Skip to main content
Back to Blog
Threat Intel

simonecorsi/mawesome GitHub Action has been compromised

On June 24, 2026, an attacker compromised the simonecorsi/mawesome GitHub repository. They force-pushed malicious commits and repointed several version tags to that commit. As a result, any workflow running against those tags after that time executed the attacker's code inside its GitHub Actions runner.
Varun Sharma

June 24, 2026

Table of Contents
Loading nav...

On June 24, 2026, an attacker compromised the simonecorsi/mawesome GitHub repository. They force-pushed malicious commits and repointed several version tags to that commit. As a result, any workflow running against those tags after that time executed the attacker's code inside its GitHub Actions runner.

The attack method is very similar to the codfish/semantic-release-action GitHub Actions compromise from earlier today.

This is a developing story.

Acknowledgement

Thanks to Sean Smith for sharing information about this compromise.

Blog

Explore Related Posts

simonecorsi/mawesome GitHub Action has been compromised

On June 24, 2026, an attacker compromised the simonecorsi/mawesome GitHub repository. They force-pushed malicious commits and repointed several version tags to that commit. As a result, any workflow running against those tags after that time executed the attacker's code inside its GitHub Actions runner.

Varun Sharma

June 24, 2026

Read

codfish/semantic-release-action GitHub Action has been compromised

On June 24, 2026, an attacker compromised the codfish/semantic-release-action GitHub repository. At 15:39:06 UTC they force-pushed a malicious commit and repointed several version tags to that commit. As a result, any workflow running against those tags after that time executed the attacker's code inside its GitHub Actions runner.

Rohan Prabhu

June 24, 2026

Read

15 Malicious JetBrains Plugins Stole AI API Keys from 70,000 Developers

A coordinated 8-month supply chain attack planted credential-stealing code inside fake AI coding assistants on the JetBrains Marketplace, quietly exfiltrating OpenAI, DeepSeek, and SiliconFlow API keys to an attacker-controlled server in Beijing -- which our investigation found still operational today.

Ashish Kurmi

June 18, 2026

Read
StepSecurity | Home
Request a Demo
Start Free
System StatusTrust Center
DocsPricing
Contact UsProduct Tour
© 2026 All rights reserved
Privacy Policy
Terms of Service