{ "title": "actions-cool GitHub Actions Tag Hijack Credential Theft", "summary": "GitHub Action tags for actions-cool/issues-helper and actions-cool/maintain-one-comment were moved to imposter commits that scraped GitHub Actions runner memory and exfiltrated CI/CD secrets. StepSecurity's incident center now preserves the two-action scope and shared C2 linkage.", "date": "2026-05-24", "severity": "critical", "tags": [ "supply-chain", "github-actions", "ci-cd", "credential-theft", "tag-hijack" ], "sources_count": 2, "indicators": { "slug": "actions-cool-github-actions-tag-hijack", "since": "2026-05-18T19:00:00Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "github actions github repositories and action tags", "cves": [], "cwes": [], "advisoryIds": [], "products": [], "packages": [ "actions-cool/issues-helper", "actions-cool/maintain-one-comment" ], "versions": [ "actions-cool/issues-helper@v1", "actions-cool/issues-helper@v1.0.0", "actions-cool/issues-helper@v1.1.0", "actions-cool/issues-helper@v1.10.0", "actions-cool/issues-helper@v1.11.0", "actions-cool/issues-helper@v1.12.0", "actions-cool/issues-helper@v1.13.0", "actions-cool/issues-helper@v1.14.0", "actions-cool/issues-helper@v1.15.0", "actions-cool/issues-helper@v1.16.0", "actions-cool/issues-helper@v1.17.0", "actions-cool/issues-helper@v1.18.0", "actions-cool/issues-helper@v1.19.0", "actions-cool/issues-helper@v1.2.0", "actions-cool/issues-helper@v1.20.0", "actions-cool/issues-helper@v1.21.0", "actions-cool/issues-helper@v1.22.0", "actions-cool/issues-helper@v1.23.0", "actions-cool/issues-helper@v1.24.0", "actions-cool/issues-helper@v1.25.0", "actions-cool/issues-helper@v1.26.0", "actions-cool/issues-helper@v1.27.0", "actions-cool/issues-helper@v1.28.0", "actions-cool/issues-helper@v1.29.0", "actions-cool/issues-helper@v1.3.0", "actions-cool/issues-helper@v1.30.0", "actions-cool/issues-helper@v1.31.0", "actions-cool/issues-helper@v1.32.0", "actions-cool/issues-helper@v1.33.0", "actions-cool/issues-helper@v1.34.0", "actions-cool/issues-helper@v1.35.0", "actions-cool/issues-helper@v1.36.0", "actions-cool/issues-helper@v1.37.0", "actions-cool/issues-helper@v1.4.0", "actions-cool/issues-helper@v1.5.0", "actions-cool/issues-helper@v1.6.0", "actions-cool/issues-helper@v1.7.0", "actions-cool/issues-helper@v1.8.0", "actions-cool/issues-helper@v1.9.0", "actions-cool/issues-helper@v2", "actions-cool/issues-helper@v2.0.0", "actions-cool/issues-helper@v2.1.0", "actions-cool/issues-helper@v2.2.0", "actions-cool/issues-helper@v2.3.0", "actions-cool/issues-helper@v2.4.0", "actions-cool/issues-helper@v2.5.0", "actions-cool/issues-helper@v3", "actions-cool/issues-helper@v3.0.0", "actions-cool/issues-helper@v3.1.0", "actions-cool/issues-helper@v3.2.0", "actions-cool/issues-helper@v3.2.1", "actions-cool/maintain-one-comment@v1", "actions-cool/maintain-one-comment@v1.0.0", "actions-cool/maintain-one-comment@v1.1.0", "actions-cool/maintain-one-comment@v1.2.0", "actions-cool/maintain-one-comment@v1.3.0", "actions-cool/maintain-one-comment@v2", "actions-cool/maintain-one-comment@v2.0.0", "actions-cool/maintain-one-comment@v2.1.0", "actions-cool/maintain-one-comment@v2.2.0", "actions-cool/maintain-one-comment@v2.3.0", "actions-cool/maintain-one-comment@v3", "actions-cool/maintain-one-comment@v3.0.0", "actions-cool/maintain-one-comment@v3.1.0", "actions-cool/maintain-one-comment@v3.2.0", "actions-cool/maintain-one-comment@v3.3.0", "actions-cool/issues-helper affected tags", "actions-cool/maintain-one-comment affected tags" ], "affectedVersions": [], "fixedVersions": [], "files": [ ".github/workflows/*.yml" ], "paths": [], "services": [], "domains": [ "t.m-kosche.com" ], "urls": [], "ips": [], "hashes": [ "8064d4e0322f069b3dba13e7957ff0ca7dab7984", "6e79ae622b7ef30f31fdbcc2dc65339e" ], "processPatterns": [ "python3 reading /proc//mem", "bun executing unexpected action code" ], "networkPatterns": [ "POST or HTTPS traffic from GitHub Actions runner to t.m-kosche.com" ], "telemetrySelectors": [] } }