Compromised GitHub Actions tags exfiltrated CI/CD secrets from runners
Threat actors compromised the popular GitHub Actions repositories actions-cool/issues-helper and actions-cool/maintain-one-comment by moving version tags to imposter commits outside the normal commit history, causing workflows that referenced those tags to fetch and run malicious code. Researchers said the payload downloaded the Bun JavaScript runtime, read memory from the GitHub Actions Runner.Worker process to recover decrypted secrets, and exfiltrated the data over HTTPS to the attacker-controlled domain t.m-kosche[.]com; workflows pinned to a known-good full commit SHA were not affected. GitHub later disabled access to the repository for a terms-of-service violation, while StepSecurity added the action to its Compromised Actions Policy and blocked the exfiltration domain through Harden-Runner.
The incident highlights a broader GitHub Actions supply-chain risk in which CI/CD trust can be subverted through mutable references and weak integrity controls. Separate research showed that a modified Maven wrapper in a pull request could achieve code execution on GitHub-hosted runners and, if merged, later expose release secrets such as Maven publishing credentials and GPG material, underscoring the need for checksum validation on wrapper scripts and immutable pinning to trusted commit SHAs for third-party actions. StepSecurity also linked the same exfiltration infrastructure to the recent Mini Shai-Hulud activity targeting npm packages in the @antv ecosystem, suggesting the GitHub Actions compromise may be part of a wider supply-chain campaign.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Researchers link exfiltration domain to Mini Shai-Hulud activity
The attacker-controlled domain t.m-kosche[.]com used in the GitHub Action compromise was reported as also appearing in the recent Mini Shai-Hulud campaign targeting npm packages in the @antv ecosystem. This suggested the two activity clusters may be related.
GitHub disables access to compromised actions-cool repository
GitHub disabled access to the affected repository for a terms-of-service violation after the malicious tag redirection was identified. The action's compromise had exposed CI/CD pipelines using version tags to attacker-controlled code.
Second actions-cool action found compromised with same payload
StepSecurity found that 15 tags for a second GitHub Action, actions-cool/maintain-one-comment, were also redirected to malicious imposter commits carrying the same credential-stealing functionality. This expanded the scope of the supply-chain compromise beyond the initially disclosed repository.
StepSecurity deploys mitigations for compromised GitHub Action
Following its advisory, StepSecurity said it added actions-cool/issues-helper to its Compromised Actions Policy, blocked the attacker domain through Harden-Runner, and used imposter commit detection to identify affected workflows. It also noted that workflows pinned to a known-good full commit SHA were unaffected.
StepSecurity discloses compromise of actions-cool/issues-helper tags
StepSecurity reported that all tags in the actions-cool/issues-helper GitHub Action repository had been moved to imposter commits outside the normal commit history. The malicious action was said to download Bun, read memory from the GitHub Actions Runner.Worker process to harvest decrypted secrets, and exfiltrate them over HTTPS to an attacker-controlled domain.
Affected organization classifies Maven Wrapper report as informative
The organization discussed in the pipeline poisoning research said the finding was informative rather than a vulnerability, stating that manual code review and branch protections were the intended trust boundary. The write-up warned that merged malicious wrapper changes could later execute in privileged release workflows and expose secrets.
Researcher demonstrates pipeline poisoning via modified Maven Wrapper
A security researcher showed that a GitHub Actions CI/CD pipeline could be abused through a Maven Wrapper configuration missing the distributionSha256Sum integrity check. By altering the mvnw script in a fork and submitting a pull request, the researcher achieved code execution on a GitHub-hosted runner and exfiltrated basic environment data as proof.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Compromised GitHub Action Exfiltrates Workflow Credentials to Attacker Domain
cybersecuritynews.com
Open sourceGitHub Actions workflow compromised to steal CI/CD credentials | brief | SC Media
scworld.com
Open sourcePopular GitHub Action Tags Redirected to Imposter Commit to Steal CI/CD Credentials
thehackernews.com
Open sourceactions-cool/issues-helper GitHub Action Compromised: All Tags Point to Imposter Commit That Exfiltrates CI/CD Credentials - StepSecurity
stepsecurity.io
Open sourceThe Trojan PR: Achieving Code Execution in GitHub Actions via Pipeline Poisoning | by Hacker MD | May, 2026 | InfoSec Write-ups
infosecwriteups.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Backdoored `tj-actions/changed-files` GitHub Action Leaked CI Secrets from Workflow Logs
The widely used GitHub Action **`tj-actions/changed-files`** was compromised after an attacker gained write access to the repository and retargeted release tags to a malicious orphaned commit, causing workflows pinned to tags rather than immutable SHAs to run attacker-controlled code. The backdoor downloaded and executed a remote payload that scraped decrypted GitHub Actions secrets from process memory and printed them into workflow logs, exposing repositories that executed the action and creating acute risk for public projects where logs were openly accessible. The incident was detected after anomalous outbound network activity was observed, and the maintainer removed the malicious changes soon afterward. Follow-on analysis found the blast radius was substantial because the action was referenced across roughly **23,000 repositories** and many workflows were not pinned to a full commit hash. GitGuardian reported that among workflows executed during the compromise window, hundreds showed signs of exploitation and **603 secrets** were exposed in logs, including temporary GitHub tokens, DockerHub credentials, AWS keys, GitHub personal access tokens, Jira tokens, and cloud.gov credentials. Organizations using the action were urged to review workflow runs from March 14 onward, delete affected logs, rotate any exposed credentials, audit dependencies and commits, and pin third-party GitHub Actions to full commit SHAs to reduce future supply-chain risk.
May 27, 2026
AI-Assisted GitHub Actions Campaign Exploited `pull_request_target` to Steal Secrets
Researchers reported that the `prt-scan` campaign abused misconfigured GitHub Actions workflows using the `pull_request_target` trigger to run attacker-controlled code from forked pull requests in privileged CI contexts. The actor used at least six GitHub accounts to submit more than 500 malicious pull requests across six waves, disguising many as routine CI updates and tailoring payloads to Python, Node.js, Go, Rust, and GitHub Actions repositories. Wiz said the operation evolved from simple bash payloads into AI-assisted, repository-aware implants designed to steal `GITHUB_TOKEN` values, enumerate secrets, probe cloud metadata services, and exfiltrate credentials through workflow logs and pull request comments. The campaign succeeded often enough to cause real supply-chain impact despite an estimated success rate below 10%. Wiz confirmed compromise of the npm packages **`@codfish/eslint-config`** and **`@codfish/actions`** across 106 versions, and verified theft of AWS keys, Cloudflare API tokens, and Netlify authentication tokens. High-profile projects including Sentry, OpenSearch, IPFS, NixOS, Jina AI, and recharts reportedly blocked the attempts through contributor approval gates and workflow restrictions. The activity follows earlier warnings from Sysdig that insecure use of `pull_request_target` in prominent repositories such as MITRE, Splunk, and Spotipy could expose secrets and high-privilege `GITHUB_TOKEN` permissions, underscoring that unsafe GitHub Actions defaults remain an active software supply-chain risk.
Jun 8, 2026
GitHub Actions flaws exposed repositories to token leaks and privileged workflow compromise
Researchers and maintainers disclosed multiple GitHub Actions security issues that could let attackers steal credentials or gain code execution in CI/CD pipelines. Sansec and Packagist warned that older Composer releases could print raw `GITHUB_TOKEN` values into GitHub Actions logs after rejecting GitHub’s newer hyphenated token format, creating a supply-chain risk for PHP projects, especially public repositories and older repositories where the default token still had write access. Composer issued fixes in versions `2.9.8`, `2.2.28`, and `1.10.28`, while GitHub rolled back the token format rollout to reduce immediate exposure. Separate disclosures showed how workflow design and cache handling can turn limited CI access into broader repository compromise. A newly assigned `CVE-2026-42603` affects OWASP BLT before `2.1.2`, where a privileged `pull_request_target` workflow checked out and executed code from an attacker-controlled fork, enabling remote code execution with repository write permissions. Earlier research on GitHub Actions cache poisoning described "Actions Cache Blasting," a technique that abuses client-controlled cache keys, cache eviction, and lingering runtime tokens to replace cached artifacts used by more privileged workflows, potentially leading to secret disclosure, release-signing compromise, and tampered build outputs without visible changes in source code or workflow logs.
May 14, 2026