GitHub: Popular GitHub Action Tags Redirected to Imposter Commit to Steal CI/CD Credentials

GitHub Actions Workflow Compromised in Supply Chain Attack

Threat actors have executed a software supply chain attack by compromising the popular GitHub Action actions-cool/issues-helper, injecting malicious code to harvest credentials from CI/CD pipelines. Security firm StepSecurity discovered that every existing tag in the repository had been redirected to an "imposter commit": a commit that lives in an attacker-controlled fork rather than in the upstream repository's own branch history, so it never passed through the project's pull request review, yet the moved tags resolve to it as if it were a legitimate release.

The malicious commit, executed within GitHub Actions runners, performs the following actions:

  • Downloads the Bun JavaScript runtime to the runner.
  • Extracts credentials from the Runner.Worker process memory.
  • Exfiltrates stolen data via HTTPS to an attacker-controlled domain (t.m-kosche[.]com).

A second action, actions-cool/maintain-one-comment, was also compromised, with 15 of its tags redirected to a commit carrying the same malicious code. GitHub has since disabled access to the repository, citing a violation of its terms of service; the specific reason has not been stated.

The exfiltration domain has been linked to the Mini Shai-Hulud campaign, which recently targeted npm packages in the @antv ecosystem, suggesting a potential connection between the two incidents. Threat intelligence firm Socket confirmed the overlap, indicating the attacks are likely part of the same activity cluster, though the initial access vector remains under investigation.

Workflows that reference the compromised actions by version tag (or any other mutable ref, such as a branch name) will pull the malicious code on their next run, because the tag now resolves to the imposter commit. Only workflows pinned to a known-good full commit SHA remain unaffected, and "known-good" matters: an imposter commit is also addressable by its SHA, so a pin is protective only if the SHA was verified against the upstream repository's own history rather than copied from the redirected tag.
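As an added example, not code from the page or from the affected projects: a small scanner for workflow files that flags every `uses:` reference to the two actions named above that is not pinned to a full 40-character commit SHA, plus a helper that rewrites a flagged line to a SHA the caller has already verified. The workflow text and the SHAs in it are constructed placeholders, not real commits.

```python
import re
from dataclasses import dataclass

# Actions named in the advisory above as compromised (owner/repo, lower-case).
COMPROMISED_ACTIONS = {
    "actions-cool/issues-helper",
    "actions-cool/maintain-one-comment",
}

# A `uses:` step line: owner/repo[/subpath]@ref, optionally quoted, optional trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line_no: int
    action: str        # owner/repo
    ref: str           # whatever followed the '@'
    kind: str          # "sha" (full, immutable), "short-sha", or "tag-or-branch" (mutable)
    compromised: bool  # action is on the advisory's list


def classify_ref(ref):
    """Only a full 40-hex SHA is immutable; tags, branches and short SHAs can move or be ambiguous."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if re.fullmatch(r"[0-9a-f]{7,39}", ref):
        return "short-sha"
    return "tag-or-branch"


def scan_workflow(text, compromised=COMPROMISED_ACTIONS):
    """Return one Finding per GitHub-hosted `uses:` reference in a workflow file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        # Local (./path) and container (docker://) actions are not repository refs.
        if spec.startswith("./") or spec.startswith("docker://") or "@" not in spec:
            continue
        path, ref = spec.rsplit("@", 1)
        parts = path.split("/")
        if len(parts) < 2:
            continue
        action = f"{parts[0]}/{parts[1]}".lower()
        findings.append(Finding(line_no, action, ref, classify_ref(ref), action in compromised))
    return findings


def affected(findings):
    """References that will pull the redirected code: a compromised action on any non-full-SHA ref."""
    return [f for f in findings if f.compromised and f.kind != "sha"]


def pin_line(line, verified_sha):
    """Rewrite a `uses:` line to a full SHA the caller verified against upstream history,
    keeping the old ref as a trailing comment. The SHA must NOT be taken from the moved tag."""
    if not FULL_SHA_RE.match(verified_sha):
        raise ValueError("expected a full 40-hex commit SHA")
    m = USES_RE.match(line)
    if not m:
        return line
    spec = m.group(1)
    path, old_ref = spec.rsplit("@", 1)
    return line.replace(spec, f"{path}@{verified_sha}") + f"  # was {old_ref}"


# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: triage
on: [issues]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: actions-cool/issues-helper@v3
      - uses: actions-cool/maintain-one-comment@89abcdef0123456789abcdef0123456789abcdef
      - uses: "actions-cool/issues-helper@main"
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for f in affected(scan_workflow(SAMPLE_WORKFLOW)):
        print(f"line {f.line_no}: {f.action}@{f.ref} ({f.kind}) pulls the redirected code")
```

Run it over every file under `.github/workflows/`; anything `affected()` reports needs either removal or a pin to a SHA taken from the upstream repository's commit log, not from the tag that now points at the imposter commit.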

Source: https://thehackernews.com/2026/05/github-actions-supply-chain-attack.html

GitHub TPRM report: https://www.rankiteo.com/company/github

"id": "git1779179198",
"linkid": "github",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Users of compromised GitHub '
                                              'Actions workflows',
                        'industry': 'Technology/Software Development',
                        'name': 'GitHub Actions workflows '
                                '(*actions-cool/issues-helper*, '
                                '*actions-cool/maintain-one-comment*)',
                        'type': 'Software/DevOps Tool'}],
 'attack_vector': 'Malicious code injection via compromised GitHub Actions '
                  'workflow',
 'data_breach': {'data_exfiltration': 'Yes (via HTTPS to t.m-kosche[.]com)',
                 'sensitivity_of_data': 'High (credentials, secrets)',
                 'type_of_data_compromised': 'Credentials, CI/CD pipeline '
                                             'secrets'},
 'description': 'Threat actors executed a software supply chain attack by '
                'compromising the GitHub Actions workflow '
                '*actions-cool/issues-helper*, injecting malicious code to '
                'harvest sensitive credentials from CI/CD pipelines. The '
                'malicious commit downloads the Bun JavaScript runtime, '
                'extracts credentials from the Runner.Worker process memory, '
                'and exfiltrates stolen data via HTTPS to an '
                'attacker-controlled domain. A second GitHub action, '
                '*actions-cool/maintain-one-comment*, was also compromised '
                'with the same malicious functionality.',
 'impact': {'data_compromised': 'Sensitive credentials from CI/CD pipelines',
            'identity_theft_risk': 'High (credentials harvested)',
            'operational_impact': 'Compromised workflows may execute malicious '
                                  'code',
            'systems_affected': 'GitHub Actions runners, CI/CD pipelines'},
 'initial_access_broker': {'entry_point': 'Compromised GitHub Actions workflow '
                                          'via attacker-controlled fork',
                           'high_value_targets': 'CI/CD pipelines, '
                                                 'credentials'},
 'investigation_status': 'Ongoing (initial access vector under investigation)',
 'post_incident_analysis': {'corrective_actions': 'Pin workflows to known-good '
                                                  'full commit SHA, monitor '
                                                  'for malicious activity',
                            'root_causes': 'Deceptive imposter commit, lack of '
                                           'workflow pinning to full commit '
                                           'SHA'},
 'recommendations': 'Pin GitHub Actions workflows to known-good full commit '
                    'SHA to avoid malicious code execution.',
 'references': [{'source': 'StepSecurity'}, {'source': 'Socket'}],
 'response': {'containment_measures': 'GitHub disabled access to the '
                                      'repository for terms of service '
                                      'violation',
              'remediation_measures': 'Pin workflows to known-good full commit '
                                      'SHA',
              'third_party_assistance': 'StepSecurity, Socket'},
 'threat_actor': 'Mini Shai-Hulud campaign',
 'title': 'GitHub Actions Workflow Compromised in Supply Chain Attack',
 'type': 'Supply Chain Attack',
 'vulnerability_exploited': 'Deceptive imposter commit via attacker-controlled '
                            'fork'}