workflow) pending an official clean release from the codfish project