In a recent cyberattack targeting software supply chains, malicious actors have compromised a popular GitHub Actions workflow, known as actions-cool/issues-helper. This breach resulted in the execution of harmful code, aimed at gathering sensitive credentials and redirecting them to a server managed by attackers.
According to Varun Sharma, a researcher at StepSecurity, the breach involved redirecting all existing tags in the repository to an imposter commit. This commit, which isn’t part of the action’s original commit history, includes code that siphons off credentials from CI/CD pipelines using this action.
Understanding the Imposter Commit Strategy
An imposter commit represents a sophisticated software supply chain attack method. By injecting malicious code into a project, attackers use a commit or tag existing only in a fork they control, circumventing customary Pull Request (PR) reviews. This tactic allows them to execute arbitrary code without detection.
The malicious code embedded in the imposter commit initiates several actions once executed in a GitHub Actions runner. It downloads the Bun JavaScript runtime, extracts credentials from the Runner.Worker process, and sends the stolen data to a domain controlled by the attackers.
Extent of the Compromise
StepSecurity has reported that not only was actions-cool/issues-helper affected, but 15 tags of another GitHub action, "actions-cool/maintain-one-comment," were also compromised with similar malicious functionality. GitHub has since disabled access to the affected repository, although the Microsoft-owned platform has not stated its exact reasons for doing so.
Interestingly, the domain used for data exfiltration has connections to the ongoing Mini Shai-Hulud campaign, targeting npm packages from the @antv ecosystem. This suggests a possible link between the two malicious activities.
Impact on Workflows and Security Recommendations
As StepSecurity noted, any workflow that references the compromised action by a version tag will automatically pull in the malicious code, because those tags now point at the imposter commit. Workflows pinned to a specific, verified commit SHA are unaffected by this threat.
This incident underscores the importance of vigilance in software development environments, especially when using third-party actions in CI/CD pipelines. Developers are advised to routinely audit their workflows, ensure dependencies are secure, and consider pinning actions to known-safe commits.
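As an added example, not code from the article or from StepSecurity: a small Python audit that lists every third-party action a workflow references and flags those referenced by a mutable tag or branch rather than a full commit SHA, plus a helper (which assumes a local git clone of the action's upstream repository) that checks whether a given SHA is reachable from any remote branch there, which an imposter commit living only in an attacker's fork is not. The workflow text and the 40-hex SHA below are constructed placeholders.

```python
import re
import subprocess

# A full 40-hex commit SHA is a pinned reference; anything else after '@' is mutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: triage
on: [issues]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions-cool/issues-helper@v3
      - uses: ./.github/actions/local-step
      - uses: actions-cool/maintain-one-comment@main
"""

def audit_workflow(text):
    """Return (line, action, ref, status) for every third-party 'uses:' entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        # Local composite actions and docker images are out of scope for this check.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        action, _, version = ref.rpartition("@")
        if not action:  # no '@' at all: resolves to the default branch, so mutable
            action, version, status = ref, "", "mutable-ref"
        elif SHA_RE.match(version):
            status = "pinned-sha"
        else:
            status = "mutable-ref"
        findings.append((lineno, action, version, status))
    return findings

def mutable_refs(text):
    """Actions that a tag rewrite like the one described above would silently redirect."""
    return [f"{a}@{v}" for _, a, v, s in audit_workflow(text) if s == "mutable-ref"]

def sha_in_history(clone_dir, sha):
    """True if `sha` is reachable from a remote branch of the clone in `clone_dir`.
    Assumes git is installed; hypothetical helper, not part of any tooling named above."""
    r = subprocess.run(["git", "-C", clone_dir, "branch", "-r", "--contains", sha], capture_output=True, text=True)
    return r.returncode == 0 and r.stdout.strip() != ""
```

A SHA that `sha_in_history` reports as unreachable from every upstream branch is exactly the imposter-commit case, so a pin should only be trusted after that check passes.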
Going forward, organizations must strengthen their security protocols to mitigate such risks and protect their software supply chains from similar attacks.
