Feed
CriticalPublished 19 May 2026Updated 20 May 20262 packages · 0 versions

actions-cool/issues-helper + maintain-one-comment — every tag retargeted to TeamPCP imposter commit

Summary

On 2026-05-19 an attacker with push access to the actions-cool GitHub org force-moved every tag in actions-cool/issues-helper (53 tags, including the floating v1 / v2) and actions-cool/maintain-one-comment (15 tags) to a single imposter commit. Any workflow pinned to a tag — not a full commit SHA — pulled the imposter dist/index.js, which dumps Runner.Worker memory to exfiltrate GitHub Actions secrets. Shares C2 (t.m-kosche.com) with the same-day @antv and durabletask waves; attributed to TeamPCP.

ci-cd-compromisemaintainer-takeovercredential-theftwormobfuscation
Threat actor
TeamPCP
Detected by
StepSecurity
Also known as
Mini Shai-Hulud
Ecosystems
GitHub Actions
Packages tracked
2

What happened

On 2026-05-19 an attacker with push access to the actions-cool GitHub organisation moved every git tag in actions-cool/issues-helper (all 53 tags, including the widely-pinned v1 and v2 floating majors) and every tag in actions-cool/maintain-one-comment (all 15 tags) to a single imposter commit 1c9e803 (truncated SHA). GitHub flagged the commit with its "this commit does not belong to any branch" warning, indicating it was force-pushed via the API and never merged into a branch.

The attack class is tag hijack. Because GitHub Actions resolves a tag to whatever commit it currently points at, every consumer workflow referencing actions-cool/issues-helper@v1, @v2, @vN.N.N, or @main pulls the malicious code on its next run. Only workflows pinned to a known-clean full commit SHA are unaffected. Tag-based pinning, including semver ranges, is fully bypassed.

The imposter commit's dist/index.js downloads the Bun JavaScript runtime, dumps memory from the Runner.Worker process (which holds the decrypted GitHub Actions secret context), parses env-var-shaped credentials out of that memory, and POSTs them over HTTPS to t.m-kosche[.]com on 443 — the same C2 used by the 2026-05-19 Microsoft durabletask PyPI compromise and the same-day @antv npm burst. StepSecurity, GBHackers, The Hacker News, Cybersecurity News, SC Media, and DailySecurityReview confirmed the attack as part of the broader TeamPCP / Mini Shai-Hulud cluster.

  • Initial access is distinct from the package compromises: this hop did NOT rely on a registry token but on a hijacked GitHub maintainer account, plausibly seeded from credentials harvested earlier the same day by the @antv worm.
  • Stolen secrets.*, env.*, and OIDC tokens enable downstream registry publishes, cloud deploys, and writes back into the calling repo for the duration of the workflow run.
  • Bun is downloaded fresh on the runner, so --ignore-scripts and npm hardening do NOT mitigate.
  • actions-cool/issues-helper is consumed by an estimated >40K public workflows; actions-cool/maintain-one-comment by ~12K.

At disclosure the affected repos were still serving the malicious tags; GitHub later force-removed the offending commit from the public reflog. The structural lesson: tag references are mutable, and any organisation that consumes third-party Actions by tag is one maintainer-account compromise away from CI/CD credential exfiltration. Org-wide SHA-pinning enforcement is the only durable mitigation.

Affected packages (2)

  • GitHub Actionsactions-cool/issues-helper
  • GitHub Actionsactions-cool/maintain-one-comment

Impact

  • Full GitHub Actions secret context exfiltration: any secrets.*, env.*, and OIDC tokens reachable from Runner.Worker memory at the moment the action runs
  • Includes downstream npm/PyPI/Docker publish tokens, AWS/GCP/Azure deployment credentials, GHCR / private-registry creds, SSH deploy keys, Slack/Discord bot tokens
  • Cross-repo escalation: stolen GITHUB_TOKEN permits writes back into the calling repo for the duration of the workflow run, enabling further worm propagation
  • Tag-based pinning (@v1, @v2, semver ranges) is fully bypassed — only full-SHA pins resist this attack class
  • Bun is downloaded fresh on the runner, so --ignore-scripts / npm hardening does NOT mitigate

What to do

  1. 1Immediately remove actions-cool/issues-helper and actions-cool/maintain-one-comment from every workflow OR pin to a verified-clean full commit SHA (e.g. for issues-helper the v3.6.1 commit predating 2026-05-19; verify in your fork before trusting any single SHA — the actions-cool maintainers had not posted a recommended clean SHA as of disclosure)
  2. 2Treat any workflow run that consumed either action on or after 2026-05-19 as a credential-compromise event. Rotate every secret reachable from that workflow: npm/PyPI/Docker tokens, cloud keys, GHCR PATs, Slack webhooks, deploy SSH keys
  3. 3Block egress to t.m-kosche.com and any *.m-kosche.com subdomain on all CI/CD network paths; alert on outbound HTTPS to that host from Runner.Worker/bun processes
  4. 4Audit actions-cool/* org membership and 2FA enforcement; assume any token with push access to those repos was used and revoke
  5. 5Adopt SHA-pinning org-wide: enforce StepSecurity / dependabot.yml rules that reject tag references for third-party actions. Tags are mutable and this attack class will recur
  6. 6Hunt internal forks/mirrors: any organisation that has mirrored either repo and re-pushed tags may also be serving the imposter SHA

References

github-actions-2026-05-19-actions-cool-tag-hijack