Popular GitHub Action Tags Redirected to Imposter Commit to Steal CI/CD Credentials

Ravie Lakshmanan | May 19, 2026 | Software Security / Malware


What’s new: A supply chain attack has compromised the GitHub Actions workflow “actions-cool/issues-helper,” redirecting all existing tags to an imposter commit that exfiltrates CI/CD credentials to an attacker-controlled server. The malicious code downloads the Bun JavaScript runtime, reads memory from the Runner.Worker process to extract credentials, and sends the stolen data to the domain “t.m-kosche[.]com.” A similar compromise has been reported for another action, “actions-cool/maintain-one-comment.” GitHub has disabled access to these repositories due to violations of its terms of service.

Who’s affected

Any CI/CD pipelines that utilize the compromised GitHub Actions workflows without pinning to a known-good full commit SHA are at risk of credential theft.

What to do

  • Review your CI/CD workflows and ensure that you are pinning to specific, known-good commit SHAs for any GitHub Actions used.
  • Monitor for any unauthorized access or credential misuse in your systems.
  • Stay updated on any further developments regarding the compromised actions and related threats.
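
One way to carry out the first step above, as an added example that is not from the original article: a Python check that lists every remote `uses:` reference in a workflow file, reports whether it is pinned to a full 40-character commit SHA, and marks the two actions named above. The sample workflow, `example-org/example-action` and its SHA are constructed placeholders.

```python
import re

# The two actions named in the article above.
NAMED_IN_ARTICLE = {"actions-cool/issues-helper", "actions-cool/maintain-one-comment"}

USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

def audit_workflow(text):
    """Return one finding per remote `uses:` reference in a workflow file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions and container images are not resolved through git tags.
        if target.startswith(("./", "docker://")):
            continue
        name, _, ref = target.partition("@")
        repo = "/".join(name.split("/")[:2]).lower()  # drop any sub-path
        findings.append({
            "line": line_no,
            "action": name,
            "ref": ref,
            "pinned": bool(FULL_SHA_RE.match(ref)),  # tags and branches can be moved
            "named_in_article": repo in NAMED_IN_ARTICLE,
        })
    return findings

def needs_review(findings):
    """Findings that use a movable ref or one of the named actions."""
    return [f for f in findings if not f["pinned"] or f["named_in_article"]]

# Constructed sample workflow; example-org/example-action and its SHA are placeholders.
SAMPLE = """\
name: triage
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-cool/issues-helper@v3
      - name: pinned step
        uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for f in needs_review(audit_workflow(SAMPLE)):
        print(f"line {f['line']}: {f['action']}@{f['ref']} "
              f"pinned={f['pinned']} named_in_article={f['named_in_article']}")
```

A reference reported as pinned still has to be compared against a SHA you have verified as known-good; the check only confirms that the reference cannot be moved the way a tag can.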

Sources