A significant security breach has affected a popular GitHub Action, actions-cool/issues-helper, which has been manipulated to redirect all its version tags to a malicious commit. This compromise places critical CI/CD credentials at risk, posing a threat to numerous development teams worldwide that depend on this automation tool.
Understanding the Breach
The attack was orchestrated through an unauthorized repositioning of tags within the GitHub repository, redirecting all 53 existing version tags to a single, malicious commit. This commit is absent from the standard code history, making it difficult to detect for teams using this action. The attack affects any workflow that references these version tags, executing malicious code during the next pipeline run. Only workflows linked to a specific, verified commit hash remain unaffected.
StepSecurity researchers uncovered this breach and detailed their findings in a report released on May 18, 2026. The report highlights how the malicious commit uses the Bun JavaScript runtime to access the Runner.Worker process’s memory, exposing decrypted workflow secrets during job execution.
Attack Methodology and Impact
Alongside actions-cool/issues-helper, another GitHub Action, actions-cool/maintain-one-comment, faced a similar attack. All 15 of its tags were redirected to imposter commits, with the extracted data being sent to the same attacker-controlled domain. The operation’s swiftness is notable, with all imposter commits being created in mere minutes.
This incident is part of a broader trend in supply chain attacks targeting developer tools. Such attacks seek to exploit central points of access to compromise multiple organizations simultaneously, with CI/CD pipelines being particularly vulnerable due to their access to critical credentials for cloud services, code repositories, and deployment systems.
Security Measures and Recommendations
The malicious payload initiates a series of steps once executed within a GitHub Actions pipeline. It downloads the Bun runtime to the runner, launches a Python process to read the Runner.Worker memory through the /proc//mem path, and extracts secrets labeled with the internal flag “isSecret”:true. The extracted credentials are then transmitted via an outbound HTTPS connection to the attacker’s domain, t.m-kosche.com.
StepSecurity’s Harden-Runner tool detected these activities in real-time, blocking the attacker’s domain at the network level. The imposter commit’s creation timestamps, styled after legitimate maintainer messages, were quickly identified as fraudulent.
Development teams using the affected actions should bind their workflows to verified commit SHAs instead of version tags, which can be silently altered. Security reviews of recent workflows using actions-cool/issues-helper or actions-cool/maintain-one-comment are crucial, and any compromised tokens should be promptly rotated. Observing outbound traffic to t.m-kosche.com in CI/CD logs indicates credential theft.
Following these security practices can help mitigate the risks posed by such attacks, ensuring the protection of sensitive data and maintaining the integrity of development workflows.
