Skip to content
TopicTracker
From HackerNewsView original
TranslationTranslation

Codfish/semantic-release-action GitHub Action has been compromised

The Codfish/semantic-release-action GitHub Action has been compromised in a supply chain attack, potentially exposing secrets and allowing malicious code execution in workflows using the action. Users are advised to immediately audit usage and revoke any exposed credentials.

Background

- **Codfish/semantic-release-action** is a popular GitHub Action (an automation tool for GitHub repositories) that helps projects automatically create new software releases based on commit messages. It's used by many open-source projects. - **Semantic release** is a widely-used tool that automates the entire package release workflow (version bumping, changelog generation, git tagging, publishing to package registries) based on standardized commit formats (e.g., `fix:`, `feat:`, `BREAKING CHANGE`). - **Supply-chain compromise** means an attacker gained control of the maintainer's account (or the repository itself) and injected malicious code into the action. Anyone who ran this action in their CI/CD pipeline after the compromise could have had secrets (like API tokens, signing keys, or npm credentials) exfiltrated or had malware installed. - This specific attack follows a growing pattern: attackers target trusted open-source automation tools and CI/CD pipelines because a single compromised action can distribute malware to thousands of downstream projects that automatically depend on it.