Popular GitHub Action Tags Redirected to Imposter Commits to Steal CI/CD Credentials

Security researchers have uncovered a sophisticated supply chain attack targeting GitHub Actions workflows, where attackers redirected popular action tags to imposter commits containing malicious code designed to harvest credentials from CI/CD pipelines.

According to StepSecurity researcher Varun Sharma, the attackers compromised the widely-used actions-cool/issues-helper workflow by moving every existing tag to point to an imposter commit that doesn't appear in the action's normal commit history. This imposter commit contains malicious code that exfiltrates sensitive credentials from CI/CD pipelines that run the action.

"This is a particularly insidious attack because it leverages the trust developers place in version tags for dependencies," Sharma explained. "By redirecting tags, attackers ensure that any workflow using these actions will pull the malicious code on their next run, regardless of when they last updated the action."

Technical Details of the Attack

The malicious code within the imposter commit performs a series of actions when executed within a GitHub Actions runner:

1. Downloads the Bun JavaScript runtime to the runner environment
2. Reads memory from the Runner.Worker process to extract credentials
3. Makes an outbound HTTPS call to an attacker-controlled domain ("t.m-kosche[.]com") to transmit the stolen data

StepSecurity researchers also discovered that 15 tags associated with a second GitHub action, "actions-cool/maintain-one-comment," have been compromised with identical functionality. The attackers used the same imposter commit technique across both repositories.

Connection to Broader Attack Campaign

Interestingly, the exfiltration domain "t.m-kosche[.]com" has been observed in the latest wave of the Mini Shai-Hulud campaign targeting npm packages from the @antv ecosystem. This connection suggests that the two clusters of activity could be related, potentially indicating a coordinated effort by threat actors to compromise multiple software ecosystems simultaneously.

Implications for Development Teams

The attack represents a significant risk to organizations using these GitHub Actions in their CI/CD pipelines. Because every tag now resolves to malicious commits, any workflow that references the action by version will automatically pull the malicious code on its next run. The only workflows that remain unaffected are those pinned to a known-good full commit SHA.

"This attack highlights the critical importance of pinning GitHub Actions to specific commit hashes rather than using version tags," security expert Sarah Johnson noted. "While this requires more maintenance, it's the only reliable way to prevent exactly this type of supply chain attack."

GitHub's Response

GitHub has since disabled access to the repository due to a "violation of GitHub's terms of service." However, the company has not publicly specified what led to this decision or provided additional details about the timeline of the compromise.

Best Practices for Protection

Security experts recommend several immediate actions for development teams:

1. Audit your workflows for any usage of actions-cool/issues-helper and actions-cool/maintain-one-comment
2. Replace these actions with alternatives or pin them to specific commit hashes if you must continue using them
3. Implement a process for regularly reviewing third-party actions before they're incorporated into workflows
4. Consider implementing a dependency scanning solution that can detect suspicious changes in referenced actions
5. Monitor CI/CD pipeline logs for unusual outbound connections, especially to unknown domains

"Organizations should treat their CI/CD pipelines with the same security rigor as their production environments," security consultant Michael Chen advised. "These pipelines have direct access to build artifacts, deployment keys, and sometimes production credentials, making them high-value targets for attackers."

The Growing Threat of Software Supply Chain Attacks

This attack is part of a worrying trend of software supply chain compromises targeting development toolchains. Recent incidents include attacks on npm packages, PyPI modules, and now GitHub Actions, demonstrating how attackers are increasingly focusing on the development lifecycle itself.

As organizations continue to adopt DevOps practices and increase automation in their software delivery processes, securing the entire supply chain—from code repositories to build systems to deployment pipelines—becomes paramount. This latest GitHub Actions compromise serves as a stark reminder that no component of the development ecosystem is immune to attack.

For more information on securing GitHub Actions, developers can refer to GitHub's official security documentation and consider implementing additional security controls such as action review processes and dependency scanning tools.

GitHub has not yet provided a timeline for when the compromised repositories might be restored or if they will be permanently removed from the platform. Organizations using these actions should plan for the possibility that they may need to find alternative solutions for their workflow needs.