A widely used GitHub Action called actions-cool/issues-helper has been compromised, with every version tag in the repository silently redirected to a malicious commit.
The attack places stolen CI/CD pipeline credentials directly in the hands of an attacker, raising serious concerns for development teams around the world that rely on this action in their automated workflows.
The compromise works in a deceptively simple way. An attacker gained the ability to move tags inside the repository and re-pointed all 53 existing version tags to a single imposter commit that does not appear anywhere in the repository’s normal code history.
Any team whose workflow references this action by a version tag will unknowingly pull and execute the malicious code the next time their pipeline runs. Only workflows pinned to a specific, known-good commit hash remain fully unaffected.
Researchers at StepSecurity identified the attack and published a detailed report on May 18, 2026.
StepSecurity said in a report shared with Cyber Security News (CSN) that the malicious commit uses the open-source Bun JavaScript runtime to execute a payload that reads directly from the memory of the Runner.Worker process, which is the component inside GitHub’s pipeline infrastructure that holds decrypted workflow secrets during a job run.
A second action from the same organization, actions-cool/maintain-one-comment, was also hit using the exact same technique.
All 15 of its version tags were moved to imposter commits, with stolen data being sent to the same attacker-controlled domain.
The speed of the operation was striking: all 53 imposter commits for issues-helper were created within a window of just three minutes and sixteen seconds, and all 15 for maintain-one-comment were created in under forty seconds.
The incident follows a growing pattern of supply chain attacks targeting developer tooling, where adversaries look for high-leverage entry points that can compromise many organizations at once through a single poisoned dependency.
CI/CD pipelines have become a favored target because they often hold powerful credentials for cloud services, code repositories, and deployment systems.
How the Attack Harvests Secrets
Once the malicious commit runs inside a GitHub Actions pipeline, it kicks off a carefully staged sequence of steps.
The payload first downloads the Bun JavaScript runtime to the runner environment, then spawns a Python process that reads the memory address space of the Runner.Worker process, specifically through the /proc/<PID>/mem path.
This is the location where GitHub Actions stores decrypted workflow secrets while a job is actively running.
A workflow run that referenced the compromised action was cancelled by stepsecurity-app[bot] before any malicious code could execute — the Compromised Actions Policy in action (Source – StepSecurity)
The payload then filters that memory dump using standard Unix tools, extracting any value labeled with the internal flag “isSecret”:true.
From there, it pulls the GitHub authentication token and escalates privileges via sudo python3 before sending the collected credentials over an outbound HTTPS connection on port 443 to the attacker’s domain, t.m-kosche.com.
GitHub’s own repository interface flagged the imposter commit 1c9e803 with a warning that it does not belong to any branch, yet it stayed reachable through the moved tags.
Detection and Recommended Steps
StepSecurity’s Harden-Runner tool detected the attack in real time by flagging the Bun download, the suspicious memory read process, and the unexpected outbound network call to t.m-kosche.com.
Workflows running behind Harden-Runner had the attacker’s domain automatically blocked at the network level, meaning credentials could not leave the runner even if the malicious code fully executed.
The attacker attempted to blend in by giving each imposter commit a fake message styled after the legitimate maintainer’s release notes, but the tightly clustered creation timestamps exposed the fraud immediately.
Teams using either affected action are strongly advised to pin their workflows to a full, verified commit SHA rather than a floating version tag, since tags can be silently moved without any notification to consumers.
Security teams should audit recent workflow runs that referenced actions-cool/issues-helper or actions-cool/maintain-one-comment, and treat any exposed tokens or secrets as completely compromised.
Rotating all pipeline secrets is the safest and most urgent step to take. Any outbound traffic to t.m-kosche.com observed in CI/CD logs should be treated as a confirmed sign of credential theft.
Indicators of Compromise (IoCs):-
TypeIndicatorDescriptionDomaint.m-kosche.comAttacker-controlled exfiltration domain; receives encoded credentials harvested from Runner.Worker memoryFile Path/home/runner/.bun/bin/bunPath where the Bun JavaScript runtime is downloaded by the malicious payloadFile Path/proc/<Runner.Worker PID>/memMemory path read by the malicious Python child process to scrape decrypted secretsProcesspython3 (sudo)Escalated Python process used to read runner memory and pipe secret valuesCommandgh auth tokenCommand used to pull the GitHub authentication token from the runnerCommit SHA1c9e803c80cc7fed000022d4c94f4b5bc2e90Primary imposter commit for actions-cool/issues-helper v3.8.0; flagged as dangling by GitHubCommit SHAf0448c62fc57b8a5ce23d8acd6e795cdd76a3Imposter commit for actions-cool/issues-helper v3.7.6Commit SHA7f6120bb10c870b9fde146961a18e5bf0b3d4Imposter commit for actions-cool/maintain-one-comment v3.3.0Commit SHA4a6ac28684e2b0c48d502b31363ec5dd72f9dImposter commit for actions-cool/maintain-one-comment v3.2.1NetworkPort 443 (HTTPS) outbound to t.m-kosche.comChannel used to exfiltrate harvested credentials from the runnerFileindex.js (executed via bun)Entry point JavaScript file executed by the Bun runtime as part of the malicious
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post Compromised GitHub Action Exfiltrates Workflow Credentials to Attacker Domain appeared first on Cyber Security News.
