
GitHub Actions Attack Steals Credentials
TL;DR: A popular GitHub Actions workflow, `actions-cool/issues-helper`, has been compromised in a supply chain attack. Attackers altered repository tags to point to malicious code designed to steal sensitive credentials from CI/CD environments and send them to an external server.
Key facts
- Category: Cybersecurity
- Impact: Low
- Published:
- Source: The Hacker News
Full summary
A popular GitHub Actions workflow was compromised to steal sensitive credentials from CI/CD pipelines through a sophisticated supply chain attack.
A popular GitHub Actions workflow, `actions-cool/issues-helper`, has been compromised in a sophisticated software supply chain attack. The attackers manipulated the project's repository by redirecting all existing version tags to point to a malicious commit. This imposter commit, which does not appear in the action's legitimate history, contains code designed to steal sensitive credentials from the CI/CD environment where the action is executed. The stolen information is then sent to a remote server under the attackers' control.
This incident highlights a significant risk for any organization using automated workflows. By targeting a popular third-party action, attackers exploit the trust developers place in the open-source ecosystem. Since the tags were moved, even teams that pinned the action to a specific version tag would have inadvertently pulled the malicious code. This could lead to the exposure of critical secrets such as API keys and access tokens, potentially giving attackers broad access to internal systems. The attack underscores the vulnerability of CI/CD pipelines, which are increasingly targeted due to the high-value credentials they manage.
⚡ Action needed
Users of the `actions-cool/issues-helper` GitHub Action should immediately review their workflows, verify they are not using a compromised version, and rotate any potentially exposed credentials.
Action checklist
1. Audit workflows for use of `actions-cool/issues-helper`.
2. Disable the workflow and investigate for signs of compromise.
3. Pin the action to a specific, verified commit hash instead of a tag.
4. Rotate all credentials and secrets exposed in your CI/CD environment.
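The first and third checklist items are easy to automate. The script below is an added example written for this summary, not code from The Hacker News article or from the `actions-cool/issues-helper` project. It scans workflow YAML for `uses:` references and reports whether each one is pinned to a full 40-character commit SHA (which a tag move cannot redirect) or to a mutable ref such as a tag or branch. The sample workflow, the watched-action list and the all-zero SHA are constructed placeholders; the SHA is not a verified release of the action.

```python
"""Audit GitHub Actions workflows for unpinned third-party actions.

Added example for this summary; not from the article or the project.
A tag like `@v3` can be moved to point at a different commit, so only a
full commit SHA is treated as an immutable pin here.
"""
import re
from pathlib import Path

# `uses: owner/repo[/subpath]@ref`; group 1 = action, group 2 = ref.
# Local actions (`./path`) and `docker://` images carry no `@ref` and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^'\"\s#]+)"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not a real repository's file).
SAMPLE_WORKFLOW = """\
name: triage
on: [issues]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-cool/issues-helper@v3
        with:
          actions: 'create-comment'
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions-cool/issues-helper@0000000000000000000000000000000000000000 # placeholder SHA, not verified
      - uses: ./.github/actions/local-step
"""


def audit_workflow(text, watch=("actions-cool/issues-helper",)):
    """Return findings as (line_no, action, ref, pinned, watched) tuples.

    `pinned` is True only for a full 40-hex SHA; `watched` is True when the
    action is one of the names in `watch` (exact or a subpath of it).
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref = match.group(1), match.group(2)
        pinned = bool(FULL_SHA_RE.match(ref))
        watched = any(action == w or action.startswith(w + "/") for w in watch)
        findings.append((line_no, action, ref, pinned, watched))
    return findings


def summarize(findings):
    """Aggregate counts a triage ticket would quote."""
    return {
        "total": len(findings),
        "mutable": sum(1 for f in findings if not f[3]),
        "watched": sum(1 for f in findings if f[4]),
        "watched_mutable": sum(1 for f in findings if f[4] and not f[3]),
    }


def audit_directory(repo_root, watch=("actions-cool/issues-helper",)):
    """Scan every workflow file under .github/workflows of a checkout."""
    results = {}
    workflows = Path(repo_root) / ".github" / "workflows"
    for path in sorted(workflows.glob("*.y*ml")):
        results[str(path)] = audit_workflow(path.read_text(), watch)
    return results


def format_report(findings):
    """Human-readable lines; WATCHED marks the action under investigation."""
    lines = []
    for line_no, action, ref, pinned, watched in findings:
        state = "pinned-sha" if pinned else "MUTABLE-REF"
        flag = " WATCHED" if watched else ""
        lines.append(f"line {line_no}: {action}@{ref} [{state}]{flag}")
    return lines


if __name__ == "__main__":
    found = audit_workflow(SAMPLE_WORKFLOW)
    print("\n".join(format_report(found)))
    print(summarize(found))
```

Run it against a checkout with `audit_directory(".")` to cover every workflow file. A SHA pin only helps if the SHA itself was checked against the action's legitimate history before it was written into the workflow, which is why the placeholder above is labelled as unverified.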
Primary source: The Hacker News