CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 19, 2026

Compromised GitHub Action Exfiltrates Workflow Credentials to Attacker Domain

Cybersecurity News Archived May 19, 2026 ✓ Full text saved

A widely used GitHub Action called actions-cool/issues-helper has been compromised, with every version tag in the repository silently redirected to a malicious commit. The attack places stolen CI/CD pipeline credentials directly in the hands of an attacker, raising serious concerns for development teams around the world that rely on this action in their automated workflows. […] The post Compromised GitHub Action Exfiltrates Workflow Credentials to Attacker Domain appeared first on Cyber Security

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Compromised GitHub Action Exfiltrates Workflow Credentials to Attacker Domain By Tushar Subhra Dutta May 19, 2026 A widely used GitHub Action called actions-cool/issues-helper has been compromised, with every version tag in the repository silently redirected to a malicious commit. The attack places stolen CI/CD pipeline credentials directly in the hands of an attacker, raising serious concerns for development teams around the world that rely on this action in their automated workflows. The compromise works in a deceptively simple way. An attacker gained the ability to move tags inside the repository and re-pointed all 53 existing version tags to a single imposter commit that does not appear anywhere in the repository’s normal code history. Any team whose workflow references this action by a version tag will unknowingly pull and execute the malicious code the next time their pipeline runs. Only workflows pinned to a specific, known-good commit hash remain fully unaffected. Researchers at StepSecurity identified the attack and published a detailed report on May 18, 2026.  StepSecurity said in a report shared with Cyber Security News (CSN) that the malicious commit uses the open-source Bun JavaScript runtime to execute a payload that reads directly from the memory of the Runner.Worker process, which is the component inside GitHub’s pipeline infrastructure that holds decrypted workflow secrets during a job run. A second action from the same organization, actions-cool/maintain-one-comment, was also hit using the exact same technique. All 15 of its version tags were moved to imposter commits, with stolen data being sent to the same attacker-controlled domain. The speed of the operation was striking: all 53 imposter commits for issues-helper were created within a window of just three minutes and sixteen seconds, and all 15 for maintain-one-comment were created in under forty seconds. The incident follows a growing pattern of supply chain attacks targeting developer tooling, where adversaries look for high-leverage entry points that can compromise many organizations at once through a single poisoned dependency. CI/CD pipelines have become a favored target because they often hold powerful credentials for cloud services, code repositories, and deployment systems. How the Attack Harvests Secrets Once the malicious commit runs inside a GitHub Actions pipeline, it kicks off a carefully staged sequence of steps. The payload first downloads the Bun JavaScript runtime to the runner environment, then spawns a Python process that reads the memory address space of the Runner.Worker process, specifically through the /proc/<PID>/mem path. This is the location where GitHub Actions stores decrypted workflow secrets while a job is actively running. A workflow run that referenced the compromised action was cancelled by stepsecurity-app[bot] before any malicious code could execute — the Compromised Actions Policy in action (Source – StepSecurity) The payload then filters that memory dump using standard Unix tools, extracting any value labeled with the internal flag “isSecret”:true. From there, it pulls the GitHub authentication token and escalates privileges via sudo python3 before sending the collected credentials over an outbound HTTPS connection on port 443 to the attacker’s domain, t.m-kosche.com. GitHub’s own repository interface flagged the imposter commit 1c9e803 with a warning that it does not belong to any branch, yet it stayed reachable through the moved tags. Detection and Recommended Steps StepSecurity’s Harden-Runner tool detected the attack in real time by flagging the Bun download, the suspicious memory read process, and the unexpected outbound network call to t.m-kosche.com. Workflows running behind Harden-Runner had the attacker’s domain automatically blocked at the network level, meaning credentials could not leave the runner even if the malicious code fully executed. The attacker attempted to blend in by giving each imposter commit a fake message styled after the legitimate maintainer’s release notes, but the tightly clustered creation timestamps exposed the fraud immediately. Teams using either affected action are strongly advised to pin their workflows to a full, verified commit SHA rather than a floating version tag, since tags can be silently moved without any notification to consumers. Security teams should audit recent workflow runs that referenced actions-cool/issues-helper or actions-cool/maintain-one-comment, and treat any exposed tokens or secrets as completely compromised. Rotating all pipeline secrets is the safest and most urgent step to take. Any outbound traffic to t.m-kosche.com observed in CI/CD logs should be treated as a confirmed sign of credential theft. Indicators of Compromise (IoCs):- Type Indicator Description Domain t.m-kosche.com Attacker-controlled exfiltration domain; receives encoded credentials harvested from Runner.Worker memory File Path /home/runner/.bun/bin/bun Path where the Bun JavaScript runtime is downloaded by the malicious payload File Path /proc/<Runner.Worker PID>/mem Memory path read by the malicious Python child process to scrape decrypted secrets Process python3 (sudo) Escalated Python process used to read runner memory and pipe secret values Command gh auth token Command used to pull the GitHub authentication token from the runner Commit SHA 1c9e803c80cc7fed000022d4c94f4b5bc2e90 Primary imposter commit for actions-cool/issues-helper v3.8.0; flagged as dangling by GitHub Commit SHA f0448c62fc57b8a5ce23d8acd6e795cdd76a3 Imposter commit for actions-cool/issues-helper v3.7.6 Commit SHA 7f6120bb10c870b9fde146961a18e5bf0b3d4 Imposter commit for actions-cool/maintain-one-comment v3.3.0 Commit SHA 4a6ac28684e2b0c48d502b31363ec5dd72f9d Imposter commit for actions-cool/maintain-one-comment v3.2.1 Network Port 443 (HTTPS) outbound to t.m-kosche.com Channel used to exfiltrate harvested credentials from the runner File index.js (executed via bun) Entry point JavaScript file executed by the Bun runtime as part of the malicious  Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News New Exim BDAT GnuTLS Vulnerability Enables Code Execution Attacks Hackers Compromise 170 npm Packages to Steal GitHub, npm, AWS, and Kubernetes Secrets JDownloader Website Compromised to Distribute Malicious Windows and Linux Installers Dell Support assist Updates Forces Windows Systems to BSOD Loop Critical Microsoft Exchange Server Vulnerability Actively Exploited in Attacks Latest News Cyber Security News Microsoft Edge Stops Loading Saved Passwords Into Memory at Startup Cyber Security News Attackers Use Cloudflare Storage Endpoint to Exfiltrate Files From Compromised Networks Cyber Security News New VoidStealer Malware Bypasses Chrome’s Protection to Steal User Data Cyber Security News Nx Console VS Code Extension Compromised to Steal Developer and Cloud Secrets Cyber Security News Microsoft to Retire Teams Together Mode to Enhance Performance Improvements
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 19, 2026
    Archived
    May 19, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗