GitHub Actions workflow compromised to steal CI/CD credentials
Attackers rewrote repository tags in actions-cool/issues-helper to redirect users to malicious commits harvesting secrets from automated pipelines.
A supply chain attack has compromised actions-cool/issues-helper, a widely used GitHub Actions workflow. Threat actors manipulated every existing tag in the repository to point to malicious commits that do not appear in the action's normal commit history.
The attack targets continuous integration and deployment pipelines. When developers reference the workflow by tag—a common practice for version pinning—they unknowingly execute attacker-controlled code. That code harvests sensitive credentials from the CI/CD environment and exfiltrates them to a remote server. The technique exploits the trust model of GitHub Actions, where workflows often run with elevated permissions and access to secrets.
The compromise affects any organization using the workflow in automated builds. Because tags were redirected rather than new commits added to the main branch, the attack evades casual inspection. Users checking recent commit activity would see nothing unusual, while their pipelines silently run malicious code.
- 01Organizations using actions-cool/issues-helper face credential exposure and potential pipeline compromise
- 02Development teams must audit workflow dependencies and consider commit-hash pinning over tags
- 03GitHub may need to implement tag mutation alerts or immutable reference options
- 04Supply chain attacks increasingly target CI/CD infrastructure rather than application code
Ransomware attack executed entirely by AI agent, researchers report
JadePuffer operation marks what may be the first documented case of a fully autonomous LLM-driven ransomware deployment from reconnaissance to encryption.
Agentic AI Executes Multi-Stage Ransomware Attack via Langflow
Demonstration shows large language model agents autonomously combining exploitation techniques with real-time reasoning to conduct complex intrusions without human intervention.
FortiBleed Attackers Monetize Firewall Access Through Ransomware Partnerships
Actors who compromised thousands of Fortinet devices are now collaborating with Inc and Lynx ransomware groups, adding Nextcloud exploitation to their toolkit.