Find notable cyber news and cases, enriched with sources, timelines, and signals.

Actions-cool/issues-helper hit by network compromise

Incident
First reported
Last updated
Happening score
H score 45
1 unique sources, 1 articles

Summary

Hide ▲

The actions-cool/issues-helper GitHub Actions supply-chain compromise let malicious tags run in CI/CD pipelines, causing credential theft and downstream account risk. A second action, actions-cool/maintain-one-comment, also had 15 tags compromised with the same functionality. GitHub later disabled access to the repository, while workflows pinned to a known-good full commit SHA were unaffected.

Related Happenings

GitHub Agentic Workflows indirect prompt injection security flaw

Vulnerability
H score27 First: 07.07.2026 17:04 Last: 07.07.2026 17:04 Sources 1

About this happening: **GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...

Codfish/semantic-release-action hit by network compromise

Incident
H score21 First: 26.06.2026 14:05 Last: 26.06.2026 14:05 Sources 1

About this happening: The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...

GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows

Security Tool/Service
H score11 First: 23.06.2026 17:22 Last: 23.06.2026 17:22 Sources 1

About this happening: GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...

Anthropic Claude Code GitHub Action bypass fix (v1.0.94)

Security Patch Release
H score43 First: 04.06.2026 18:15 Last: 04.06.2026 18:15 Sources 1

About this happening: Anthropic shipped **claude-code-action v1.0.94** to close a **trigger-check bypass** in **Claude Code GitHub Action**, reducing takeover risk for **public repositories** that run...

Claude Code GitHub Action bot trigger bypass security flaw

Vulnerability
H score31 First: 04.06.2026 18:15 Last: 04.06.2026 18:15 Sources 1

About this happening: **Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...

Timeline

  1. 19.05.2026 08:28 2 articles · 1mo ago

    actions-cool/issues-helper tag compromise exposes CI/CD credential theft

    Initial Disclosure

    StepSecurity identified a software supply chain compromise of the GitHub Actions repository actions-cool/issues-helper in which every existing tag was redirected to an imposter commit outside the normal history, causing workflows that reference the action by version to run malicious code that harvests credentials from CI/CD pipelines and exfiltrates them to t.m-kosche[.]com. The malicious commit also downloads the Bun JavaScript runtime, reads memory from the Runner.Worker process, and a second GitHub action, actions-cool/maintain-one-comment, had 15 tags compromised with the same functionality. GitHub later disabled access to the repository after a violation of GitHub's terms of service, and workflows pinned to a known-good full commit SHA remained unaffected.

    Show sources