thehackernews.com 5/19/2026, 6:10:35 AM

GitHub Action Compromised to Steal CI/CD Credentials

Primary source: stepsecurity.io

On 19 May 2026, The Hacker News reports that threat actors compromised the popular GitHub Actions workflow actions-cool/issues-helper to harvest CI/CD credentials and exfiltrate them to an attacker-controlled server. StepSecurity's Varun Sharma said that every existing tag in the repository has been moved to point to an imposter commit that does not appear in the action's normal commit history, and that this imposter commit contains code that exfiltrates credentials from CI/CD pipelines.

The imposter commit downloads the Bun JavaScript runtime to the runner, reads memory from the Runner.Worker process to extract credentials, and makes an outbound HTTPS call to the domain t.m-kosche[.]com to transmit the stolen data. StepSecurity noted that 15 tags associated with a second GitHub action, actions-cool/maintain-one-comment, were also compromised. GitHub has since disabled access to the repository actions-cool/maintain-one-comment due to a violation of GitHub's terms of service. The report also links the exfiltration domain to the Mini Shai-Hulud campaign, suggesting possible related activity.
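Because the compromise worked by moving tags, a workflow that references an action by tag or branch runs whatever commit that ref currently points to, while a reference pinned to a full 40-character commit SHA does not change when a tag moves. The following is an added example, not code from the article or from StepSecurity: a small audit that lists every remote `uses:` reference in a workflow file and flags the two actions named in the report. The sample workflow, the `@v3` and `@main` refs, the SHA and the function name `audit_workflow` are constructed for illustration.

```python
import re

# Actions the report names as having tags moved to imposter commits.
REPORTED = {"actions-cool/issues-helper", "actions-cool/maintain-one-comment"}

# Matches "uses: x" and "- uses: x", with optional quotes; stops at whitespace or '#'.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return (line_no, action, ref, status) for each remote `uses:` reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions and container images are not resolved through git tags.
        if target.startswith(("./", "docker://")):
            continue
        path, _, ref = target.partition("@")
        action = "/".join(path.split("/")[:2]).lower()  # owner/repo, sub-path dropped
        if action in REPORTED:
            # Flag regardless of ref: even a SHA pin must be checked against
            # the action's normal commit history.
            status = "reported"
        elif FULL_SHA_RE.match(ref.lower()):
            status = "sha-pinned"
        else:
            status = "mutable-ref"  # tag or branch: follows wherever the ref is moved
        findings.append((line_no, action, ref, status))
    return findings

# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: triage
on: issues
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: actions-cool/issues-helper@v3
      - name: comment
        uses: "actions-cool/maintain-one-comment@v3"
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action/subdir@main
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```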

Article by CyberSIXT