GitHub Actions Supply Chain Attack Redirects Tags to Steal CI/CD Credentials

A software supply chain attack compromised the GitHub Actions workflow actions-cool/issues-helper, using imposter commits and poisoned tags to steal credentials from CI/CD pipelines. StepSecurity also found 15 compromised tags in actions-cool/maintain-one-comment, while the exfiltration domain t.m-kosche[.]com may be linked to the Mini Sha-Hulud campaign.

Keypoints

  • Threat actors compromised actions-cool/issues-helper with malicious code hidden in an imposter commit.
  • Every existing tag in the repository was moved to point to the malicious commit.
  • The code downloads the Bun JavaScript runtime on GitHub Actions runners.
  • It reads Runner.Worker memory to extract credentials from CI/CD pipelines.
  • GitHub disabled access to the repository, and related activity may be tied to Mini Sha-Hulud.
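
One way to audit workflow files for the exposure described in the keypoints, as an added example (not from the original article or from StepSecurity): it flags references to the two actions named above and any action pinned to a movable tag or branch instead of a full commit SHA. The sample workflow, its refs, the SHA and `example-org/example-action` are constructed for illustration.

```python
import re

# Actions this page names as having had tags repointed.
AFFECTED = {"actions-cool/issues-helper", "actions-cool/maintain-one-comment"}

# `uses: owner/repo[/subpath]@ref`; local (./) and docker:// references do not match.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]*)?@([^\s'\"#]+)"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return (line, action, ref, reason) for each risky `uses:` reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if action.lower() in AFFECTED:
            # Flag whatever the ref is: every tag was moved, so review each use.
            findings.append((lineno, action, ref, "affected-action"))
        elif not FULL_SHA_RE.match(ref):
            # Tags and branches can be repointed; a full commit SHA cannot.
            findings.append((lineno, action, ref, "mutable-ref"))
    return findings

# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
name: triage
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions-cool/issues-helper@v3
      - name: comment
        uses: actions-cool/maintain-one-comment@v3
      - uses: example-org/example-action@main
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for lineno, action, ref, reason in audit_workflow(SAMPLE):
        print(f"line {lineno}: {action}@{ref} [{reason}]")
```

Pinning to a full SHA addresses moved tags; it does not by itself show that the SHA belongs to the action's own branch history, so verify that separately.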

Read More: https://thehackernews.com/2026/05/github-actions-supply-chain-attack.html