actions-cool GitHub Actions Tag Hijack Credential Theft

GitHub Action tags for actions-cool/issues-helper and actions-cool/maintain-one-comment were moved to imposter commits that scraped GitHub Actions runner memory and exfiltrated CI/CD secrets.

Date:
Severity:
critical
Sources:
1
#supply-chain #github-actions #ci-cd #credential-theft #tag-hijack

Executive Summary

StepSecurity reported that actions-cool/issues-helper and actions-cool/maintain-one-comment had all of their reviewed tags moved to imposter commits on 2026-05-18. Workflows referencing those tags could execute attacker-controlled action code while the workflow file still appeared to use a familiar third-party action (StepSecurity).

The payload used Bun/JavaScript and Python to inspect the memory of the GitHub Actions Runner.Worker process, extract decrypted secrets, and exfiltrate them to t[.]m-kosche[.]com. Any repository that ran affected action tags during the exposure window should rotate GitHub, cloud, package-registry, deployment, and OIDC-related credentials reachable by those workflows (StepSecurity).

Key Facts

threat_type: "GitHub Action tag hijack and CI credential theft"
ecosystem: "GitHub Actions"
registry: "GitHub repositories and action tags"
affected_packages:
  - "actions-cool/issues-helper"
  - "actions-cool/maintain-one-comment"
malicious_versions:
  - "actions-cool/issues-helper 53 affected tags reported by StepSecurity"
  - "actions-cool/maintain-one-comment 15 affected tags reported by StepSecurity"
known_good_versions:
  - "verified pre-compromise commit SHAs"
fixed_or_safe_versions:
  - "pin to verified full commit SHA or remove action until maintainer cleanup is confirmed"
execution_trigger: "GitHub Actions workflow referencing a hijacked action tag"
primary_impact: "GitHub Actions secret theft from runner process memory"
campaign_context: "Part of the May 2026 wave targeting CI/CD trust anchors and mutable tags."
confidence: "high"
canonical_source: "https://www.stepsecurity.io/blog/actions-cool-issues-helper-github-action-compromised-all-tags-point-to-imposter-commit-that-exfiltrates-ci-cd-credentials"
last_verified: "2026-05-24"

Source Confidence & Evidence Mapping

  • confirmed: StepSecurity reports 53 actions-cool/issues-helper tags and 15 actions-cool/maintain-one-comment tags pointing to imposter commits (StepSecurity).
  • confirmed: The imposter commits were not reachable from the default branch, making tag target reachability a useful detection signal (StepSecurity).
  • confirmed: The payload attempted to read Runner.Worker memory and exfiltrate secrets to t[.]m-kosche[.]com (StepSecurity).
  • unclear: Public reporting does not establish which downstream organizations had successful secret exfiltration.

Attack Execution Flow

sequenceDiagram
    autonumber
    actor Attacker
    participant ActionRepo as actions-cool Repositories
    participant Workflow as Victim Workflow
    participant Runner as GitHub Actions Runner
    participant C2 as Exfiltration Domain

    Attacker->>ActionRepo: Move release tags to imposter commits
    Workflow->>ActionRepo: Resolve action by mutable tag
    ActionRepo->>Runner: Serve malicious action code
    Runner->>Runner: Payload reads Runner.Worker memory
    Runner->>C2: Exfiltrate decrypted workflow secrets

Timeline

  • 2026-05-18T19:10:24Z StepSecurity reports the actions-cool/issues-helper imposter-commit window beginning; affected tags were moved within minutes (StepSecurity).
  • 2026-05-18T19:30:30Z StepSecurity reports the actions-cool/maintain-one-comment imposter-commit window beginning (StepSecurity).
  • 2026-05-19 StepSecurity publishes the public technical report (StepSecurity).
  • 2026-05-24 This local feed split creates a standalone actions-cool article instead of grouping it into a weekly roundup.

What Happened

The attacker moved GitHub Action tags to imposter commits. Workflows using mutable tag references such as @vX could execute malicious action code without any change to the victim repository’s workflow file. This is the same class of trust failure as a package tag rewrite, but the execution environment is CI/CD.

StepSecurity’s analysis showed that the imposter action code tried to scrape secrets from the runner process itself. That is significant because GitHub Actions masks secrets in logs, but the runner must still hold usable values in memory while jobs execute.

Technical Analysis

Initial Access

The public report proves tag movement and imposter commits but does not establish the exact credential or account takeover path that allowed tag manipulation.

Package or Artifact Tampering

The tampered artifacts were Git refs: all reported action tags pointed to commits that were not part of the legitimate default-branch history. Defenders should compare action tag targets against known-good commit SHAs and default-branch reachability (StepSecurity).

Execution Trigger

Execution occurs when a GitHub Actions workflow uses the affected action by tag. No package install is required beyond normal action resolution.

Payload Behavior

The payload used Bun/JavaScript and Python to identify the Runner.Worker process and read its process memory. It searched for secret material available to the job and prepared it for exfiltration (StepSecurity).

Exfiltration / C2

The reported exfiltration domain is t[.]m-kosche[.]com. Any outbound traffic from GitHub Actions runners to this domain during affected workflow runs should be treated as a credential-loss event.

Propagation

No autonomous propagation is reported. The blast radius is every repository and workflow that referenced the hijacked tags during the compromise window.

Obfuscation or Evasion

The primary evasion is trust indirection. The workflow file still names the expected action, but the tag target changed underneath it. The malicious commits not being reachable from the default branch provides a strong detection heuristic.
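The reachability heuristic above, as an added example that is not part of the StepSecurity report or the actions-cool projects: a small Python audit that peels every tag in a local clone to its commit and asks git whether that commit is an ancestor of the default branch. It assumes `git` is on PATH and that the clone's default branch is named `main`; `make_demo_repo()` builds a constructed throwaway repository in which one tag is retargeted to a dangling commit, mimicking the hijack.

```python
import subprocess
import tempfile

def git(repo, *args):
    """Run git in `repo` and return stdout; raises on a non-zero exit."""
    return subprocess.run(["git", "-C", repo, "-c", "user.name=demo",
                           "-c", "user.email=demo@example.invalid", *args],
                          check=True, capture_output=True, text=True).stdout.strip()

def tag_target_reachable(repo, tag, default_branch="main"):
    """Return (commit, reachable). A tag whose commit is not an ancestor of the
    default branch matches the imposter-commit pattern described in the report."""
    commit = git(repo, "rev-parse", f"refs/tags/{tag}^{{commit}}")  # peel annotated tags
    proc = subprocess.run(["git", "-C", repo, "merge-base", "--is-ancestor",
                           commit, default_branch], capture_output=True, text=True)
    if proc.returncode not in (0, 1):  # 0 = ancestor, 1 = not; anything else is an error
        raise RuntimeError(proc.stderr.strip())
    return commit, proc.returncode == 0

def audit_tags(repo, default_branch="main"):
    """Map every tag in the clone to (commit, reachable-from-default-branch)."""
    return {t: tag_target_reachable(repo, t, default_branch)
            for t in git(repo, "tag", "--list").splitlines()}

def make_demo_repo():
    """Constructed throwaway repo (not real actions-cool history):
    v0 stays on main, v1 is moved to a commit that main cannot reach."""
    repo = tempfile.mkdtemp()
    subprocess.run(["git", "init", "-q", repo], check=True, capture_output=True)
    git(repo, "symbolic-ref", "HEAD", "refs/heads/main")
    git(repo, "commit", "-q", "--allow-empty", "-m", "legitimate release")
    git(repo, "tag", "v0")
    git(repo, "tag", "v1")
    git(repo, "checkout", "-q", "--detach")          # leave main untouched
    git(repo, "commit", "-q", "--allow-empty", "-m", "imposter commit")
    git(repo, "tag", "-f", "v1")                     # retarget v1 like the hijack
    return repo

if __name__ == "__main__":
    for tag, (commit, ok) in audit_tags(make_demo_repo()).items():
        print(f"{tag}\t{commit[:12]}\t{'ok' if ok else 'NOT reachable from main'}")
```

Against a real clone, run `audit_tags("/path/to/clone", "origin/main")` after `git fetch --tags`; every tag reported as not reachable deserves the same scrutiny the report applied to the actions-cool tags.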

MITRE ATT&CK Mapping

| Tactic | Technique ID | Technique Name | Observed Behavior |
| --- | --- | --- | --- |
| Initial Access | T1195.002 | Compromise Software Supply Chain | Mutable action tags resolved to attacker-controlled commits. |
| Execution | T1059 | Command and Scripting Interpreter | Bun/JavaScript and Python executed on GitHub Actions runners. |
| Credential Access | T1003 | OS Credential Dumping | Payload read Runner.Worker process memory for decrypted secrets. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Secrets were sent to attacker infrastructure. |
| Defense Evasion | T1036 | Masquerading | Malicious code was hidden behind familiar action tag names. |

Affected Assets and Blast Radius

affected_assets:
  ecosystems:
    - "GitHub Actions"
  packages:
    - "actions-cool/issues-helper"
    - "actions-cool/maintain-one-comment"
  versions:
    - "53 issues-helper tags reported by StepSecurity"
    - "15 maintain-one-comment tags reported by StepSecurity"
  repositories:
    - "actions-cool/issues-helper"
    - "actions-cool/maintain-one-comment"
  ci_cd_systems:
    - "GitHub Actions"
  container_images: []
  developer_tools:
    - "GitHub Actions workflows"
credentials_at_risk:
  - "GitHub Actions secrets"
  - "GitHub tokens"
  - "OIDC tokens"
  - "cloud credentials"
  - "package registry credentials"
  - "deployment credentials"
not_currently_known_to_affect:
  - "Workflows pinned to verified full commit SHAs outside the imposter commits."

Indicators of Compromise

package_versions:
  - "actions-cool/issues-helper affected tags"
  - "actions-cool/maintain-one-comment affected tags"
files:
  - ".github/workflows/*.yml"
hashes:
  - "8064d4e0322f069b3dba13e7957ff0ca7dab7984"
  - "6e79ae622b7ef30f31fdbcc2dc65339e"
domains:
  - "t[.]m-kosche[.]com"
urls: []
ips: []
process_patterns:
  - "python3 reading /proc/<Runner.Worker PID>/mem"
  - "bun executing unexpected action code"
network_patterns:
  - "POST or HTTPS traffic from GitHub Actions runner to t[.]m-kosche[.]com"
provenance_signals:
  - "GitHub Action tag target not reachable from default branch"
  - "actions-cool tag target changed around 2026-05-18T19:10:24Z or 2026-05-18T19:30:30Z"

Detection and Hunting

lockfiles: []
filesystem:
  - "Search workflow files for actions-cool/issues-helper and actions-cool/maintain-one-comment."
process:
  - "Alert on python3 reading /proc/*/mem on GitHub Actions runners."
  - "Alert on unexpected Bun execution from third-party action code."
network:
  - "Search runner egress logs for t[.]m-kosche[.]com."
github_audit:
  - "Enumerate workflow runs using affected actions during 2026-05-18 through cleanup."
  - "Compare action tag targets against default-branch reachability."
ci_cd:
  - "Identify runs where affected actions had access to high-value secrets or OIDC permissions."
registry:
  - "Block actions-cool actions by tag until known-good full SHAs are pinned."
sigma_candidates:
  - "Linux Process Access: Python Reads GitHub Actions Runner.Worker Memory"
yara_candidates:
  - "Action JavaScript referencing Runner.Worker memory and t.m-kosche.com"

Remediation Workflow

  • Immediate: Disable workflows using affected actions, preserve logs, block t[.]m-kosche[.]com, and rotate all secrets available to affected workflow runs.
  • Short-term: Replace action tags with verified full commit SHAs or alternate maintained actions, audit workflow permissions, and review whether OIDC tokens or deployment credentials were available during affected runs.
  • Long-term: Enforce SHA pinning for third-party actions, detect action tag target drift, restrict runner egress, and apply least-privilege job permissions by default.
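The workflow search and SHA-pinning steps above, as an added example that is not code from the report or the actions-cool projects: a Python scanner that pulls every third-party `uses:` reference out of a workflow file, marks whether the ref is an immutable 40-hex commit or a movable tag/branch, and flags references to the two affected actions that still resolve by tag. The sample workflow and its SHAs are constructed for the example.

```python
import re

# Actions named in the StepSecurity report; any mutable ref to them is flagged.
AFFECTED_ACTIONS = {"actions-cool/issues-helper", "actions-cool/maintain-one-comment"}

# `uses: owner/repo[/subpath]@ref`; local (./) and docker:// references do not match.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)(/[^@'\"\s]*)?@([^'\"\s#]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(ref):
    """A full 40-hex SHA is immutable; a tag or branch name can be moved."""
    return "sha" if SHA_RE.match(ref) else "mutable"

def scan_workflow(text):
    """Return one finding per third-party action reference in a workflow file."""
    findings = []
    for m in USES_RE.finditer(text):
        action, _subpath, ref = m.groups()
        pin = classify_ref(ref)
        affected = action in AFFECTED_ACTIONS
        findings.append({
            "action": action, "ref": ref, "pin": pin, "affected": affected,
            # Mutable ref to a listed action: rotate secrets and pin to a verified SHA.
            "action_required": affected and pin == "mutable",
        })
    return findings

# Constructed sample workflow (not from the report); SHAs are placeholders.
SAMPLE_WORKFLOW = """
name: issues
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
      - uses: actions-cool/issues-helper@v3
      - uses: actions-cool/maintain-one-comment@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        status = "ROTATE+PIN" if f["action_required"] else f["pin"]
        print(f"{status}\t{f['action']}@{f['ref']}")
```

Run it over every file matching `.github/workflows/*.yml` in each repository; a SHA-pinned reference to an affected action still needs its SHA checked against the known-good commits, which this scanner does not do.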

Defensive Lessons

  • prevent: Third-party actions should be pinned to full SHAs, not mutable tags.
  • detect: Tag reachability checks catch action commits that are disconnected from default branch history.
  • respond: A malicious CI action is a credential incident even if application source code was unchanged.

Open Questions

  • Which organizations had successful secret exfiltration?
  • What exact initial access path allowed tag movement?
  • Which affected tags have been restored to known-good commits?

Sources

  1. StepSecurity: actions-cool/issues-helper GitHub Action Compromised - Role: PRIMARY_RESEARCH - Impact: Documents affected actions, tag hijack timing, imposter commits, runner memory scraping, exfiltration domain, and detections.

Machine-Readable Event Profile

{
  "schema_version": "2.0",
  "event_id": "actions-cool-github-actions-tag-hijack-2026-05-18",
  "event_name": "actions-cool GitHub Actions Tag Hijack Credential Theft",
  "publication_state": "publish_ready",
  "confidence": "high",
  "attack_types": ["GitHub Action tag hijack", "CI/CD credential theft", "runner memory scraping"],
  "sources": {
    "direct": [],
    "primary_research": ["https://www.stepsecurity.io/blog/actions-cool-issues-helper-github-action-compromised-all-tags-point-to-imposter-commit-that-exfiltrates-ci-cd-credentials"],
    "correlated": []
  },
  "affected_assets": {
    "ecosystems": ["GitHub Actions"],
    "packages": ["actions-cool/issues-helper", "actions-cool/maintain-one-comment"],
    "versions": ["53 issues-helper tags", "15 maintain-one-comment tags"],
    "repositories": ["actions-cool/issues-helper", "actions-cool/maintain-one-comment"],
    "ci_cd_systems": ["GitHub Actions"],
    "container_images": [],
    "developer_tools": ["GitHub Actions workflows"],
    "credentials_at_risk": ["GitHub Actions secrets", "GitHub tokens", "OIDC tokens", "cloud credentials", "package registry credentials", "deployment credentials"]
  },
  "timeline": {
    "first_seen": "2026-05-18T19:10:24Z",
    "malicious_publish_time": "2026-05-18T19:10:24Z/2026-05-18T19:31:09Z",
    "discovery_time": "2026-05-19",
    "removal_time": "unknown",
    "disclosure_time": "2026-05-19",
    "patch_or_fix_time": "unknown"
  },
  "artifact_analysis": {
    "malicious_artifacts": ["imposter action commits", "malicious action JavaScript/Python"],
    "execution_trigger": "workflow references hijacked action tag",
    "payload_behavior": ["Runner.Worker memory scraping", "secret extraction", "HTTPS exfiltration"]
  },
  "iocs": {
    "package_versions": ["actions-cool/issues-helper tags", "actions-cool/maintain-one-comment tags"],
    "files": [".github/workflows/*.yml"],
    "hashes": ["8064d4e0322f069b3dba13e7957ff0ca7dab7984", "6e79ae622b7ef30f31fdbcc2dc65339e"],
    "domains": ["t.m-kosche.com"],
    "urls": [],
    "ips": [],
    "process_patterns": ["python3 reading /proc/<Runner.Worker PID>/mem", "bun executing unexpected action code"],
    "network_patterns": ["HTTPS to t.m-kosche.com"]
  },
  "detection": {
    "lockfile_hunts": [],
    "filesystem_hunts": ["workflow references to actions-cool/issues-helper or actions-cool/maintain-one-comment"],
    "process_hunts": ["python3 /proc/*/mem reads", "unexpected bun execution"],
    "network_hunts": ["t.m-kosche.com"],
    "ci_cd_hunts": ["affected action runs during compromise window"],
    "registry_hunts": ["action tags not reachable from default branch"]
  },
  "open_questions": ["victim exfiltration count", "initial access path", "complete cleanup status"],
  "defender_takeaways": {
    "detection": "Compare action tag targets with default branch reachability and runner telemetry.",
    "hunting": "Find all workflows using affected actions by tag.",
    "remediation": "Rotate secrets for exposed runs and pin actions to full SHAs.",
    "prevention": "Enforce third-party action SHA pinning and least-privilege workflow permissions."
  }
}