actions-cool/issues-helper GitHub Action compromised — 53 tags moved to imposter commit 1c9e803 reading Runner.Worker /proc/PID/mem for secrets; Mini Shai-Hulud cluster link

StepSecurity disclosed on 2026-05-18 that all 53 existing version tags of the popular actions-cool/issues-helper GitHub Action were moved to point to an imposter commit (1c9e803) not present in the action's normal branch history, with 15 tags on the companion actions-cool/maintain-one-comment action manipulated in the same operation. The malicious payload downloads the Bun JavaScript runtime to the runner, then spawns a Python process that reads the /proc/<PID>/mem address space of the Runner.Worker process — the GitHub Actions component that holds decrypted workflow secrets during job execution. Captured bytes are filtered via tr + grep for values marked isSecret: true and exfiltrated over HTTPS to t.m-kosche[.]com. Socket confirmed the exfiltration domain overlaps with the Mini Shai-Hulud npm / PyPI campaign cluster (The Hacker News, 2026-05-19). All 53 imposter commits were created within a 3-minute 16-second window; GitHub has since disabled the repository.

Any workflow that referenced actions-cool/issues-helper@v* or a mutable tag during the 2026-05-18 attack window should be treated as a compromised CI/CD pipeline — rotate GitHub PATs, npm tokens, AWS credentials, SSH keys, and any other secret exposed via ${{ secrets.* }} to that workflow. Maps to T1195.002 (Compromise Software Supply Chain) and T1552.001 (Credentials in Files).

Why it matters to us: EU and Swiss developer organisations using GitHub Actions for public-sector software supply chains were directly in scope during the attack window. The mitigation is enforcement of commit-SHA pinning for every third-party Action reference (uses: actions-cool/issues-helper@<full-sha> rather than @v2 or @main) and runtime enforcement of allow-listed outbound network destinations from runners (StepSecurity Harden-Runner, GitHub-native egress filtering).

A Nightwing government contractor used a public GitHub repository named "Private-CISA" as a personal sync mechanism between work and home machines, exposing highly-privileged credentials for CISA / DHS infrastructure from approximately 2025-11-13 to 2026-05-15 — about six months (Krebs on Security, 2026-05-18; Gizmodo, 2026-05-19). GitGuardian researcher Guillaume Valadon surfaced the repository on 2026-05-15. Exposed material included administrative credentials for three Amazon AWS GovCloud accounts, plaintext usernames and passwords (AWS-Workspace-Firefox-Passwords.csv) for dozens of internal CISA systems, SSH keys and cloud tokens, and credentials to CISA's internal Artifactory code-package repository ("LZ-DSO" — Landing Zone DevSecOps). The contractor had deliberately disabled GitHub's default push-protection secret scanning. Independent researcher Philippe Caturegli (Seralys) validated AWS keys against live GovCloud accounts at high privilege and confirmed the keys remained valid for at least 48 hours after the repository was taken down. CISA acknowledged a ~one-third workforce reduction from buyouts and resignations under the Trump administration may have weakened oversight of contractor behaviour.

Why it matters to us: Caturegli identified the Artifactory access as the highest-impact exposure — write access to a national cybersecurity agency's build-package repo would enable backdoor insertion into anything CISA built or deployed (T1195.002 Supply Chain Compromise: Compromise Software Supply Chain). The transferable lesson for EU/CH national CERT operators is independent of US politics: contractors and integrators with write access to NCSC / BSI / ANSSI build pipelines must be subject to organisation-level GitHub push-protection that administrators cannot disable, mandatory short-lived OIDC role assumption (no long-lived AWS keys), Artifactory access-log SIEM integration with off-hours bulk-download anomaly detection, and quarterly secret-scanning sweeps of contractor personal repos under contract. T1552.001 (Credentials In Files) / T1552.004 (Private Keys).

On 2026-05-16, Grafana Labs disclosed that CoinbaseCartel — a data-extortion group active since September 2025, focusing exclusively on theft without encryption — exploited a pull_request_target GitHub Actions workflow misconfiguration ("Pwn Request") to exfiltrate a privileged GitHub token and clone the private codebase. The attack vector: fork a public repository, inject curl into the pull_request_target workflow to dump environment variables to an encrypted file, delete the fork to erase evidence. Grafana detected the exfiltration via a triggered canary token embedded in the private code (not from automated secrets-scanning). Ransom was demanded and rejected. Grafana confirmed no customer data, production systems, or running infrastructure was accessed — the exposure was private source code. The canary-token detection is an instructive model; the pull_request_target vulnerability class is the same pattern documented in tj-actions/changed-files (SLSA gap).

Hunt for this in your own GitHub organisation: audit logs for pull_request_target workflow runs where head_repository.owner differs from the base repository owner.

CVE-2026-45793 is a token disclosure in PHP Composer (the PHP package manager) patched and disclosed by the Packagist team on 2026-05-13 (Packagist blog, 2026-05-13). When Composer encounters certain error conditions during package resolution in a GitHub Actions CI/CD workflow, it emits the configured GitHub authentication token — GITHUB_TOKEN or a personal access token — into its error output and debug log stream. Any CI/CD pipeline that captures and stores build logs (SaaS CI/CD platforms, self-hosted log aggregation, artifact stores, or public build logs on open-source repositories) may inadvertently persist these tokens. A GITHUB_TOKEN scoped to the repository's default permissions allows write access to repository code, workflow files, and packages; an attacker who gains access to build logs via SSRF, a compromised CI SaaS integration, or inadvertent public log exposure can extract and abuse the token before it expires. The broader risk context: this bug class (credential leakage via error path logging) echoes the credential-leakage pattern seen in supply-chain attacks such as Mini Shai-Hulud; Composer-based repositories using GitHub Actions are now an independently confirmed leakage path for CI tokens. No in-the-wild exploitation reported. Fixed: Composer 2.9.8, 2.2.28, and 1.10.28. Action: upgrade Composer in all CI/CD environments immediately; rotate any GitHub tokens that may have appeared in prior Composer error output; audit build log retention policies.

UPDATE (originally covered 2026-05-10 in the Q1 2026 ransomware quarterly synthesis): Check Point Research published "Thus Spoke…The Gentlemen" on 2026-05-13, a detailed analysis of a 44.4 MB extract from the group's leaked "Rocket" backend database (16.22 GB total) that was posted to the cybercrime forum Breached on 2026-05-04 after the group's infrastructure was compromised by an unidentified actor (Check Point Research, 2026-05-13; BankInfoSecurity, 2026-05-11). The dataset contains 8,200 lines of internal chat-tool traffic across channels INFO / general / TOOLS / PODBOR, shadow files with password hashes, affiliate negotiation transcripts, and configuration artefacts for the ZeroPulse C2 framework.

Nine operator handles are identified — including administrator zeta88 (also hastalamuerte), who both manages the RaaS panel and participates directly in encryption events. Reconstructed attack chain: initial access almost exclusively via unpatched edge devices — FortiGate CVE-2024-55591 (the group's documented mainstay), Cisco appliances, CWMP/TR-069 interfaces — or purchased infostealer credentials; post-access tooling includes NetExec, RelayKing (NTLM relay), CertiHound (AD Certificate Services abuse), TaskHound, PrivHound; EDR-suppression utilities EDRStartupHinder, gfreeze and glinker manipulate ETW callbacks and NTDLL syscall tables; persistence is maintained via Cloudflare Zero Trust tunnels and self-provisioned WireGuard/OpenVPN chains.

Two operationally critical facts: (1) Check Point Research attributes a count of 1,570+ victim entries to a separately-exposed SystemBC C&C server, against 332 victims publicly listed on the group's data-leak site in the first five months of 2026 — significant under-reporting of true scope (Check Point's wider comparison cites 412 cumulative DLS listings); (2) the decryptor has been released as GitHub Bedrock-Safeguard/gentlemen-decryptor, enabling existing victims to recover without payment (decryptor disclosed in BankInfoSecurity's 2026-05-11 reporting). For Swiss / EU SOCs handling an active Gentlemen incident the workflow changes today: attempt decryption before any negotiation. Detection pivots from the leak: alert on EDRStartupHinder, gfreeze, glinker process names (custom binaries, not commodity); monitor for AD Certificate Services reconnaissance (certutil enumeration of CA servers and templates) consistent with CertiHound; correlate with FortiGate CVE-2024-55591 initial-access exploitation patterns that the group continues to weaponise.