Compromised GitHub Action Exfiltrates Workflow Credentials to


Emy Elsamnoudy
May 19, 2026 4 Min Read

A widely used GitHub Action, actions-cool/issues-helper, has been compromised. Every version tag in its repository was silently redirected to a malicious commit, a significant supply chain attack detailed in a [comprehensive security analysis](https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/

The attack places stolen CI/CD pipeline credentials directly in the hands of an attacker, raising serious concerns for development teams around the world that rely on this action in their automated workflows.

The compromise works in a deceptively simple way. An attacker gained the ability to move tags inside the repository and re-pointed all 53 existing version tags to a single imposter commit that does not appear anywhere in the repository’s normal code history.

Any team whose workflow references this action by a version tag will unknowingly pull and execute the malicious code the next time their pipeline runs. Only workflows pinned to a specific, known-good commit hash remain fully unaffected.

Researchers at StepSecurity identified the attack and published a detailed report on May 18, 2026. 

StepSecurity said in a report shared with Cyber Security News (CSN) that the malicious commit uses the open-source Bun JavaScript runtime to execute a payload that reads directly from the memory of the Runner.Worker process, which is the component inside GitHub’s pipeline infrastructure that holds decrypted workflow secrets during a job run.

A second action from the same organization, actions-cool/maintain-one-comment, was also hit using the exact same technique.

All 15 of its version tags were moved to imposter commits, with stolen data being sent to the same attacker-controlled domain.

The speed of the operation was striking: all 53 imposter commits for issues-helper were created within a window of just three minutes and sixteen seconds, and all 15 for maintain-one-comment were created in under forty seconds.
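The two signals described above (every tag re-pointed at once, and imposter commits created within minutes of each other) are both things a consumer of a third-party action can check for itself. The script below is an added example, not code from StepSecurity, the article or the actions-cool project. Its BASELINE, CURRENT and COMMIT_TIMES dictionaries are constructed to mirror the shape of the incident with placeholder SHAs; in practice the baseline would be saved from `git ls-remote --tags <repo-url>` when the action was first vetted, and the commit timestamps fetched from the repository afterwards.

```python
"""Detect re-pointed version tags and tightly clustered imposter commits.

Added example, not code from StepSecurity, the article or the actions-cool
project. BASELINE, CURRENT and COMMIT_TIMES are constructed (placeholder SHAs)
to mirror the incident: every tag moved, new commits created seconds apart.
"""
from datetime import datetime, timedelta, timezone

# Constructed: tag -> commit SHA recorded when the action was first vetted.
BASELINE = {
    "v3.8.0": "a" * 40,
    "v3.7.6": "b" * 40,
    "v3.7.5": "c" * 40,
    "v3": "a" * 40,
}

# Constructed: the same tags after a tag-move attack; all point at new commits.
CURRENT = {
    "v3.8.0": "1" * 40,
    "v3.7.6": "2" * 40,
    "v3.7.5": "3" * 40,
    "v3": "1" * 40,
}

# Constructed committer timestamps for the new commits (seconds apart).
T0 = datetime(2026, 5, 18, 12, 0, 0, tzinfo=timezone.utc)
COMMIT_TIMES = {
    "1" * 40: T0,
    "2" * 40: T0 + timedelta(seconds=40),
    "3" * 40: T0 + timedelta(seconds=95),
}


def moved_tags(baseline, current):
    """Return {tag: (old_sha, new_sha)} for every baseline tag whose target
    changed or vanished. A tag that moves without a maintainer release is
    exactly what consumers of floating tags never get told about."""
    return {
        tag: (sha, current.get(tag))
        for tag, sha in baseline.items()
        if current.get(tag) != sha
    }


def clustered(shas, commit_times, window=timedelta(minutes=5), min_count=3):
    """True if at least min_count of the commits were created inside one
    window-long interval, the timing pattern that exposed the imposters."""
    times = sorted(commit_times[s] for s in set(shas) if s in commit_times)
    for i, start in enumerate(times):
        inside = sum(1 for t in times[i:] if t - start <= window)
        if inside >= min_count:
            return True
    return False


def assess(baseline, current, commit_times):
    """Combine both signals into one report for an action repository."""
    moved = moved_tags(baseline, current)
    new_shas = [new for _, new in moved.values() if new]
    return {
        "moved": moved,
        "moved_fraction": len(moved) / len(baseline) if baseline else 0.0,
        "clustered": clustered(new_shas, commit_times),
    }


if __name__ == "__main__":
    report = assess(BASELINE, CURRENT, COMMIT_TIMES)
    for tag, (old, new) in sorted(report["moved"].items()):
        print(f"{tag}: {old[:7]} -> {new[:7] if new else 'missing'}")
    print("fraction of tags moved:", report["moved_fraction"])
    print("clustered imposter commits:", report["clustered"])
```

A single moved tag can be a legitimate re-release, so the report combines the fraction of tags moved with the timing check rather than alerting on either alone; a run where most tags moved and the new commits were created within one short window is the case worth blocking a pipeline over.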

The incident follows a growing pattern of supply chain attacks targeting developer tooling, where adversaries look for high-leverage entry points that can compromise many organizations at once through a single poisoned dependency.

CI/CD pipelines have become a favored target because they often hold powerful credentials for cloud services, code repositories, and deployment systems.

How the Attack Harvests Secrets

Once the malicious commit runs inside a GitHub Actions pipeline, it kicks off a carefully staged sequence of steps.

The payload first downloads the Bun JavaScript runtime to the runner environment, then spawns a Python process that reads the memory address space of the Runner.Worker process, specifically through the /proc/<PID>/mem path.

This is the location where GitHub Actions stores decrypted workflow secrets while a job is actively running.

A workflow run that referenced the compromised action was cancelled by stepsecurity-app[bot] before any malicious code could execute — the Compromised Actions Policy in action (Source - StepSecurity)

The payload then filters that memory dump using standard Unix tools, extracting any value labeled with the internal flag “isSecret”:true.

From there, it pulls the GitHub authentication token and escalates privileges via sudo python3 before sending the collected credentials over an outbound HTTPS connection on port 443 to the attacker’s domain, t.m-kosche.com.

GitHub’s own repository interface flagged the imposter commit 1c9e803 with a warning that it does not belong to any branch, yet it stayed reachable through the moved tags.

Detection and Recommended Steps

StepSecurity’s Harden-Runner tool detected the attack in real time by flagging the Bun download, the suspicious memory read process, and the unexpected outbound network call to t.m-kosche.com.

Workflows running behind Harden-Runner had the attacker’s domain automatically blocked at the network level, meaning credentials could not leave the runner even if the malicious code fully executed.

The attacker attempted to blend in by giving each imposter commit a fake message styled after the legitimate maintainer’s release notes, but the tightly clustered creation timestamps exposed the fraud immediately.

Teams using either affected action are strongly advised to pin their workflows to a full, verified commit SHA rather than a floating version tag, since tags can be silently moved without any notification to consumers.

Security teams should audit recent workflow runs that referenced actions-cool/issues-helper or actions-cool/maintain-one-comment, and treat any exposed tokens or secrets as completely compromised.
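The audit and the re-pinning advised above can be scripted. The following is an added example, not code from the article, StepSecurity or actions-cool: it scans workflow YAML for `uses:` references to the two affected actions, reports whether each is pinned to a full 40-character SHA or floats on a tag, and rewrites floating references using a table of vetted SHAs. KNOWN_GOOD and SAMPLE_WORKFLOW are constructed placeholders; the real pre-incident commit for each tag has to be resolved from the upstream repository's history before the rewrite is trusted.

```python
"""Audit workflow files for the two affected actions and re-pin floating tags
to a full commit SHA.

Added example, not from the article, StepSecurity or actions-cool. KNOWN_GOOD
holds placeholder SHAs; resolve the real pre-incident commit for each tag from
the upstream repository before using the rewrite.
"""
import re

AFFECTED = {"actions-cool/issues-helper", "actions-cool/maintain-one-comment"}
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Matches `uses: owner/repo[/path]@ref` with optional quotes; `rest` keeps any
# closing quote or trailing comment so the line can be rebuilt intact.
USES = re.compile(
    r"""^(?P<indent>[ \t]*-?[ \t]*uses:[ \t]*['"]?)"""
    r"""(?P<action>[^@\s'"]+)@(?P<ref>[^\s'"#]+)(?P<rest>[^\n]*)""",
    re.M,
)

# Constructed placeholder mapping (repo, tag) -> vetted commit SHA.
KNOWN_GOOD = {
    ("actions-cool/issues-helper", "v3.8.0"): "a" * 40,
    ("actions-cool/maintain-one-comment", "v3"): "b" * 40,
}

# Constructed workflow excerpt: two floating references and one SHA pin.
SAMPLE_WORKFLOW = """\
name: issues
on: [issues]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-cool/issues-helper@v3.8.0
        with:
          actions: 'create-comment'
      - uses: 'actions-cool/maintain-one-comment@v3'
      - uses: actions-cool/issues-helper@0000000000000000000000000000000000000000 # v3.7.6
"""


def repo_of(action):
    """owner/repo part of a `uses:` target (drops any subdirectory path)."""
    return "/".join(action.split("/")[:2])


def audit(text):
    """List (action, ref, status) for every reference to an affected action;
    status is 'pinned' for a full SHA and 'floating' for a tag or branch."""
    findings = []
    for m in USES.finditer(text):
        action, ref = m.group("action"), m.group("ref")
        if repo_of(action) not in AFFECTED:
            continue
        status = "pinned" if FULL_SHA.match(ref) else "floating"
        findings.append((action, ref, status))
    return findings


def pin(text, known_good):
    """Rewrite floating references to affected actions as SHA pins, keeping the
    original tag as a trailing comment; tags with no vetted SHA are left alone
    so a human resolves them."""
    def repl(m):
        action, ref, rest = m.group("action"), m.group("ref"), m.group("rest")
        sha = known_good.get((repo_of(action), ref))
        if repo_of(action) not in AFFECTED or FULL_SHA.match(ref) or sha is None:
            return m.group(0)
        comment = "" if "#" in rest else f" # {ref}"
        return f"{m.group('indent')}{action}@{sha}{rest}{comment}"
    return USES.sub(repl, text)


if __name__ == "__main__":
    for finding in audit(SAMPLE_WORKFLOW):
        print(finding)
    print(pin(SAMPLE_WORKFLOW, KNOWN_GOOD))
```

The rewrite keeps the tag name as a comment after the SHA so reviewers can still see which release a pin corresponds to, and it deliberately refuses to pin a tag it has no vetted SHA for rather than guessing; the audit alone can be run across every repository in an organization to build the list of workflows that need attention.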

Rotating all pipeline secrets is the safest and most urgent step to take. Any outbound traffic to t.m-kosche.com observed in CI/CD logs should be treated as a confirmed sign of credential theft.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| Domain | t.m-kosche.com | Attacker-controlled exfiltration domain; receives encoded credentials harvested from Runner.Worker memory |
| File Path | /home/runner/.bun/bin/bun | Path where the Bun JavaScript runtime is downloaded by the malicious payload |
| File Path | /proc/<Runner.Worker PID>/mem | Memory path read by the malicious Python child process to scrape decrypted secrets |
| Process | python3 (sudo) | Escalated Python process used to read runner memory and pipe secret values |
| Command | gh auth token | Command used to pull the GitHub authentication token from the runner |
| Commit SHA | 1c9e803c80cc7fed000022d4c94f4b5bc2e90 | Primary imposter commit for actions-cool/issues-helper v3.8.0; flagged as dangling by GitHub |
| Commit SHA | f0448c62fc57b8a5ce23d8acd6e795cdd76a3 | Imposter commit for actions-cool/issues-helper v3.7.6 |
| Commit SHA | 7f6120bb10c870b9fde146961a18e5bf0b3d4 | Imposter commit for actions-cool/maintain-one-comment v3.3.0 |
| Commit SHA | 4a6ac28684e2b0c48d502b31363ec5dd72f9d | Imposter commit for actions-cool/maintain-one-comment v3.2.1 |
| Network | Port 443 (HTTPS) outbound to t.m-kosche.com | Channel used to exfiltrate harvested credentials from the runner |
| File | index.js (executed via bun) | Entry point JavaScript file executed by the Bun runtime as part of the malicious |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
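Security teams auditing past runs, as recommended above, need the indicators in the table turned into something that can be run over runner logs. The script below is an added example, not code from the article or StepSecurity: it matches the domain, file paths, process and command indicators against log lines, defangs the domain in its output in the manner the note describes, and maps the hits to the article's guidance (traffic to the exfiltration domain is confirmed theft; memory-scrape signs alone still warrant rotation). SAMPLE_LOG and CLEAN_LOG are constructed to resemble runner and Harden-Runner style process and network events; they are not real captures.

```python
"""Scan CI/CD runner logs for the indicators in the IoC table and report them
defanged.

Added example, not from the article or StepSecurity. The log lines are
constructed to resemble runner output; they are not real captures.
"""
import re

# (label, pattern, defang_when_reporting), derived from the IoC table.
INDICATORS = [
    ("exfil-domain", re.compile(r"\bt\.m-kosche\.com\b"), True),
    ("bun-runtime", re.compile(r"/home/runner/\.bun/bin/bun\b"), False),
    ("proc-mem-read", re.compile(r"/proc/\d+/mem\b"), False),
    ("sudo-python", re.compile(r"\bsudo\s+python3\b"), False),
    ("gh-auth-token", re.compile(r"\bgh\s+auth\s+token\b"), False),
    ("secret-flag", re.compile(r'"isSecret"\s*:\s*true'), False),
]

# Constructed log excerpt from a run that executed the malicious commit.
SAMPLE_LOG = [
    "2026-05-18T10:02:11Z Run actions-cool/issues-helper@v3.8.0",
    "2026-05-18T10:02:13Z [process] /home/runner/.bun/bin/bun index.js",
    "2026-05-18T10:02:14Z [process] sudo python3 (opened /proc/1843/mem)",
    "2026-05-18T10:02:14Z [process] gh auth token",
    "2026-05-18T10:02:15Z [network] connect t.m-kosche.com:443 (tcp)",
]

# Constructed log excerpt from an unaffected run.
CLEAN_LOG = [
    "2026-05-18T09:00:00Z Run actions/checkout@v4",
    "2026-05-18T09:00:05Z [network] connect github.com:443 (tcp)",
]


def defang(value):
    """Render a domain or IP as non-resolvable text (a.b.c -> a[.]b[.]c)."""
    return value.replace(".", "[.]")


def scan_log(lines):
    """Return (line_number, label, value) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for label, pattern, needs_defang in INDICATORS:
            m = pattern.search(line)
            if m:
                value = m.group(0)
                hits.append((n, label, defang(value) if needs_defang else value))
    return hits


def verdict(hits):
    """Map hits to the article's guidance: traffic to the exfiltration domain
    is confirmed theft; memory-scrape signs without it still mean rotate."""
    labels = {label for _, label, _ in hits}
    if "exfil-domain" in labels:
        return "credential-theft-confirmed"
    if labels & {"proc-mem-read", "secret-flag", "bun-runtime"}:
        return "memory-scrape-suspected"
    return "clean"


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("verdict:", verdict(scan_log(SAMPLE_LOG)))
    print("clean run verdict:", verdict(scan_log(CLEAN_LOG)))
```

Only the domain is defanged on output, so file paths and commands stay greppable while the indicator that could be clicked or resolved by a log viewer is neutralised; the secret-flag pattern is included for runs where the memory dump itself was echoed, which the sample log does not contain.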

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
