GitHub Actions tags redirected to imposter commits — CI/CD credentials exfiltrated

Colleagues, I’d like to highlight a cybersecurity incident: the GitHub Action actions-cool/issues-helper has been compromised. StepSecurity found that all tags point to imposter commits containing malicious code that downloads Bun, reads Runner.Worker memory to extract credentials, and exfiltrates them to t.m-kosche[.]com. Fifteen tags of actions-cool/maintain-one-comment are also compromised; GitHub has disabled access. Only workflows pinned to the full SHA remain safe. Why this matters: attackers gain code execution in CI/CD, steal credentials, and threaten the software supply chain. Do you pin actions to full SHAs or plan alternative mitigations? #cybersecurity #supplychain #CI_CD #GitHubActions

