GitHub Actions Supply Chain Attack Redirects Tags to Steal CI/CD Credentials

2026-05-19

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

GitHub Actions supply chain attack compromised popular workflow actions by redirecting all tags to malicious commits containing credential-stealing code.

•The attack involved two GitHub Actions: actions-cool/issues-helper and actions-cool/maintain-one-comment
•Malicious code downloads Bun runtime, extracts credentials from Runner.Worker process memory, and exfiltrates data to attacker-controlled domain t.m-kosche[.]com
•Attack uses imposter commit strategy, injecting code into attacker-controlled fork to bypass PR reviews
•Workflows referencing actions by version tag are vulnerable; only workflows pinned to full commit SHA remain unaffected
•GitHub disabled repository access due to terms of service violation

This summary was automatically generated by AI based on the original article and may not be fully accurate.

GitHub Actions Supply Chain Attack Redirects Tags to Steal CI/CD Credentials

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface

Cloud CISO Perspectives: How to build an AI-ready security program for the public sector

Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit

New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks