actions-cool/issues-helper + maintain-one-comment — every tag retargeted to TeamPCP imposter commit
On 2026-05-19 an attacker with push access to the actions-cool GitHub org force-moved every tag in actions-cool/issues-helper (53 tags, including the floating v1 / v2) and actions-cool/maintain-one-comment (15 tags) to a single imposter commit. Any workflow pinned to a tag — not a full commit SHA — pulled the imposter dist/index.js, which dumps Runner.Worker memory to exfiltrate GitHub Actions secrets. Shares C2 (t.m-kosche.com) with the same-day @antv and durabletask waves; attributed to TeamPCP.
- Threat actor
- TeamPCP
- Detected by
- StepSecurity
- Also known as
- Mini Shai-Hulud
- Ecosystems
- GitHub Actions
- Packages tracked
- 2
What happened
On 2026-05-19 an attacker with push access to the actions-cool GitHub organisation moved every git tag in actions-cool/issues-helper (all 53 tags, including the widely-pinned v1 and v2 floating majors) and every tag in actions-cool/maintain-one-comment (all 15 tags) to a single imposter commit 1c9e803 (truncated SHA). GitHub flagged the commit with its "this commit does not belong to any branch" warning, indicating it was force-pushed via the API and never merged into a branch.
The attack class is tag hijack. Because GitHub Actions resolves a tag to whatever commit it currently points at, every consumer workflow referencing actions-cool/issues-helper@v1, @v2, @vN.N.N, or @main pulls the malicious code on its next run. Only workflows pinned to a known-clean full commit SHA are unaffected. Tag-based pinning, including semver ranges, is fully bypassed.
The imposter commit's dist/index.js downloads the Bun JavaScript runtime, dumps memory from the Runner.Worker process (which holds the decrypted GitHub Actions secret context), parses env-var-shaped credentials out of that memory, and POSTs them over HTTPS to t.m-kosche[.]com on 443 — the same C2 used by the 2026-05-19 Microsoft durabletask PyPI compromise and the same-day @antv npm burst. StepSecurity, GBHackers, The Hacker News, Cybersecurity News, SC Media, and DailySecurityReview confirmed the attack as part of the broader TeamPCP / Mini Shai-Hulud cluster.
- Initial access is distinct from the package compromises: this hop did NOT rely on a registry token but on a hijacked GitHub maintainer account, plausibly seeded from credentials harvested earlier the same day by the
@antvworm. - Stolen
secrets.*,env.*, and OIDC tokens enable downstream registry publishes, cloud deploys, and writes back into the calling repo for the duration of the workflow run. Bunis downloaded fresh on the runner, so--ignore-scriptsand npm hardening do NOT mitigate.actions-cool/issues-helperis consumed by an estimated >40K public workflows;actions-cool/maintain-one-commentby ~12K.
At disclosure the affected repos were still serving the malicious tags; GitHub later force-removed the offending commit from the public reflog. The structural lesson: tag references are mutable, and any organisation that consumes third-party Actions by tag is one maintainer-account compromise away from CI/CD credential exfiltration. Org-wide SHA-pinning enforcement is the only durable mitigation.
Affected packages (2)
- GitHub Actions
actions-cool/issues-helper - GitHub Actions
actions-cool/maintain-one-comment
Impact
- Full GitHub Actions secret context exfiltration: any
secrets.*,env.*, and OIDC tokens reachable fromRunner.Workermemory at the moment the action runs - Includes downstream npm/PyPI/Docker publish tokens, AWS/GCP/Azure deployment credentials, GHCR / private-registry creds, SSH deploy keys, Slack/Discord bot tokens
- Cross-repo escalation: stolen
GITHUB_TOKENpermits writes back into the calling repo for the duration of the workflow run, enabling further worm propagation - Tag-based pinning (
@v1,@v2, semver ranges) is fully bypassed — only full-SHA pins resist this attack class Bunis downloaded fresh on the runner, so--ignore-scripts/ npm hardening does NOT mitigate
What to do
- 1Immediately remove
actions-cool/issues-helperandactions-cool/maintain-one-commentfrom every workflow OR pin to a verified-clean full commit SHA (e.g. for issues-helper the v3.6.1 commit predating 2026-05-19; verify in your fork before trusting any single SHA — the actions-cool maintainers had not posted a recommended clean SHA as of disclosure) - 2Treat any workflow run that consumed either action on or after 2026-05-19 as a credential-compromise event. Rotate every secret reachable from that workflow: npm/PyPI/Docker tokens, cloud keys, GHCR PATs, Slack webhooks, deploy SSH keys
- 3Block egress to
t.m-kosche.comand any*.m-kosche.comsubdomain on all CI/CD network paths; alert on outbound HTTPS to that host fromRunner.Worker/bunprocesses - 4Audit
actions-cool/*org membership and 2FA enforcement; assume any token with push access to those repos was used and revoke - 5Adopt SHA-pinning org-wide: enforce StepSecurity /
dependabot.ymlrules that reject tag references for third-party actions. Tags are mutable and this attack class will recur - 6Hunt internal forks/mirrors: any organisation that has mirrored either repo and re-pushed tags may also be serving the imposter SHA