
Actions-cool/issues-helper hit by network compromise

Incident
Happening score: 45
1 unique source, 1 article

Summary


The actions-cool/issues-helper GitHub Actions supply-chain compromise let malicious tags run in CI/CD pipelines, causing credential theft and downstream account risk. A second action, actions-cool/maintain-one-comment, also had 15 tags compromised with the same functionality. GitHub later disabled access to the repository, while workflows pinned to a known-good full commit SHA were unaffected.

Related Happenings

Laravel Lang organization hit by network compromise

Incident
First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

About this happening: The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...

Laravel Lang credential-stealer dropper delivered through malicious Composer packages

Malware Activity
First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

About this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...

Megalodon GitHub CI/CD supply-chain campaign

Campaign
First: 22.05.2026 14:55 Last: 22.05.2026 14:55 Sources 1

About this happening: The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...

GitHub data exposed after GitHub breach

Data Leak
First: 20.05.2026 11:14 Last: 20.05.2026 11:14 Sources 1

About this happening: GitHub confirmed **exfiltration** of **internal repositories**, making private code and related content potentially available to outsiders. Attackers on the **Breached cybercrime...

GitHub internal repositories private-code leak claim

Data Leak
First: 20.05.2026 08:08 Last: 20.05.2026 08:08 Sources 1

About this happening: GitHub is facing a claimed leak of **internal repositories** after **TeamPCP** said it had access to about **4,000 private-code repos** and tried to sell samples. The alleged expo...

Latest development: 21.05.2026 17:45

A malicious version of Nx Console 18.95.0 was uploaded to Visual Studio Marketplace and Open VSX on May 18, fetched an obfuscated payload, and harvested secrets from ~/.vault-token, /etc/vault/token, .npmrc, ghp_/gho_/ghs_ tokens, AWS metadata, and other local sources; GitHub said the poisoned VS Code extension led to unauthorized access to about 3800 internal repositories.

Timeline

  1. 19.05.2026 08:28 · 2 articles

    actions-cool/issues-helper tag compromise exposes CI/CD credential theft

    Initial Disclosure

    StepSecurity identified a software supply chain compromise of the GitHub Actions repository actions-cool/issues-helper in which every existing tag was redirected to an imposter commit outside the normal history, causing workflows that reference the action by version to run malicious code that harvests credentials from CI/CD pipelines and exfiltrates them to t.m-kosche[.]com. The malicious commit also downloads the Bun JavaScript runtime and reads memory from the Runner.Worker process. A second GitHub action, actions-cool/maintain-one-comment, had 15 tags compromised with the same functionality. GitHub later disabled access to the repository after a violation of GitHub's terms of service, and workflows pinned to a known-good full commit SHA remained unaffected.
