Security News

Cybersecurity news aggregator

HIGH Attacks SC Media

GitHub Actions workflow compromised to steal CI/CD credentials

A supply chain attack compromised the GitHub Actions workflows `actions-cool/issues-helper` and `actions-cool/maintain-one-comment` via an imposter commit strategy, altering all repository tags to point to malicious code. This code, when executed in a GitHub Actions runner, downloads the Bun runtime to harvest and exfiltrate credentials from the Runner.Worker process. Any workflow referencing the compromised action by version is vulnerable; only workflows pinned to a specific commit SHA remain unaffected, and GitHub has disabled access to the affected repositories.

Supply chain | May 19, 2026 | By SC Staff

Based on information from The Hacker News, a popular GitHub Actions workflow, actions-cool/issues-helper, has been compromised by threat actors who injected malicious code to harvest sensitive credentials. The attack involves an "imposter commit" strategy where all existing tags in the repository were altered to point to a malicious commit. This commit contains code that, when executed within a GitHub Actions runner, downloads the Bun JavaScript runtime, extracts credentials from the Runner.Worker process, and exfiltrates the data to an attacker-controlled domain, t.m-kosche[.]com.

A second GitHub action, actions-cool/maintain-one-comment, was also compromised with similar functionality. GitHub has since disabled access to the affected repositories due to a terms of service violation. The exfiltration domain has previously been observed in the Mini Shai-Hulud campaign, suggesting a potential link between the two activities. Any workflow referencing the compromised action by version is vulnerable, with only those pinned to a specific commit SHA remaining unaffected.

Source: The Hacker News
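The article's last point, that only references pinned to a commit SHA were unaffected, can be checked across a repository's workflow files. The following is an added example, not code from the article or from any affected project: it scans workflow text for `uses:` references that follow a tag or branch rather than a full 40-character SHA. The sample workflow and the SHA in it are constructed placeholders, and the function names are hypothetical.

```python
import re

# Actions the article names as compromised (owner/repo, lower-cased).
NAMED_IN_ARTICLE = {"actions-cool/issues-helper", "actions-cool/maintain-one-comment"}

# Matches a step-level or job-level `uses:` value, ignoring quotes and comments.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: triage
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-cool/issues-helper@v3   # tag: resolves to whatever it points at
      - uses: actions-cool/maintain-one-comment@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-lint
"""

def classify(ref_spec):
    """Return (action, ref, status) for one `uses:` value."""
    if ref_spec.startswith(("./", "docker://")):
        return ref_spec, None, "local-or-docker"  # not resolved through a git ref
    action, sep, ref = ref_spec.partition("@")
    if not sep:
        return action, None, "no-ref"
    status = "pinned-sha" if FULL_SHA_RE.match(ref) else "mutable-ref"
    return action, ref, status

def scan_workflow(text):
    """Collect every `uses:` reference in a workflow file with its pin status."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            action, ref, status = classify(m.group(1))
            repo = "/".join(action.split("/")[:2]).lower()  # drop any sub-path
            findings.append({"line": lineno, "action": action, "ref": ref,
                             "status": status, "named_in_article": repo in NAMED_IN_ARTICLE})
    return findings

def mutable_refs(findings):
    """References that would have followed a retargeted tag."""
    return [f for f in findings if f["status"] == "mutable-ref"]

if __name__ == "__main__":
    for f in mutable_refs(scan_workflow(SAMPLE_WORKFLOW)):
        flag = "NAMED IN ARTICLE" if f["named_in_article"] else "review"
        print(f"line {f['line']}: {f['action']}@{f['ref']} is a tag/branch ref [{flag}]")
```

To use it on a real repository, pass the contents of each file under `.github/workflows/` to `scan_workflow`.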
