> TritonInfoSec News
Home / May 20, 2026 / Story
0
#10 The Hacker News general May 19, 2026 at 05:28 UTC

GitHub Actions Supply Chain Attack Redirects Tags to Steal CI/CD Credentials

By [email protected] (The Hacker News)

AI Summary

Threat actors compromised the popular GitHub Actions workflow actions-cool/issues-helper, redirecting all existing repository tags to point to malicious imposter commits that harvest CI/CD credentials and exfiltrate them to an attacker-controlled server. The attack is notable because the malicious commits do not appear in the action's normal commit history, making detection difficult for teams relying on tag integrity. Organizations using this action in their pipelines should immediately audit workflow logs, rotate any exposed secrets, and pin actions to specific commit SHAs rather than tags.

Read full article → https://thehackernews.com/2026/05/github-actions-s…

Relevance score: 76.0/100

# More from May 20

  1. 1
    GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories The Hacker News
  2. 2
    Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector SecurityWeek
  3. 3
    Cybercrime service disrupted for abusing Microsoft platform to sign malware BleepingComputer
  4. 4
    In stunning display of stupid, secret CISA credentials found in public GitHub repo Ars Technica Security
  5. 5
    New Shai-Hulud malware wave compromises 600 npm packages BleepingComputer
  6. 6
    Max-severity flaw in ChromaDB for AI apps allows server hijacking BleepingComputer
  7. 7
    Drupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare The Hacker News
  8. 8
    DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability The Hacker News
  9. 9
    The New Phishing Click: How OAuth Consent Bypasses MFA The Hacker News