VARUN Sharma reports that the popular GitHub Action actions-cool/issues-helper has been compromised, with every existing tag in the repository moved to point to a single imposter commit that does not appear in the action’s normal history. The imposter commit contains malicious code that exfiltrates credentials from CI/CD pipelines that run the action, and any workflow referencing the action by a version will pull this code on the next run, unless workflows are pinned to a known-good full commit SHA.
The compromise involved an attacker gaining the ability to move tags within the repository, and all tags were redirected to the imposter commit that is not reachable from the action’s default branch history. StepSecurity outlines three protections in response: a Compromised Actions Policy that blocks runs referencing this action, a Harden-Runner global block list that blocks the exfiltration domain, and an Imposter Commit Detection mechanism that flags workflows using a commit SHA or moved tag to an imposter. The advisory is dated 18 May 2026.