actions-cool/issues-helper GitHub Action Compromised: All Tags Point to Imposter Commit That Exfiltrates CI/CD Credentials

The popular GitHub Action actions-cool/issues-helper has been compromised. Every existing tag in the repository has been moved to point to a single imposter commit that does not appear in the action's normal commit history. That commit contains malicious code that exfiltrates credentials from CI/CD pipelines that run the action.
Varun Sharma

May 18, 2026


This is an initial advisory. The StepSecurity Threat Intelligence team is continuing to investigate the compromise, including the full malicious payload, the exact list of moved tags, and the attacker's infrastructure.

The popular GitHub Action actions-cool/issues-helper has been compromised. Every existing tag in the repository has been moved to point to an imposter commit that does not appear in the action's normal commit history. That commit contains malicious code that exfiltrates credentials from CI/CD pipelines that run the action.

Because every tag now resolves to malicious commits, any workflow that references the action by version pulls the malicious code on its next run. Only workflows pinned to a known-good full commit SHA are unaffected.
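As an added example (not StepSecurity's code and not part of the original advisory), the following Python function audits a workflow file for references to the affected action and separates tag or branch refs, which resolve at run time, from full-SHA pins. The `known_good_shas` argument and the sample workflow, including its tag and SHAs, are constructed assumptions; the advisory lists no known-good SHA.

```python
import re

AFFECTED = "actions-cool/issues-helper"  # action named in the advisory

# `uses: owner/repo[/path]@ref`, optionally quoted; commented-out lines do not match.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"@#]+)@([^\s'"#]+)""", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text, known_good_shas=frozenset()):
    """Return (line, reference, status) for each use of the affected action.

    known_good_shas holds commit SHAs the reader has verified independently
    (an assumption of this example; the advisory does not list any).
    """
    findings = []
    for m in USES_RE.finditer(text):
        target, ref = m.group(1), m.group(2).lower()
        if target.startswith(("./", "docker://")):
            continue  # local and container actions are not resolved via repo tags
        # Actions in a subdirectory (owner/repo/path) still belong to owner/repo.
        if "/".join(target.split("/")[:2]).lower() != AFFECTED:
            continue
        line = text.count("\n", 0, m.start(1)) + 1
        if not FULL_SHA_RE.match(ref):
            status = "EXPOSED: tag or branch ref, resolved at run time"
        elif ref in known_good_shas:
            status = "OK: pinned to a verified SHA"
        else:
            status = "VERIFY: full SHA, but not in the verified list"
        findings.append((line, f"{target}@{ref}", status))
    return findings


# Constructed sample workflow; the tag and both SHAs are placeholders.
SAMPLE = """\
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-cool/issues-helper@v3
      - name: pinned
        uses: actions-cool/issues-helper@1111111111111111111111111111111111111111  # verified
      - uses: actions-cool/issues-helper@2222222222222222222222222222222222222222
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE, {"1" * 40}):
        print(*finding, sep="  ")
```

A `VERIFY` result matters because a full SHA only protects the workflow if it is a commit from the action's legitimate history; a SHA copied from a moved tag would pin the imposter commit.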

What Happened

  • An attacker gained the ability to move tags in the actions-cool/issues-helper repository.
  • All tags were re-pointed to an imposter commit - a commit that is not reachable from the action's default branch history.
  • That imposter commit contains malicious code that, when executed inside a GitHub Actions runner:
    • Downloads the bun JavaScript runtime to the runner.
    • Reads memory from the Runner.Worker process — the process that holds the workflow's decrypted secrets — to harvest credentials.
    • Makes an outbound HTTPS call to an attacker-controlled domain to exfiltrate the stolen data.

How StepSecurity Is Protecting Customers

1. Compromised Actions Policy — Blocks the Run

StepSecurity has added actions-cool/issues-helper to its Compromised Actions Policy. For any enterprise customer with this policy enabled, any workflow run that references this action will be blocked before it executes, preventing the malicious code from ever running in the customer's CI/CD environment.

2. Harden-Runner Global Block List — Blocks the Exfiltration

StepSecurity has added the attacker's exfiltration domain to the Harden-Runner global block list. Any workflow protected by Harden-Runner will automatically block outbound connections to this domain - even in audit mode, and without any per-workflow configuration. This gives customers defense-in-depth: even if a compromised action somehow runs, the credentials cannot leave the runner.

3. Imposter Commit Detection

StepSecurity's Action-Uses-Imposter-Commit detection flags any workflow that references a GitHub Action via a commit SHA (or via a tag that has been moved to a commit SHA) which does not match any legitimate tag or branch head of that action's repository - exactly the signature of this attack.
