A recent software supply chain attack has targeted widely used GitHub Actions, raising concerns around the security of development environments and CI/CD infrastructure used by software teams globally. Threat actors reportedly compromised the GitHub Action actions-cool/issues-helper, introducing malicious code capable of harvesting sensitive credentials and transmitting them to an attacker-controlled server. Security researchers have indicated that the attack involved the manipulation of the repository's Git tags, so that automated workflows referencing the action by tag fetched and executed the malicious code on their next run.
According to findings shared by cybersecurity firm StepSecurity, every existing tag within the affected repository was redirected to an imposter commit that does not appear in the project's standard commit history. Security researcher Varun Sharma explained that the altered commit contained code designed to exfiltrate credentials from CI/CD pipelines that execute the action. The compromise affects automated workflows that reference the action through version tags rather than full commit SHAs, potentially exposing authentication credentials used during software development and deployment. Researchers noted that an imposter commit is a software supply chain tactic in which malicious code is introduced by pointing a tag or other reference at a commit that exists only in an adversary-controlled fork rather than in the legitimate repository's history. GitHub serves any commit in a repository's fork network from the upstream repository's URL, so such a commit can be fetched by SHA or by a moved tag even though it was never pushed through the upstream project's review process, and because Git tags are mutable pointers, a tag that once resolved to a reviewed commit can be silently moved to an unreviewed one. This method allows attackers to bypass normal pull request review and execute arbitrary code within affected environments.
StepSecurity further disclosed that the malicious commit performs several actions once triggered inside a GitHub Actions runner. The code reportedly downloads the Bun JavaScript runtime onto the runner, reads the memory of the Runner.Worker process (the runner component that holds the job's secrets and tokens in memory) to extract credentials, and establishes outbound HTTPS communication with an attacker-controlled domain, t.m-kosche[.]com, to transmit the stolen data. Researchers also found that another GitHub Action in the same actions-cool organization, actions-cool/maintain-one-comment, was compromised in the same way, with 15 associated tags reportedly modified to point at the same malicious functionality. GitHub has since disabled access to the repository, citing a violation of its terms of service, although the exact reason behind the takedown remains unclear.
Cybersecurity researchers have also observed links between this incident and a broader threat campaign known as Mini Shai Hulud, which recently targeted npm packages within the @antv ecosystem. The shared use of the same exfiltration domain has raised the possibility that the two incidents are connected. In comments shared with cybersecurity publication The Hacker News, Philipp Burckhardt, Head of Threat Intelligence at Socket, said the overlap in infrastructure strongly suggests a relationship between the GitHub Actions compromise and the npm package campaign. The initial access path used by the attackers is still being assessed, although current evidence points toward related activity clusters rather than separate isolated incidents. StepSecurity warned that because every affected tag now resolves to a malicious commit, workflows that reference the actions by version tag will execute the compromised code on subsequent runs unless they are updated, while workflows pinned to a known-good full commit SHA are unaffected. Teams whose workflows ran either action via a tag after the tags were moved should treat every secret available to those runs as exposed and rotate it; re-pinning alone does not undo a completed exfiltration.
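A practical first check for affected teams is to find every workflow that reaches an action through a mutable reference. The script below is an added example written for this article; it is not StepSecurity's tooling and not code from the actions-cool project. It scans the uses: lines of a workflow file with a regular expression (a YAML parser would be more robust, but this keeps the example dependency-free), flags tag or branch references to the two actions named above as critical, flags any other reference that is not a full 40-character commit SHA as a warning, and skips local and container actions, which have no remote Git ref that could be redirected. The sample workflow and every SHA in it are constructed placeholders, not real commits.

```python
import re
from dataclasses import dataclass

# The two actions the StepSecurity report names as compromised. Names are
# compared case-insensitively, matching how GitHub treats owner/repo.
AFFECTED_ACTIONS = {
    "actions-cool/issues-helper",
    "actions-cool/maintain-one-comment",
}

# Matches step-level ("- uses: x") and job-level reusable-workflow ("uses: x")
# references; quoted values and trailing comments are tolerated.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
ABBREV_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


@dataclass(frozen=True)
class Finding:
    action: str    # owner/repo, lower-cased
    ref: str       # whatever follows the '@': tag, branch, or commit SHA
    severity: str  # "critical" for the compromised actions, else "warning"
    reason: str


def split_uses(value):
    """Return (owner/repo, ref) for a remote action or reusable workflow, or
    None for references with no remote Git ref to redirect: local actions
    ('./path') and container images ('docker://...')."""
    if value.startswith("./") or value.startswith("docker://"):
        return None
    if "@" not in value:
        return None  # GitHub rejects remote uses without a ref
    target, ref = value.rsplit("@", 1)
    parts = target.split("/")
    if len(parts) < 2:
        return None
    return "/".join(parts[:2]).lower(), ref


def is_sha_pinned(ref):
    """Only a full 40-hex commit SHA is immutable; tags and branches can be
    moved, which is exactly what happened to the actions-cool tags."""
    return bool(FULL_SHA_RE.match(ref))


def audit_workflow(yaml_text):
    """Return every 'uses:' reference in one workflow file that is not pinned
    to a full commit SHA, in file order."""
    findings = []
    for match in USES_RE.finditer(yaml_text):
        parsed = split_uses(match.group(1))
        if parsed is None:
            continue
        action, ref = parsed
        if is_sha_pinned(ref):
            continue
        if action in AFFECTED_ACTIONS:
            findings.append(Finding(action, ref, "critical",
                "tag of a compromised action: every tag was redirected to a "
                "credential-stealing commit; rotate all secrets this workflow "
                "could reach and pin to a verified SHA or remove the step"))
        elif ABBREV_SHA_RE.match(ref):
            findings.append(Finding(action, ref, "warning",
                "abbreviated SHA; only a full 40-character SHA is a pin"))
        else:
            findings.append(Finding(action, ref, "warning",
                "mutable tag or branch; pin to a full commit SHA"))
    return findings


# Constructed sample workflow (not from any real repository). The 40-hex
# checkout SHA and the 7-hex setup-node ref are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: triage
on: [issues]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions-cool/issues-helper@v3   # tag, not a SHA
        with:
          actions: 'add-labels'
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: "actions-cool/maintain-one-comment@v3.2.0"
      - uses: actions/setup-node@1a4442c
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: some-org/other-action@main
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"[{f.severity}] {f.action}@{f.ref}: {f.reason}")
```

Run it over every file under .github/workflows in each repository. A critical finding means the workflow may already have executed the payload on any run after the tags were moved, so repinning to a SHA is only half the remediation; every secret reachable from that job should be rotated as well. The check is deliberately conservative: it cannot tell a legitimate tag from a moved one offline, which is the reason only a full commit SHA counts as a pin.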