Xygeni
| Primary URL | Location | Industry |
|---|---|---|
| xygeni[.]com | Country: Israel | Technology |
Profile
Xygeni develops the xygeni/xygeni-action GitHub Action, a tool integrated into continuous integration and deployment pipelines on the GitHub platform. This action is used by development teams to automate software build, test, and deployment processes. The organization's activities center on this CI/CD tool, though specific market reach, customer base, or quantitative scale details are not provided in available information. The company is known by the alias Xygeni, and its primary operational footprint appears tied to the distribution and maintenance of this specific GitHub Action within the software development ecosystem.
In early March 2026, Xygeni experienced a significant security incident involving its flagship GitHub Action. Attackers compromised the xygeni/xygeni-action repository through a tag poisoning attack, a method that manipulates version tags to distribute malicious code under the guise of legitimate updates. The attackers injected a command-and-control (C2) implant into the v5 tag of the action. This malicious version was published on March 3, 2026, and remained active until March 10, 2026, affecting any workflows configured to use the @v5 tag during that period. Xygeni's security team detected the compromise and promptly removed the malicious v5 tag from the repository. The company confirmed that there was no evidence of compromise to the GitHub platform itself or to customer data. The incident underscores the vulnerability of software supply chains to tampering with versioned releases and highlights the importance of rigorous monitoring of distribution channels. Xygeni's response demonstrated an ability to identify and mitigate threats in its release process, though no further technical details about the attack vector or the C2 implant's specific capabilities are disclosed in the incident summary.
