Ethical Hacking News
A recent vulnerability in GitHub Actions workflow has exposed sensitive credentials from CI/CD pipelines to malicious actors. To stay ahead of emerging threats, developers and security teams must prioritize the use of reputable dependencies, keep software up-to-date, and implement robust monitoring and testing protocols.
Cybersecurity experts have identified a critical vulnerability in the GitHub Actions workflow "actions-cool/issues-helper" which has been exploited by malicious actors. Threat actors have compromised the repository, injecting malicious code into an imposter commit to bypass standard Pull Request reviews and achieve arbitrary code execution. The malicious code downloads the Bun JavaScript runtime, reads memory from a GitHub Actions runner, and makes an outbound HTTPS call to transmit stolen data. Multiple tags associated with another GitHub action have also been compromised, posing a significant risk to organizations that rely on these workflows. Developers and security teams must prioritize the use of reputable dependencies, keep software up-to-date, and implement robust monitoring and testing protocols to detect vulnerabilities before they can be exploited.
Cybersecurity experts have sounded the alarm on a critical vulnerability in the popular GitHub Actions workflow, actions-cool/issues-helper, which has been exploited by malicious actors to harvest sensitive credentials and exfiltrate them to attacker-controlled servers. The breach has left many organizations scrambling to secure their CI/CD pipelines and prevent further attacks.
According to recent reports, threat actors have compromised the actions-cool/issues-helper repository on GitHub, injecting malicious code into an imposter commit that does not appear in the normal commit history of the action. This deceptive software supply chain attack strategy allows attackers to bypass standard Pull Request (PR) reviews and achieve arbitrary code execution, compromising the security of CI/CD pipelines.
In a statement released by StepSecurity, researchers revealed that the malicious code contained in the imposter commit performs a series of actions upon being executed within a GitHub Actions runner. These actions include:
* Downloading the Bun JavaScript runtime to the runner
* Reading memory from the Runner.Worker process to extract credentials
* Making an outbound HTTPS call to an attacker-controlled domain ("t.m-kosche[.]com") to transmit the stolen data
The vulnerability is particularly concerning because it affects multiple tags associated with a second GitHub action, "actions-cool/maintain-one-comment", which have also been compromised with the same functionality. This means that any workflow referencing the action by version pulls the malicious code on its next run, posing a significant risk to organizations that rely on these workflows.
The domain "t.m-kosche[.]com" has been observed in recent attacks targeting npm packages from the @antv ecosystem, suggesting a possible connection between the two clusters of activity. However, it is not yet clear what led GitHub to disable access to the repository due to a violation of their terms of service.
Fortunately, StepSecurity pointed out that only workflows pinned to a known-good full commit SHA are unaffected by this vulnerability, providing some relief to organizations that have taken steps to secure their pipelines. Nevertheless, the incident highlights the need for vigilance in monitoring and securing CI/CD pipelines against emerging threats.
To mitigate the risk of similar attacks in the future, developers and security teams must prioritize the use of reputable dependencies, keep software up-to-date, and implement robust monitoring and testing protocols to detect vulnerabilities before they can be exploited. By taking proactive steps to address this vulnerability, organizations can minimize their exposure to potential attacks and ensure the continued integrity of their CI/CD pipelines.
Summary:
A critical vulnerability in GitHub Actions workflow has been discovered, allowing malicious actors to harvest sensitive credentials from CI/CD pipelines. The breach was caused by a software supply chain attack that compromised a repository on GitHub, injecting malicious code into an imposter commit. Organizations that use affected workflows are advised to take immediate action to secure their pipelines and prevent further attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Vulnerability-in-GitHub-Actions-Workflow-Exposes-CICD-Credentials-to-Malicious-Actors-ehn.shtml
https://thehackernews.com/2026/05/github-actions-supply-chain-attack.html
Published: Tue May 19 02:28:35 2026 by llama3.2 3B Q4_K_M
