Based on information from The Hacker News, a popular GitHub Actions workflow, actions-cool/issues-helper, has been compromised by threat actors who injected malicious code to harvest sensitive credentials.

The attack involves an "imposter commit" strategy where all existing tags in the repository were altered to point to a malicious commit. This commit contains code that, when executed within a GitHub Actions runner, downloads the Bun JavaScript runtime, extracts credentials from the Runner.Worker process, and exfiltrates the data to an attacker-controlled domain, t.m-kosche[.]com. A second GitHub action, actions-cool/maintain-one-comment, was also compromised with similar functionality. GitHub has since disabled access to the affected repositories due to a terms of service violation.

The exfiltration domain has previously been observed in the Mini Shai-Hulud campaign, suggesting a potential link between the two activities. Any workflow referencing the compromised action by version is vulnerable, with only those pinned to a specific commit SHA remaining unaffected.

Source: The Hacker News
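As an added example (not from the article or from GitHub), the following Python check scans workflow text for `uses:` references and separates those pinned to a full 40-character commit SHA from those that follow a tag or branch, flagging the two actions named above. The sample workflow and the SHA in it are constructed for illustration.

```python
import re

# Actions named in the article as compromised.
AFFECTED = {"actions-cool/issues-helper", "actions-cool/maintain-one-comment"}

# Matches `uses: owner/repo[/subpath]@ref`; local (./path) and docker:// refs do not match.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?([\w.-]+/[\w.-]+)(?:/[^@\s'"]*)?@([^\s'"#]+)"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_no, action, ref, status) for each remote `uses:` reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # skip commented-out steps
            continue
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref = match.group(1), match.group(2)
        if FULL_SHA_RE.match(ref.lower()):
            status = "pinned"  # immutable: moving a tag cannot change what runs
        elif action.lower() in AFFECTED:
            status = "affected-mutable-ref"  # tag/branch ref to a named action
        else:
            status = "mutable-ref"  # tag/branch ref, owner can re-point it
        findings.append((line_no, action, ref, status))
    return findings


# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE = """\
name: triage
on: issues
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-cool/issues-helper@v3
        with:
          actions: add-labels
      - uses: actions-cool/maintain-one-comment@0123456789abcdef0123456789abcdef01234567
      # - uses: actions-cool/issues-helper@v2
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(*finding, sep="\t")
```
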