GitHub Actions Supply Chain Attack Hijacks actions-cool Tags

Attackers hijacked two actions-cool GitHub Actions workflows via imposter commits, stealing CI/CD credentials from all pipelines that ran them by version tag.

    Attackers compromised two widely used GitHub Actions workflows — actions-cool/issues-helper and actions-cool/maintain-one-comment — by redirecting all repository version tags to a malicious “imposter commit” that does not appear in the normal commit history. Any CI/CD pipeline that referenced either workflow by version tag automatically pulled and executed the malicious code, which extracted credentials from runner memory and exfiltrated them to an attacker-controlled server. StepSecurity researcher Varun Sharma identified the compromise, and GitHub subsequently disabled the maintain-one-comment repository for terms of service violations.

    How the Imposter Commit Technique Made Malicious Code Invisible to Code Reviewers

    The attack did not require a visible pull request or commit to either repository’s standard history. Instead, attackers redirected all existing version tags — the references that downstream workflows use to pin to a specific release — to a malicious commit that was not visible through normal PR review or commit log inspection. Any organization reviewing the actions-cool repository for suspicious code changes would not find the malicious commit through standard browsing.

    This technique exploits the trust that GitHub Actions workflows place in version tags. When a workflow file specifies uses: actions-cool/issues-helper@v3, it fetches whatever commit the v3 tag currently points to — and the attacker’s tag redirection meant every existing tag pointed to the malicious payload.

    Credential Extraction via Bun Runtime and Runner.Worker Process Memory

    The malicious code executed a three-step credential theft sequence on affected CI/CD runners. First, it downloaded the Bun JavaScript runtime to the Actions runner environment. Second, it used Bun to read memory from the Runner.Worker process — the GitHub Actions component that holds in-memory credentials, tokens, and secrets during pipeline execution. Third, it exfiltrated the extracted credentials via HTTPS to the attacker-controlled domain t.m-kosche[.]com.

    The full scope of affected tags across both repositories was not disclosed at time of reporting.

    SHA-Pinned Workflows Were the Only Ones Unaffected

    Workflows that referenced the actions-cool repositories by specific commit SHA hash rather than by version tag were not affected. A SHA pin specifies the exact commit to fetch — it cannot be silently redirected by manipulating a tag. Workflows using version tags such as @v3 or @latest had no protection against the redirection.

    The distinction between tag-based and SHA-pinned GitHub Actions references has been a recurring security guidance point for CI/CD pipeline hardening. This incident demonstrates the operational consequence of that distinction: tag-based workflows at scale became active credential theft vectors while SHA-pinned equivalents were unaffected.
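    One way to check a workflow file for this exposure, as an added example that is not from the article or from StepSecurity: it lists every external `uses:` reference, marks whether it is pinned to a full 40-character commit SHA, and flags the two actions-cool repositories named above. The sample workflow, the SHA in it, `example-org/example-action` and the function names are constructed for illustration.

```python
import re

# Repositories the article names as compromised.
AFFECTED = {"actions-cool/issues-helper", "actions-cool/maintain-one-comment"}
# Matches "uses: owner/repo[/path]@ref", with optional "- " marker and quotes.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?(?P<target>[^@\s'"#]+)@(?P<ref>[^\s'"#]+)"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE = """\
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions-cool/issues-helper@v3
      - uses: actions-cool/maintain-one-comment@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: ./.github/actions/local
      - uses: "example-org/example-action@main"
"""


def audit_workflow(text):
    """Return one finding per external action reference in a workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a uses: line, or a local action with no @ref
        target, ref = m.group("target"), m.group("ref")
        if target.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope
        repo = "/".join(target.split("/")[:2]).lower()
        findings.append({"line": lineno, "repo": repo, "ref": ref,
                         "pinned": bool(FULL_SHA_RE.match(ref.lower())),
                         "affected": repo in AFFECTED})
    return findings


def mutable_refs(findings):
    """References that follow a tag or branch and can be silently redirected."""
    return [f for f in findings if not f["pinned"]]


if __name__ == "__main__":
    for f in mutable_refs(audit_workflow(SAMPLE)):
        print(f)
```

    A short or abbreviated SHA is reported as unpinned here, because only the full 40-character form is treated as an exact commit reference.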

    The t.m-kosche[.]com Domain and a Link to the Mini Shai-Hulud npm Campaign

    The exfiltration domain t.m-kosche[.]com used in the actions-cool attack was also linked to the Shai-Hulud npm campaign reported separately on May 18–19, 2026. The shared infrastructure suggests either that the same threat actor was responsible for both the npm campaign and the GitHub Actions compromise, or that the domain was part of shared criminal infrastructure used across multiple simultaneous campaigns.

    The connection between the actions-cool compromise and the Shai-Hulud npm campaign indicates a coordinated or overlapping effort targeting developer credentials across multiple supply chain vectors during the same period: malicious packages in the npm registry, hijacked maintainer accounts in the @antv ecosystem, and compromised GitHub Actions tags — all simultaneously directing stolen credentials toward the same attacker-controlled infrastructure.

    GitHub has disabled the maintain-one-comment repository. Affected organizations are advised to audit CI/CD pipeline logs for evidence of execution of either compromised workflow and treat any secrets that ran through those pipelines as potentially compromised.
