Imposter commits hijack GitHub Actions tags to steal credentials
Attackers repointed tags in two GitHub Actions workflows to imposter commits that run code, read Runner.Worker memory and exfiltrate CI/CD credentials to an attacker domain.
Attackers redirected tags in the popular GitHub Actions workflows actions-cool/issues-helper and actions-cool/maintain-one-comment to imposter commits that run malicious code and harvest CI/CD credentials. Varun Sharma, a researcher at StepSecurity, reported that every tag in the issues-helper repository was repointed to a commit not present in the action’s normal history.
The imposter commit downloads the Bun JavaScript runtime into a runner, reads memory from the Runner.Worker process to extract credentials, and sends the collected data over HTTPS to an attacker-controlled domain, t.m-kosche[.]com. StepSecurity reported that 15 tags in the maintain-one-comment action were altered with the same malicious code.
The attackers used a technique in which tags or version references are repointed to a commit that exists only in a fork controlled by the adversary. Because the commit never enters the action's own reviewed history, changing the tag target bypasses standard pull request review, and any workflow that pulls the action by tag or version executes the attacker-controlled code. StepSecurity warned that only workflows pinned to a full commit SHA remain unaffected.
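To illustrate the mitigation StepSecurity describes, the following script (an added editor's example, not code from the report or from StepSecurity) scans a constructed workflow file and flags every third-party action pulled by a mutable tag or version instead of a full commit SHA; the SHA in the sample is a placeholder, not a real commit.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (not taken from the page): one step pinned to a
# placeholder 40-hex SHA, two steps referencing the affected actions by tag.
SAMPLE_WORKFLOW = """\
name: issues
on: [issues]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions-cool/issues-helper@v3
      - uses: actions-cool/maintain-one-comment@v3.1.1
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class ActionRef:
    action: str
    ref: str
    sha_pinned: bool


def parse_uses(workflow_text):
    """Return every remote action reference with its pin status.
    Local (./) and docker:// references are skipped: they are not resolved
    through a tag on a third-party repository."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        refs.append(ActionRef(action, ref, bool(FULL_SHA_RE.match(ref))))
    return refs


def mutable_refs(workflow_text):
    """Actions resolved through a tag or branch: these would have run the
    imposter commit when the tag was repointed."""
    return [r for r in parse_uses(workflow_text) if not r.sha_pinned]


if __name__ == "__main__":
    for r in mutable_refs(SAMPLE_WORKFLOW):
        print(f"{r.action}@{r.ref}: mutable ref, pin to a full commit SHA")
```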
GitHub disabled access to the compromised repository, citing a violation of the platform’s terms of service. It is not publicly known what triggered the suspension or how long tags pointed to the malicious commits before detection.
The exfiltration domain t.m-kosche[.]com has been observed in recent attacks that targeted npm packages in the @antv ecosystem, a pattern that investigators say could indicate related activity, but no direct link has been confirmed. Security teams and vendors are investigating the scope of affected workflows and any downstream exposure of tokens or other secrets resulting from the compromised actions.