codfish/semantic-release-action GitHub Action Tag Hijack
📰 Reddit r/cybersecurity
An attacker force-pushed a malicious composite action into codfish/semantic-release-action and moved fifteen published tags to that commit, exposing GitHub Actions runners that still trusted mutable refs such as v3, v4, and v5.
submitted by /u/halting_problems
DeepCamp AI