The GitHub Action actions-cool/issues-helper has been compromised in a supply chain attack. An attacker moved all repository tags to point to a malicious imposter commit not present in the normal commit history. When executed, the malicious code downloads the Bun JavaScript runtime, reads memory from the Runner.Worker process to harvest decrypted secrets, and exfiltrates them to an attacker-controlled domain. Any workflow referencing the action by version tag is affected; only those pinned to a known-good full commit SHA are safe. StepSecurity has responded by blocking the action via its Compromised Actions Policy, adding the exfiltration domain to Harden-Runner's global block list, and deploying imposter commit detection to flag affected workflows.
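The check below is an added example, not code from StepSecurity or from the action's repository: it scans workflow text for `uses:` references to actions-cool/issues-helper that are not pinned to a full 40-character commit SHA, which is the class of reference the tag move affects. The sample workflow and the SHA in it are constructed for illustration; a reference that passes still has to be compared against a commit you have verified as known-good, since this summary does not list one.

```python
import re

ACTION = "actions-cool/issues-helper"  # action named in the advisory
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo[/path]@ref" on a step line; commented-out lines do not match.
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^@\s'\"#]+)@([^\s'\"#]+)")


def find_tag_references(workflow_text, action=ACTION):
    """Return (line_no, ref) for each use of `action` not pinned to a full commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES.match(line)
        if not m:
            continue
        # GitHub treats owner/repo case-insensitively, so compare in lower case.
        name, ref = m.group(1).lower(), m.group(2)
        if name != action and not name.startswith(action + "/"):
            continue
        # Tags, branches and abbreviated SHAs are all mutable or ambiguous refs.
        if not FULL_SHA.match(ref.lower()):
            findings.append((line_no, ref))
    return findings


# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: triage
on: issues
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-cool/issues-helper@v3
      - name: pinned step
        uses: Actions-Cool/issues-helper@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: "actions-cool/issues-helper@main"
      # - uses: actions-cool/issues-helper@v2
"""

if __name__ == "__main__":
    for line_no, ref in find_tag_references(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ACTION}@{ref} is not pinned to a full commit SHA")
```

Run it over every file under `.github/workflows/` by passing each file's contents to `find_tag_references`.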