Cyber Web Spider Blog – News

GitHub Action Hack Exposes Developer Credentials

Posted on May 19, 2026 By CWS

A significant security breach has affected a popular GitHub Action, actions-cool/issues-helper, which has been manipulated to redirect all its version tags to a malicious commit. This compromise places critical CI/CD credentials at risk, posing a threat to numerous development teams worldwide that depend on this automation tool.

Understanding the Breach

The attack was orchestrated through an unauthorized repositioning of tags within the GitHub repository, redirecting all 53 existing version tags to a single, malicious commit. This commit is absent from the standard code history, making it difficult to detect for teams using this action. The attack affects any workflow that references these version tags, executing malicious code during the next pipeline run. Only workflows linked to a specific, verified commit hash remain unaffected.
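A defender can catch this kind of tag repositioning by comparing the tag list of a dependency against a snapshot saved earlier. The following is an added example, not code from StepSecurity or the affected project; it assumes both snapshots are saved output of `git ls-remote --tags <repo-url>`, and the function names, the `min_tags` threshold and the sample SHAs are constructed for illustration.

```python
from collections import Counter


def parse_ls_remote(output):
    """Map tag name -> commit SHA from `git ls-remote --tags` output."""
    tags = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("refs/tags/"):
            continue
        sha, ref = parts
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha  # peeled entry: commit behind an annotated tag
        else:
            tags.setdefault(name, sha)
    return tags


def moved_tags(baseline, current):
    """Tags present in both snapshots whose commit changed: (name, old, new)."""
    return sorted((t, baseline[t], current[t])
                  for t in baseline.keys() & current.keys()
                  if baseline[t] != current[t])


def collapsed_commit(tags, min_tags=3):
    """Return (sha, count) when min_tags or more tags resolve to one commit."""
    if not tags:
        return None
    sha, count = Counter(tags.values()).most_common(1)[0]
    return (sha, count) if count >= min_tags else None


# Constructed sample data: placeholder SHAs, not values from the incident.
A, B, C, D = ("a" * 40, "b" * 40, "c" * 40, "d" * 40)
BASELINE = f"{A}\trefs/tags/v1.0.0\n{B}\trefs/tags/v1.1.0\n{B}\trefs/tags/v1\n"
CURRENT = (f"{C}\trefs/tags/v1.0.0\n"
           f"{D}\trefs/tags/v1.1.0\n{C}\trefs/tags/v1.1.0^{{}}\n"
           f"{C}\trefs/tags/v1\n")

if __name__ == "__main__":
    old, new = parse_ls_remote(BASELINE), parse_ls_remote(CURRENT)
    for tag, was, now in moved_tags(old, new):
        print(f"MOVED {tag}: {was[:12]} -> {now[:12]}")
    print("collapsed onto:", collapsed_commit(new))
```

A floating major tag such as `v1` legitimately moves with each release, so a single moved tag needs context; every tag moving at once, onto one commit, is the pattern described above.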

StepSecurity researchers uncovered this breach and detailed their findings in a report released on May 18, 2026. The report highlights how the malicious commit uses the Bun JavaScript runtime to access the Runner.Worker process’s memory, exposing decrypted workflow secrets during job execution.

Attack Methodology and Impact

Alongside actions-cool/issues-helper, another GitHub Action, actions-cool/maintain-one-comment, faced a similar attack. All 15 of its tags were redirected to imposter commits, with the extracted data being sent to the same attacker-controlled domain. The operation’s swiftness is notable, with all imposter commits being created in mere minutes.

This incident is part of a broader trend in supply chain attacks targeting developer tools. Such attacks seek to exploit central points of access to compromise multiple organizations simultaneously, with CI/CD pipelines being particularly vulnerable due to their access to critical credentials for cloud services, code repositories, and deployment systems.

Security Measures and Recommendations

The malicious payload initiates a series of steps once executed within a GitHub Actions pipeline. It downloads the Bun runtime to the runner, launches a Python process to read the Runner.Worker memory through the /proc/<pid>/mem path, and extracts secrets labeled with the internal flag “isSecret”:true. The extracted credentials are then transmitted via an outbound HTTPS connection to the attacker’s domain, t.m-kosche.com.

StepSecurity’s Harden-Runner tool detected these activities in real-time, blocking the attacker’s domain at the network level. The imposter commit’s creation timestamps, styled after legitimate maintainer messages, were quickly identified as fraudulent.

Development teams using the affected actions should bind their workflows to verified commit SHAs instead of version tags, which can be silently altered. Security reviews of recent workflows using actions-cool/issues-helper or actions-cool/maintain-one-comment are crucial, and any compromised tokens should be promptly rotated. Observing outbound traffic to t.m-kosche.com in CI/CD logs indicates credential theft.
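To review workflows for the pinning recommendation above, the following added example (not code from the article or from StepSecurity) lists every `uses:` reference that is not bound to a full 40-character commit SHA and marks the two actions named in this article. The function name, the sample workflow, its tag names and its SHA are constructed for illustration.

```python
import re

# Actions named in the article as compromised.
AFFECTED = {"actions-cool/issues-helper", "actions-cool/maintain-one-comment"}

# Matches "uses: owner/repo[/path]@ref"; local (./...) and docker:// refs do not match.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)(/[^@\s'\"]*)?@([^\s'\"#]+)"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text, filename="workflow.yml"):
    """Return a finding for each `uses:` reference not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out step
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(3)
        if FULL_SHA_RE.match(ref):
            continue  # immutable reference: moving a tag cannot change it
        findings.append({
            "file": filename, "line": lineno, "action": action, "ref": ref,
            "affected": action.lower() in AFFECTED,
        })
    return findings


# Constructed sample workflow; the SHA and tag names are placeholders.
SAMPLE = """\
name: triage
on: issues
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions-cool/issues-helper@v1
      - name: comment
        uses: actions-cool/maintain-one-comment@v1.0.0
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE, ".github/workflows/triage.yml"):
        flag = "AFFECTED" if f["affected"] else "unpinned"
        print(f'{f["file"]}:{f["line"]}: {flag} {f["action"]}@{f["ref"]}')
```

Short SHAs and branch names are reported as well, since only a full-length commit SHA is an immutable reference.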

Following these security practices can help mitigate the risks posed by such attacks, ensuring the protection of sensitive data and maintaining the integrity of development workflows.

Cyber Security News Tags:Bun JavaScript, CI/CD, Credentials, Cybersecurity, developer tools, Exfiltration, GitHub, Harden-Runner, malicious commit, Runner.Worker, security breach, StepSecurity, supply chain attack, token theft, workflow secrets
