Cybersecurity Desk: A new software supply chain attack has been uncovered targeting widely used GitHub Actions workflows, where attackers reportedly manipulated repository tags to redirect them to malicious commits capable of stealing CI/CD credentials from development pipelines.
Security researchers warn that the incident highlights a growing risk in modern DevOps ecosystems, where compromised workflow dependencies can silently expose sensitive infrastructure secrets.
Malicious Code Injected Through Tag Manipulation
According to cybersecurity researchers at StepSecurity, attackers compromised the GitHub Actions repository actions-cool/issues-helper and modified all existing tags to point to a hidden “imposter commit.”
This commit, which does not appear in the project’s normal history, contains malicious code designed to extract sensitive credentials from continuous integration and deployment (CI/CD) environments.
The attack technique allows threat actors to bypass standard code review processes by redirecting trusted version tags to attacker-controlled code.
How the “Imposter Commit” Attack Works
Security analysts describe the method as a sophisticated supply chain manipulation tactic where a tag or version reference is silently redirected to an unauthorized commit.
Once executed within a GitHub Actions runner, the malicious script performs several actions:
- Downloads the Bun JavaScript runtime environment
- Extracts credentials from the Runner.Worker memory process
- Sends stolen data to an external attacker-controlled server via HTTPS
The exfiltration domain identified in the attack has also been linked to other malware campaigns, suggesting possible coordination between multiple threat clusters.
Additional GitHub Actions Also Affected
Researchers further revealed that a second workflow, actions-cool/maintain-one-comment, was also compromised using the same technique. Multiple tags in that repository were similarly redirected to malicious commits.
Following the discovery, access to the affected repositories was disabled by GitHub due to violations of platform security policies.
However, investigators have not yet confirmed how the initial compromise occurred or who is responsible for the attack.
Supply Chain Risk in CI/CD Pipelines
Security experts warn that the attack demonstrates a critical vulnerability in modern DevOps pipelines, where third-party automation tools and actions are widely trusted and reused.
Once a malicious tag is introduced, any workflow referencing that version can automatically execute compromised code during build or deployment processes.
Researchers emphasize that only workflows pinned to specific commit hashes (rather than mutable tags) are protected from this type of manipulation.
Possible Links to Broader Malware Campaigns
Analysts noted that the infrastructure used for data exfiltration overlaps with domains previously observed in other malware operations, including campaigns targeting open-source package ecosystems.
This suggests the possibility that the GitHub Actions compromise may be part of a broader supply chain attack strategy aimed at developers and enterprise CI/CD systems.
Security Recommendations for Developers
Cybersecurity professionals are urging development teams to immediately review their GitHub Actions dependencies and adopt stricter security practices, including:
- Pinning actions to full commit SHAs instead of tags
- Regularly auditing third-party workflow dependencies
- Restricting secrets exposure in CI/CD environments
- Monitoring outbound network traffic from build runners
Experts also recommend treating all third-party automation tools as potential attack vectors rather than fully trusted components.
Growing Threat to Software Development Ecosystems
The incident underscores the increasing sophistication of supply chain attacks targeting developers rather than end users. By compromising build systems and automation workflows, attackers can potentially gain access to production secrets, cloud credentials, and internal infrastructure.
Security researchers warn that such attacks are likely to become more frequent as open-source dependency ecosystems continue to expand.
