Compromised CI/CD Tool Steals Pipeline Secrets via Tag Spoofing Attack

Attackers silently redirected all version tags of a popular GitHub Action to malicious code that steals pipeline credentials from runner memory.

CSBadmin

How the Compromise Works

A widely used GitHub Action called actions-cool/issues-helper has been compromised in a sophisticated supply chain attack. Researchers at StepSecurity discovered that an attacker gained control over the repository’s tag management and silently redirected all 53 version tags to a single malicious commit. This commit does not appear anywhere in the repository’s normal code history, meaning any team referencing the action by a version tag will unknowingly execute the harmful code the next time their CI/CD pipeline runs. Only workflows pinned to a specific known-good commit hash remain safe from this attack.

The malicious payload leverages the open source Bun JavaScript runtime to read directly from the memory of the Runner.Worker process inside GitHub’s pipeline infrastructure. This process holds decrypted workflow secrets during a job run, making it a prime target for credential theft. A second action from the same organization, actions-cool/maintain-one-comment, was compromised using the same technique, with all 15 of its version tags redirected to imposter commits.
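A defender's first question after this incident is which workflows reference the affected actions by a mutable tag rather than a full commit SHA. The audit below is an added example, not code from the page, StepSecurity, or the actions-cool project; the sample workflow text, the `v3` tag and the SHA in it are constructed, and the affected-action set is a placeholder for the advisory's own list.

```python
import re

# Constructed sample workflow (not from the page). It mixes a tag reference,
# which a tag redirection silently swaps to the attacker's commit, with a
# full-SHA pin, which is immutable, and a repo-local step that tags cannot affect.
SAMPLE_WORKFLOW = """\
name: issues
on: [issues]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions-cool/issues-helper@v3
        with:
          actions: 'add-labels'
      - uses: actions-cool/maintain-one-comment@0123456789abcdef0123456789abcdef01234567 # pinned
      - uses: ./.github/actions/local-step
"""

# Placeholder set of the actions named in the article; take the real list from the advisory.
AFFECTED = {"actions-cool/issues-helper", "actions-cool/maintain-one-comment"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text):
    """Return (line_no, action, ref, status) for every `uses:` line.

    status is 'pinned' for a full 40-hex commit SHA, 'mutable' for a tag, branch,
    short SHA or missing ref, and 'local' for repo-relative or docker:// references.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            findings.append((line_no, target, None, "local"))
            continue
        action, _, ref = target.partition("@")
        status = "pinned" if FULL_SHA_RE.match(ref) else "mutable"
        findings.append((line_no, action, ref, status))
    return findings


def exposed_to_tag_spoofing(workflow_text, affected=AFFECTED):
    """Affected actions referenced by a mutable ref: these would have run the
    redirected commit on the next pipeline execution."""
    return [f for f in audit_uses(workflow_text) if f[3] == "mutable" and f[1] in affected]
```

Run it over every file under `.github/workflows/`; anything reported as mutable should be re-pinned to a commit SHA that you have verified exists in the action's branch history, not merely one a tag currently points at.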

Impact and Scope

The attack was executed with remarkable speed. All 53 imposter commits for issues-helper were created within a window of just three minutes and sixteen seconds, while the 15 tags for maintain-one-comment were remapped in under forty seconds. Stolen credentials are being exfiltrated to an attacker-controlled domain. This incident follows a growing pattern of supply chain attacks targeting developer tooling, where adversaries seek high-leverage entry points that can compromise many organizations through a single poisoned dependency. CI/CD pipelines have become a favored target because they often hold powerful credentials for cloud services, code repositories, and deployment systems.

Source: Cyber Security News
