Public incident reports describe a June 2026 compromise of codfish/semantic-release-action, a GitHub Action used for release automation [S1][S2]. Affected Action refs could execute untrusted code inside CI/CD jobs, where release tokens, package-registry credentials, cloud deploy credentials, signing material, or GitHub workflow tokens may be available [S1][S2].
The risk for a specific repository depends on whether its workflow referenced an affected Action ref, whether a job ran after the compromise, and what credentials or permissions that job had. A workflow reference is therefore evidence that deserves immediate cleanup and incident-response review, not proof by itself that credentials were stolen.
Covered by FixVibe
FixVibe GitHub repo scans now flag workflow YAML that references codfish/semantic-release-action refs associated with the June 2026 compromise. Findings report the workflow file, line, and Action reference as source/config evidence so teams can remove the Action and review affected release jobs.
FixVibe does not run GitHub Actions, execute the compromised Action, fetch malware payloads, read CI secrets, inspect runners, or prove that any workflow ran after the compromise window. If affected workflows did run, rotate long-lived secrets available to those jobs and audit releases, packages, commits, and workflow edits.
Remediation
To reduce risk from this incident:
- Remove codfish/semantic-release-action from affected workflows or replace the release path with trusted automation [S1][S2].
- Review GitHub Actions runs after the compromise window for workflows that used the affected Action reference [S2].
- Rotate long-lived secrets exposed to affected jobs, including package-registry, deploy, cloud, signing, and personal-access tokens where applicable [S1][S2].
- Pin remaining third-party Actions to reviewed commit SHAs, narrow workflow permissions, and keep release secrets scoped to the minimum jobs that need them.
- Rerun the FixVibe GitHub repo scan to confirm the compromised Action reference is gone.
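As an added example (not FixVibe's scanner and not code from the codfish project), the following Python script performs the kind of check described under "Covered by FixVibe" and in the pinning step above: it walks `.github/workflows`, reports every `uses:` line that references codfish/semantic-release-action with file, line and ref, lists remaining third-party Actions that are not pinned to a full commit SHA, and notes workflows that declare no `permissions:` block. The `AFFECTED_REFS` set is a placeholder to be filled from the incident reports; the embedded sample workflow, its commit SHA and its refs are constructed for the example.

```python
import re
from pathlib import Path

# The Action named in the incident reports.
ACTION = "codfish/semantic-release-action"
# Placeholder: fill in the refs the incident reports [S1][S2] list as affected.
AFFECTED_REFS = {"<affected-ref-from-advisory>"}

# Matches `uses: owner/repo[/path]@ref`, with or without a leading list dash.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^@'\"\s]+)@([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def _uses_lines(text):
    """Yield (lineno, action, ref) for every `uses:` step in a workflow."""
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            yield lineno, m.group(1), m.group(2)


def find_action_refs(text, path="workflow.yml"):
    """Report every reference to the compromised Action: file, line, ref."""
    findings = []
    for lineno, action, ref in _uses_lines(text):
        if action == ACTION or action.startswith(ACTION + "/"):
            findings.append({
                "file": path,
                "line": lineno,
                "action": action,
                "ref": ref,
                "sha_pinned": bool(FULL_SHA_RE.match(ref)),
                "known_affected": ref in AFFECTED_REFS,
            })
    return findings


def unpinned_third_party(text, path="workflow.yml"):
    """List remote Actions not pinned to a full 40-hex commit SHA."""
    out = []
    for lineno, action, ref in _uses_lines(text):
        if action.startswith(("./", "docker://")):
            continue  # local composite actions and container images are out of scope
        if not FULL_SHA_RE.match(ref):
            out.append({"file": path, "line": lineno, "action": action, "ref": ref})
    return out


def has_permissions_block(text):
    """True if the workflow declares a `permissions:` block at workflow or job level."""
    return re.search(r"^\s*permissions:", text, re.MULTILINE) is not None


def scan_workflows(repo_root):
    """Scan .github/workflows/*.yml|*.yaml under repo_root and collect findings."""
    root = Path(repo_root) / ".github" / "workflows"
    results = {"action_refs": [], "unpinned": [], "no_permissions": []}
    for wf in sorted(list(root.glob("*.yml")) + list(root.glob("*.yaml"))):
        text = wf.read_text(encoding="utf-8", errors="replace")
        results["action_refs"] += find_action_refs(text, str(wf))
        results["unpinned"] += unpinned_third_party(text, str(wf))
        if not has_permissions_block(text):
            results["no_permissions"].append(str(wf))
    return results


# Constructed sample workflow; the SHA and the @refs are made up for this example.
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    branches: [main]
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - name: Release
        uses: codfish/semantic-release-action@v3
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

if __name__ == "__main__":
    for f in find_action_refs(SAMPLE_WORKFLOW, "release.yml"):
        print(f"{f['file']}:{f['line']}: uses {f['action']}@{f['ref']} "
              f"(sha_pinned={f['sha_pinned']}, known_affected={f['known_affected']})")
    for u in unpinned_third_party(SAMPLE_WORKFLOW, "release.yml"):
        print(f"{u['file']}:{u['line']}: unpinned {u['action']}@{u['ref']}")
```

Run `scan_workflows(".")` from a checkout to get the same three lists for every workflow file. The scanner is line-based on purpose: it reports the exact line to edit, and it needs no YAML library, but it will not resolve anchors or multi-document files, so treat an empty result on an unusual workflow layout as "not checked" rather than "clean".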
