Covered by FixVibe (severity: high)

Compromised GitHub Action codfish/semantic-release-action Steals CI/CD Secrets

Compromised codfish/semantic-release-action refs can put release workflows and CI/CD secrets at risk. FixVibe now flags affected workflow YAML as source/config evidence without executing Actions or reading secrets.

CWE-506

Public incident reports describe a June 2026 compromise of codfish/semantic-release-action, a GitHub Action used for release automation [S1][S2]. Affected Action refs could execute untrusted code inside CI/CD jobs, where release tokens, package-registry credentials, cloud deploy credentials, signing material, or GitHub workflow tokens may be available [S1][S2].

The risk for a specific repository depends on whether its workflow referenced an affected Action ref, whether a job ran after the compromise, and what credentials or permissions that job had. A workflow reference is therefore evidence that deserves immediate cleanup and incident-response review, not proof by itself that credentials were stolen.

Covered by FixVibe

FixVibe GitHub repo scans now flag workflow YAML that references codfish/semantic-release-action refs associated with the June 2026 compromise. Findings report the workflow file, line, and Action reference as source/config evidence so teams can remove the Action and review affected release jobs.

FixVibe does not run GitHub Actions, execute the compromised Action, fetch malware payloads, read CI secrets, inspect runners, or prove that any workflow ran after the compromise window. If affected workflows did run, rotate long-lived secrets available to those jobs and audit releases, packages, commits, and workflow edits.

Remediation

To reduce risk from this incident:

  • Remove codfish/semantic-release-action from affected workflows or replace the release path with trusted automation [S1][S2].
  • Review GitHub Actions runs after the compromise window for workflows that used the affected Action reference [S2].
  • Rotate long-lived secrets exposed to affected jobs, including package-registry, deploy, cloud, signing, and personal-access tokens where applicable [S1][S2].
  • Pin remaining third-party Actions to reviewed commit SHAs, narrow workflow permissions, and keep release secrets scoped to the minimum jobs that need them.
  • Rerun the FixVibe GitHub repo scan to confirm the compromised Action reference is gone.
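As an added example (not FixVibe's scanner and not code from the incident reports), the following Python script performs the kind of static, source/config-level check the page describes: it reads workflow YAML line by line, reports the file, line and Action reference for every `uses:` of codfish/semantic-release-action regardless of ref (the page lists no specific affected refs, so every reference is treated as cleanup evidence), and also reports third-party Actions that are not pinned to a 40-hex commit SHA and workflows with no `permissions:` block. The two sample workflows, the `@v0-placeholder` ref and the 40-hex SHA are constructed for the example; treating the `actions/` owner as first-party and exempt from the pinning check is a simplifying assumption.

```python
import re
from dataclasses import dataclass

# Action named in the incident; any ref to it is flagged for removal.
COMPROMISED_ACTION = "codfish/semantic-release-action"
# Assumption: first-party actions/* are exempt from the third-party pinning check.
FIRST_PARTY_OWNERS = {"actions"}

USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?')
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    path: str
    line: int   # 0 means "whole file" (no single line applies)
    kind: str   # compromised-action | unpinned-action | missing-permissions
    ref: str


def split_uses(spec):
    """Return (owner/repo, ref) for 'owner/repo[/subdir]@ref'; None for local or docker refs."""
    if spec.startswith("./") or spec.startswith("docker://"):
        return None
    action, _, ref = spec.partition("@")
    parts = action.split("/")
    if len(parts) < 2:
        return None
    return "/".join(parts[:2]), ref


def scan_workflow(path, text):
    """Line-based scan so findings carry the exact line, as a YAML parser would not."""
    findings = []
    has_permissions = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("permissions:"):
            has_permissions = True
        m = USES_RE.match(line)
        if not m:
            continue
        parsed = split_uses(m.group(1))
        if parsed is None:
            continue
        action, ref = parsed
        owner = action.split("/")[0]
        if action == COMPROMISED_ACTION:
            findings.append(Finding(path, lineno, "compromised-action", m.group(1)))
        elif owner not in FIRST_PARTY_OWNERS and not SHA_RE.match(ref):
            findings.append(Finding(path, lineno, "unpinned-action", m.group(1)))
    if not has_permissions:
        findings.append(Finding(path, 0, "missing-permissions", ""))
    return findings


def report(findings):
    """Render findings as 'path:line kind ref' lines (evidence only; nothing is executed)."""
    return [f"{f.path}:{f.line} {f.kind} {f.ref}".rstrip() for f in findings]


# Constructed sample: references the compromised Action, an unpinned third-party
# Action, and declares no permissions block.
VULNERABLE_WORKFLOW = """\
name: release
on:
  push:
    branches: [main]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: codfish/semantic-release-action@v0-placeholder
        with:
          branches: main
      - uses: some-org/publish-helper@main
"""

# Constructed hardened form: compromised Action removed, third-party Action pinned
# to a (placeholder) commit SHA, permissions narrowed at the top level.
HARDENED_WORKFLOW = """\
name: release
on:
  push:
    branches: [main]
permissions:
  contents: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/publish-helper@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for name, text in (("vulnerable.yml", VULNERABLE_WORKFLOW), ("hardened.yml", HARDENED_WORKFLOW)):
        print(name, report(scan_workflow(name, text)) or ["clean"])
```

Running the script on the vulnerable sample yields three findings (the compromised Action at line 10, the unpinned third-party Action at line 13, and the missing `permissions:` block); the hardened sample yields none. A finding is evidence for cleanup and run review, as the page stresses, not proof that a job executed during the compromise window or that any secret was taken.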