Bottom line: Popular GitHub Actions have been hacked and redirected to malicious code versions. The malware steals CI/CD login credentials and sends them to attackers. The attack appears to be connected to the Mini-Shai-Hulud campaign targeting npm packages.
Cybercriminals have manipulated popular GitHub Actions workflows through so-called imposter commits and are now redirecting users to malicious code versions. The attack aims to steal sensitive login credentials from CI/CD pipelines and transmit them to attacker servers.
The GitHub Actions “actions-cool/issues-helper” and “actions-cool/maintain-one-comment” fell victim to a sophisticated software supply chain attack. According to security researcher Varun Sharma of StepSecurity, all existing tags in the repository were redirected to a fraudulent commit that does not appear in the project’s normal commit history.
The attack mechanism works as follows: The manipulated commit contains malicious code that becomes active when executed in GitHub Actions environments. The malware first downloads the Bun JavaScript runtime, then reads the memory contents of the Runner.Worker process to extract login credentials, and finally sends them to the attacker domain “t.m-kosche[.]com”.
An imposter commit is an attack technique in which attackers inject malicious code by referencing a commit that exists only in their fork – thereby bypassing standard code reviews.
GitHub disabled the repository due to “violation of the terms of service”. Particularly noteworthy is the connection to the current Mini-Shai-Hulud campaign targeting npm packages from the @antv ecosystem: the same exfiltration domain suggests that both attack clusters are related. Threat intelligence lead Philipp Burckhardt of Socket confirms this connection.
Particularly critical: every workflow that references the affected actions by a version tag will automatically pull the malicious code on its next run, because the tags themselves now point at the fraudulent commit. Only workflows that pin the action to a commit SHA are unaffected.
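The mitigation in the last paragraph (pin actions to a commit SHA rather than a movable tag) is easy to state but tedious to audit by hand across many workflow files. The following is an added example, not code from the article, from StepSecurity or from the affected projects: a dependency-free Python scanner that pulls every `uses:` reference out of a workflow file and classifies it as pinned to a full 40-hex commit SHA, pinned to a mutable tag or branch, a local action, or a container image. The sample workflow, its tag names and the 40-hex SHA are constructed placeholders for the demonstration.

```python
"""Flag GitHub Actions references that are not pinned to a commit SHA."""
import re
from typing import NamedTuple

# Matches the value of a `uses:` key in a workflow file (with or without a
# leading list dash, optional quotes, optional trailing comment).
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^\s"\'#]+)', re.MULTILINE)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


class Finding(NamedTuple):
    action: str   # "owner/repo" or "owner/repo/subdir"
    ref: str      # text after "@" ("" if absent)
    kind: str     # "sha" | "mutable" | "unpinned" | "local" | "docker"


def classify_uses(uses: str) -> Finding:
    """Classify one `uses:` value by how it is pinned."""
    if uses.startswith("./"):
        return Finding(uses, "", "local")      # lives in the same repository
    if uses.startswith("docker://"):
        return Finding(uses, "", "docker")     # container image; separate pinning rules
    if "@" not in uses:
        return Finding(uses, "", "unpinned")   # not valid for remote actions, but flag it
    action, ref = uses.rsplit("@", 1)
    if FULL_SHA_RE.fullmatch(ref):
        return Finding(action, ref, "sha")     # immutable: re-pointing a tag cannot affect it
    return Finding(action, ref, "mutable")     # tag or branch: the maintainer (or an attacker) can move it


def scan_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` reference in the workflow text."""
    return [classify_uses(m.group(1)) for m in USES_RE.finditer(text)]


def risky_refs(text: str) -> list[Finding]:
    """Only the references that would follow a re-pointed tag or branch."""
    return [f for f in scan_workflow(text) if f.kind in ("mutable", "unpinned")]


def summarize(text: str) -> dict[str, int]:
    """Count references per pinning kind, e.g. for a CI gate."""
    counts: dict[str, int] = {}
    for f in scan_workflow(text):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample workflow (not from the article). The tag names and the
# 40-hex SHA are placeholders chosen for this example.
SAMPLE_WORKFLOW = """\
name: triage
on: [issues]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-cool/issues-helper@v3
      - uses: "actions-cool/maintain-one-comment@v3"
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: ./.github/actions/local-triage
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for f in risky_refs(SAMPLE_WORKFLOW):
        print(f"NOT PINNED TO SHA: {f.action}@{f.ref} ({f.kind})")
    print(summarize(SAMPLE_WORKFLOW))
```

Run it over `.github/workflows/*.yml` and fail the build when `risky_refs` is non-empty; the `# placeholder SHA` style comment after a pinned reference is the usual way to keep the human-readable version visible next to the immutable pin.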