SUP-ACTION-TAG-MUTATION · Persistence
GitHub Action Tag Mutation
GitHub Action references are typically tags, not immutable commits: an attacker who controls the action repo can mutate a tag (v3) to point at a malicious commit.
§ Where this technique fits
SUP-ACTION-TAG-MUTATION is catalogued under the Persistence tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 4 on average.
§ Dossiers chaining this technique
- step 3 / 5
GitHub Action tag mutation → silent supply-chain hijack
Target pins an action by tag (uses: org/action@v3). Compromise the action repo and move the v3 tag to a malicious commit — every workflow using it pulls in the backdoor.
- step 5 / 7
Build-system implant → signed supply-chain backdoor (SolarWinds-class)
Compromise the target vendor's build server. A small implant rewrites a single source file at compile time — every official signed release downstream now ships the backdoor.
§ What commonly comes next
- 01 · Application Layer Protocol · seen 1× · T1071 · Command and Control
- 02 · Valid Accounts · seen 1× · T1078 · Initial Access