Imposter commits: tags redirected to adversary-controlled code
StepSecurity describes the attack as a classic supply chain deception: attackers replaced existing tags in a widely used GitHub Actions workflow so that each tag now resolves to an "imposter commit" that does not appear in the action's normal commit history. The technique works by referencing a commit or tag that exists only in an adversary-controlled fork, allowing malicious code to be pulled without undergoing the original project's pull request reviews. The firm warns this mechanism enables arbitrary code execution when the tampered action is invoked by CI/CD workflows.
Malicious payload: Bun runtime, Runner.Worker memory read, and exfiltration
According to StepSecurity, the imposter commit contains code that performs three specific actions once executed inside a GitHub Actions runner. First, it downloads the Bun JavaScript runtime to the runner. Second, it reads memory from the Runner.Worker process to extract credentials. Third, it makes an outbound HTTPS call to an attacker-controlled domain, "t.m-kosche[.]com," to transmit the harvested data. StepSecurity’s description frames these behaviors as an integrated chain intended to harvest and exfiltrate CI/CD credentials when the compromised action runs.
Compromised repositories: actions-cool/issues-helper and actions-cool/maintain-one-comment
StepSecurity reported the primary compromise affected the popular GitHub Actions workflow "actions-cool/issues-helper." The firm also found 15 tags associated with a second action, "actions-cool/maintain-one-comment," that were compromised with the same malicious functionality. Because the tags for those actions now resolve to the imposter commits, any workflow that references the action by version — rather than pinning to a full commit SHA — will pull the malicious code on its next run. StepSecurity notes that only workflows pinned to a known-good full commit SHA are unaffected.
GitHub's response: repository access disabled
GitHub has since disabled access to the repository due to a "violation of GitHub's terms of service." StepSecurity reports it is "currently not known what led the Microsoft-owned subsidiary to this decision." The repository takedown prevents additional pulls of the tampered tags from that location, but does not retroactively protect workflows that already executed and may have exposed credentials prior to the access suspension.
Overlap with Mini Shai-Hulud activity observed against @antv npm packages
StepSecurity highlighted a notable linkage: the exfiltration domain "t.m-kosche[.]com" has been observed in the latest wave of the Mini Shai-Hulud campaign, which targeted npm packages from the @antv ecosystem. The reuse of the same domain suggests the two clusters of activity — the npm-targeting campaign and the GitHub Actions tag redirection — could be related, according to the firm’s reporting.
What this means for technologists and open-source maintainers
- Technologists and security teams: Workflows that reference actions by version (for example, by using a tag rather than a full commit SHA) are at elevated risk because tags redirected to imposter commits will cause a malicious payload to be pulled on the next run. Teams will likely need to audit workflows for pinning practices and investigate any recent runs of affected actions for signs of credential exfiltration.
- Open-source maintainers and CI users: The compromise of 15 tags in "actions-cool/maintain-one-comment" in addition to the issues-helper action underscores a risk to projects that depend on third-party actions. Maintainers will need to review consumption of these actions, consider pinning to known-good commit SHAs, and coordinate any remediation steps for downstream users who may have executed the actions.
StepSecurity’s findings describe a supply chain attack that leverages tag redirects and imposter commits to bypass review gates and execute a payload that aims squarely at CI/CD credentials — an attractive target for adversaries. The use of a domain previously tied to Mini Shai-Hulud activity raises the possibility of a broader campaign crossing package registries and GitHub Actions. GitHub's removal of access halts further pulls from the repository, but the central questions left open by the reporting are concrete: which workflows already executed the malicious commits, what credentials were exposed, and whether investigations into the link with the Mini Shai-Hulud infrastructure will produce attribution or further mitigation steps.
Original reporting: https://thehackernews.com/2026/05/github-actions-supply-chain-attack.html




