actions-cool GitHub Actions Tag Hijack Credential Theft

Suspected
Discovered May 18, 2026

StepSecurity reported that all tags for actions-cool/issues-helper, and the related actions-cool/maintain-one-comment action, were moved to imposter commits that downloaded Bun, scraped Runner.Worker memory, and exfiltrated secrets to t.m-kosche.com.

2
Affected Packages
12
Observables
2
Sources

Analysis

Executive Summary

StepSecurity reported that all tags for actions-cool/issues-helper, and the related actions-cool/maintain-one-comment action, were moved to imposter commits that downloaded Bun, scraped Runner.Worker memory, and exfiltrated secrets to t.m-kosche.com.

This folder ports older Astro-era supply-chain coverage into the canonical hp-posts-info authoring shape so the Next.js/Postgres importer can serve it. The current status is needs_review: the source-backed indicators are captured, but the pass intentionally does not claim fresh artifact diffing beyond the cited primary research.

Key Facts

  • Affected assets: actions-cool/issues-helper, actions-cool/maintain-one-comment.
  • Execution trigger: workflow resolves a mutable GitHub Action tag moved to an imposter commit.
  • Credential risk: GitHub, OIDC, cloud, package-registry, and developer credentials reachable from impacted CI or developer environments.
  • Relationship: migrated from the older Astro blog supply-chain roundup into a standalone Next.js/Postgres-ready incident folder.

Defender Handling

Run the included scope scanner over repository exports, package caches, CI logs, and endpoint telemetry. Treat matches in live dependency manifests, lockfiles, workflow definitions, or runner process/network logs as exposure signals until the owning team confirms whether the malicious artifact actually executed.

Open Questions

This migration captures coverage and source-backed selectors. Before marking publish-ready, perform fresh artifact diffing, validate current package/action cleanup status, and reconcile exact downstream victim counts from direct maintainer or platform sources.

Sources

  1. StepSecurity primary research. Role: PRIMARY_RESEARCH Impact: Primary source for affected assets, execution trigger, payload behavior, and published IOCs.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
May 18, 2026First seenFirst seen recorded for actions-cool GitHub Actions Tag Hijack Credential Theft.StepSecurity
May 18, 2026DiscoveryDiscovery recorded for actions-cool GitHub Actions Tag Hijack Credential Theft.StepSecurity
May 18, 2026DisclosureDisclosure recorded for actions-cool GitHub Actions Tag Hijack Credential Theft.StepSecurity
May 18, 2026actions-cool GitHub Actions Tag Hijack Credential TheftUnknownStepSecurity

Affected Software

2 of 2 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
actions-cool/issues-helperunknownmutable-tagsMalicious65%StepSecurity; haltingproblems.com
actions-cool/maintain-one-commentunknownmutable-tagsMalicious65%StepSecurity; haltingproblems.com

IOC Clipboard

12 IOCs
domaint.m-kosche.com
urlhttps://app.stepsecurity.io/github/actions-security-demo/compromised-packages/actions/runs/26056902433
file_pathaction.yml
file_pathdist/index.js
file_path/home/runner/.bun/bin/bun
hash1c9e803c80cc7fed000022d4c94f4b5bc2e90062
commandRunner.Worker
command/proc/<Runner.Worker PID>/mem
commandsudo python3
commandisSecret
network_patternHTTPS to t.m-kosche.com
commandgh auth token

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes this scope contain package, workflow, process, filesystem, or network indicators associated with actions-cool GitHub Actions Tag Hijack Credential Theft?scripts/local_repository_and_exported_telemetry_scope.pyStepSecurity

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does this scope contain package, workflow, process, filesystem, or network indicators associated with actions-cool GitHub Actions Tag Hijack Credential Theft?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.pyPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = Path(sys.argv[1]).resolve() if len(sys.argv) > 1 else Path('.').resolve()
OUT = Path(os.environ.get('OUT', 'hp-actions-cool-github-actions-tag-hijack-scope'))
OUT.mkdir(parents=True, exist_ok=True)

PACKAGES = ["actions-cool/issues-helper", "actions-cool/maintain-one-comment"]
PACKAGE_VERSIONS = ["actions-cool/issues-helper@mutable-tags", "actions-cool/maintain-one-comment@mutable-tags"]
FILES = ["action.yml", "dist/index.js", "/home/runner/.bun/bin/bun"]
HASHES = ["1c9e803c80cc7fed000022d4c94f4b5bc2e90062"]
DOMAINS = ["t.m-kosche.com"]
URLS = ["https://app.stepsecurity.io/github/actions-security-demo/compromised-packages/actions/runs/26056902433"]
IPS = []
PROCESS_PATTERNS = ["Runner.Worker", "/proc/<Runner.Worker PID>/mem", "gh auth token", "sudo python3", "isSecret"]
NETWORK_PATTERNS = ["HTTPS to t.m-kosche.com"]

def read_text(path: Path) -> str:
    try:
        return path.read_text(encoding="utf-8", errors="ignore")
    except Exception as exc:
        return f"__READ_ERROR__:{path}:{exc}"

def scan_tree(base: Path, indicators: set[str]) -> list[str]:
    matches = []
    skip = {".git", "node_modules", "vendor", "dist", ".venv", "__pycache__"}
    for current_root, dirs, files in os.walk(base):
        dirs[:] = [d for d in dirs if d not in skip]
        for name in files:
            path = Path(current_root) / name
            text = read_text(path)
            for indicator in indicators:
                if indicator and indicator in text:
                    matches.append(f"{path}: found {indicator!r}")
    return matches

indicators = set()
for group in [PACKAGES, PACKAGE_VERSIONS, FILES, HASHES, DOMAINS, URLS, IPS, PROCESS_PATTERNS, NETWORK_PATTERNS]:
    indicators.update(group)

(OUT / "indicators.txt").write_text("\n".join(sorted(indicators)) + "\n", encoding="utf-8")
matches = scan_tree(ROOT, indicators)
(OUT / "matches.txt").write_text("\n".join(matches) + ("\n" if matches else ""), encoding="utf-8")
print(f"[+] wrote {len(indicators)} selectors and {len(matches)} matches under {OUT}")

Provenance & Sources

2 of 2 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
StepSecuritySecurity Researcher95%1StepSecurity reported that all tags for actions-cool/issues-helper, and the related actions-cool/maintain-one-comment action, were moved to imposter commits that downloaded Bun, scraped Runner.Worker memory, and exfiltrated secrets to t.m-kosche.com.
haltingproblems.comBlog80%1StepSecurity reported that all tags for actions-cool/issues-helper, and the related actions-cool/maintain-one-comment action, were moved to imposter commits that downloaded Bun, scraped Runner.Worker memory, and exfiltrated secrets to t.m-kosche.com.