actions-cool/issues-helper GitHub Action Compromised: All Tags Point to Imposter Commit That Exfiltrates CI/CD Credentials - StepSecurity
Threat Intel
The popular GitHub Action actions-cool/issues-helper has been compromised. Every existing tag in the repository has been moved to point to a single imposter commit that does not appear in the action's normal commit history. That commit contains malicious code that exfiltrates credentials from CI/CD pipelines that run the action.
Varun Sharma
May 18, 2026
Because every tag now resolves to the malicious commit, any workflow that references the action by tag or version pulls the malicious code on its next run. Only workflows pinned to a known-good full commit SHA are unaffected.

A second action in the same organization, actions-cool/maintain-one-comment, has also been compromised by the same actor using the identical pattern: every tag moved to an imposter commit, the same bun + Runner.Worker memory-read payload, and the same exfiltration domain t.m-kosche.com. Everything below about detection, IOCs, and remediation applies equally to maintain-one-comment. We have notified the maintainers via GitHub issue #11.

What Happened

An attacker gained the ability to move tags in the actions-cool/issues-helper repository.

All tags were re-pointed to an imposter commit, a commit that is not reachable from the action's default branch history.

That imposter commit contains malicious code that, when executed inside a GitHub Actions runner:
Downloads the bun JavaScript runtime to the runner.
Reads memory from the Runner.Worker process, the process that holds the workflow's decrypted secrets, to harvest credentials.
Makes an outbound HTTPS call to an attacker-controlled domain to exfiltrate the stolen data.
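Which of your own workflows will pull the imposter commit on their next run follows directly from the rule above: any reference to either action by tag, version or branch does, and only a known-good full commit SHA does not. The script below is an added example, not StepSecurity's tooling or the actions-cool project's code, that applies that rule to workflow text: it parses every `uses:` line, flags a mutable reference to either compromised action as critical, flags a full-SHA pin to them for review (the SHA still has to be known-good, i.e. reachable from the default branch rather than the imposter commit), and flags any other action that is not SHA-pinned as the same class of risk. The sample workflow is constructed, and the 40-hex SHAs in it are placeholders rather than real commits.

```python
"""Audit GitHub Actions workflow text for references to the compromised
actions-cool actions.

Added example for this advisory; it is not StepSecurity's tooling or the
actions-cool project's code. SAMPLE_WORKFLOW below is constructed, and the
40-hex SHAs in it are placeholders, not real commits.
"""
import re

# The two actions named in the advisory. Every tag in both repositories was
# moved to the imposter commit, so any mutable reference now runs it.
COMPROMISED_ACTIONS = {
    "actions-cool/issues-helper",
    "actions-cool/maintain-one-comment",
}

# `uses:` values look like owner/repo[/subdir]@ref. Only a full 40-hex-char
# commit SHA is immutable; tags, branches and short SHAs can be re-pointed.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(value):
    """Split 'owner/repo/subdir@ref' into ('owner/repo', ref).

    Returns None for local (./path) and docker:// references, which have
    no repository tag that an attacker could move.
    """
    if value.startswith("./") or value.startswith("docker://"):
        return None
    target, sep, ref = value.partition("@")
    if not sep:
        ref = ""  # no @ref at all: GitHub resolves this to the default branch
    parts = target.split("/")
    if len(parts) < 2:
        return None
    return "/".join(parts[:2]), ref


def audit_workflow(text):
    """Return (severity, 'owner/repo', ref) findings for one workflow file.

    critical: a compromised action referenced by tag, branch or short SHA.
    review:   a compromised action pinned to a full SHA; only a *known-good*
              SHA is safe, so confirm it is reachable from the repository's
              default branch and is not the imposter commit itself.
    warning:  any other action not pinned to a full SHA (same class of risk).
    """
    findings = []
    for match in USES_RE.finditer(text):
        parsed = parse_uses(match.group(1))
        if parsed is None:
            continue
        repo, ref = parsed
        pinned = bool(FULL_SHA_RE.match(ref))
        shown_ref = ref or "<default branch>"
        if repo in COMPROMISED_ACTIONS:
            findings.append(("review" if pinned else "critical", repo, shown_ref))
        elif not pinned:
            findings.append(("warning", repo, shown_ref))
    return findings


# Constructed workflow for illustration only; the SHAs are placeholders.
SAMPLE_WORKFLOW = """\
name: triage
on: [issues]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions-cool/issues-helper@v3
        with:
          actions: 'add-labels'
      - uses: actions-cool/maintain-one-comment@main
      - uses: actions-cool/issues-helper@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: some-org/some-action@v1.2.3
"""

if __name__ == "__main__":
    for severity, repo, ref in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{severity:8} {repo}@{ref}")
```

Run it over the contents of each file under .github/workflows/; a reference with no @ref at all is reported as `<default branch>`, because GitHub resolves it to the repository's default branch, which the attacker could also control. The review finding exists because a SHA pinned after the compromise could be the imposter commit itself; the page notes that commit is not reachable from the default branch, which is the check to make before trusting the pin.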
The actions-cool/issues-helper Tags page on GitHub. Every release tag was updated within the same hour.

The imposter commit 1c9e803 with GitHub's own warning: it does not belong to any branch on the repository. Tags now resolve to this dangling commit.

You can see this behavior in a controlled Harden-Runner test run here: https://app.stepsecurity.io/github/actions-security-demo/compromised-packages/actions/runs/26056902433

Harden-Runner captured the bun download, the Runner.Worker memory read, and the outbound call to t.m-kosche.com.
Harden-Runner Insights flags the actions-cool/issues-helper@v3 step with an Imposter Commit badge and a Suspicious Processes warning the moment the workflow runs.

The malicious payload spawns python3 and reads /proc/2119/mem, the address space of the Runner.Worker process (PID 2119 in this run), to scrape decrypted secrets directly out of runner memory.
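The runner-side behaviour in this incident, as detection logic over a process and network event stream. This is an added example, not Harden-Runner's implementation or output: the event shape, PIDs and command lines are constructed to mirror what the advisory describes (bun executing the action's index.js, sudo python3 reading /proc/<Runner.Worker pid>/mem, a grep for the "isSecret":true marker, and a connection to t.m-kosche.com), and the _actions/<owner>/<repo>/<ref> checkout path used to attribute a process back to its action step is assumed from the hosted-runner layout. The memory-read rule only fires when the target PID is Runner.Worker, so ordinary tools that touch their own /proc entries are not flagged.

```python
"""Flag the runtime behaviours from this advisory in a process/network event
stream: a process reading Runner.Worker's memory, a command line grepping for
the runner's "isSecret":true secret marker, and an outbound connection to the
exfiltration domain. Each finding is attributed to the action step whose
checkout the process descends from.

Added example; the event format, PIDs and command lines are constructed and
are not Harden-Runner's data model or output. The _actions/<owner>/<repo>/<ref>
path is assumed from the GitHub-hosted runner checkout layout.
"""
import re

# Exfiltration domain named in the advisory for both compromised actions.
IOC_DOMAINS = {"t.m-kosche.com"}

PROC_MEM_RE = re.compile(r"/proc/(\d+)/mem\b")
SECRET_MARKER = '"isSecret":true'
ACTION_PATH_RE = re.compile(r"/_actions/([^/\s]+/[^/\s]+/[^/\s]+)/")

# Constructed events: 'exec' has pid, ppid, cmd; 'net' has pid, dst.
EVENTS = [
    {"type": "exec", "pid": 2119, "ppid": 1800,
     "cmd": "/home/runner/actions-runner/bin/Runner.Worker spawnclient 109 112"},
    {"type": "exec", "pid": 2400, "ppid": 2119,
     "cmd": "/usr/local/bin/node /home/runner/work/_actions/actions-cool/issues-helper/v3/dist/index.js"},
    {"type": "exec", "pid": 2411, "ppid": 2400,
     "cmd": "/home/runner/.bun/bin/bun /home/runner/work/_actions/actions-cool/issues-helper/v3/dist/index.js"},
    {"type": "exec", "pid": 2420, "ppid": 2411, "cmd": "gh auth token"},
    {"type": "exec", "pid": 2421, "ppid": 2411,
     "cmd": "sudo python3 -c \"open('/proc/2119/mem','rb')\""},
    {"type": "exec", "pid": 2422, "ppid": 2421, "cmd": "grep -a -o \"isSecret\":true"},
    {"type": "net", "pid": 2400, "dst": "api.github.com"},
    {"type": "net", "pid": 2411, "dst": "t.m-kosche.com"},
]


def runner_worker_pids(events):
    """PIDs of Runner.Worker, the process that holds the decrypted secrets."""
    return {e["pid"] for e in events
            if e["type"] == "exec" and "Runner.Worker" in e["cmd"]}


def attribute_to_action(pid, events):
    """Walk the parent chain until a command line runs code checked out under
    _actions/ and return that 'owner/repo/ref'; None if no action ancestor."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "exec"}
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        found = ACTION_PATH_RE.search(by_pid[pid]["cmd"])
        if found:
            return found.group(1)
        pid = by_pid[pid]["ppid"]
    return None


def detect(events, ioc_domains=IOC_DOMAINS):
    """Return (rule, pid, action, detail) findings in event order."""
    worker_pids = runner_worker_pids(events)
    findings = []
    for e in events:
        action = attribute_to_action(e["pid"], events)
        if e["type"] == "exec":
            # A /proc/<pid>/mem read is only alarming when <pid> is Runner.Worker.
            if any(int(p) in worker_pids for p in PROC_MEM_RE.findall(e["cmd"])):
                findings.append(("runner_memory_read", e["pid"], action, e["cmd"]))
            if SECRET_MARKER in e["cmd"]:
                findings.append(("secret_scrape_pattern", e["pid"], action, e["cmd"]))
        elif e["type"] == "net":
            if e["dst"].lower().rstrip(".") in ioc_domains:
                findings.append(("ioc_domain", e["pid"], action, e["dst"]))
    return findings


if __name__ == "__main__":
    for rule, pid, action, detail in detect(EVENTS):
        print(f"{rule:22} pid={pid} action={action} {detail}")
```

On the constructed stream this yields three findings, all attributed to actions-cool/issues-helper/v3 because the sudo python3 and grep processes descend from the bun process that executed the action's index.js; the benign api.github.com call from the node process is not reported. The domain match is the weakest of the three rules, since an attacker can change infrastructure, which is why the memory-read rule keys on the Runner.Worker PID rather than on any fixed string.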
The bun runtime executes the action's index.js and spawns child processes that pull a GitHub auth token (gh auth token), escalate via sudo python3, and pipe the memory dump through tr/grep to extract anything tagged "isSecret":true.

Harden-Runner's network monitor catches the bun process making an anomalous outbound call to t.m-kosche.com — the destination for the exfiltrated secrets.

How StepSecurity Is Protecting Customers

1. Compromised Actions Policy — Blocks the Run

StepSecurity has added actions-cool/issues-helper to its Compromised Actions Policy. For any enterprise customer with this policy enabled, any workflow run that references this action will be blocked before it executes, preventing the malicious code from ever running in the customer's CI/CD environment.
A workflow run that referenced the compromised action was cancelled by stepsecurity-app[bot] before any malicious code could execute — the Compromised Actions Policy in action.

2. Harden-Runner Global Block List — Blocks the Exfiltration

StepSecurity has added the attacker's exfiltration domain to the Harden-Runner global block list. Any workflow protected by Harden-Runner will automatically block outbound connections to this domain, even in audit mode and without any per-workflow configuration. This gives customers defense in depth: even if a compromised action somehow runs, the credentials cannot leave the runner.
The Harden-Runner organization baseline surfaces every job that has called t.m-kosche.com under the IOC matches view, labelled with the incident name — making it trivial to identify which workflows and runners need attention.

3. Imposter...