codfish/semantic-release-action GitHub Action Tag Hijack

📰 Reddit r/cybersecurity

An attacker force-pushed a malicious composite action into codfish/semantic-release-action and moved fifteen published tags to that commit, exposing GitHub Actions runners that still trusted mutable refs such as v3, v4, and v5. submitted by /u/halting_problems

Published 25 Jun 2026