HIGHSupply Chain
Verified
Global

GitHub Actions Supply Chain Attack Injects Malware Into CI/CD Pipelines

·Source: GitHub Security Advisory

Updated:

Executive Summary

Compromised GitHub Action used by 23,000+ repositories injects credential-stealing code into CI/CD pipelines. Broad exposure across enterprise repositories.

Analysis

A popular GitHub Action with 23,000+ repository users was compromised after the maintainer account was hijacked. The malicious version exfiltrates CI/CD secrets including cloud credentials, NPM tokens, and Docker registry passwords during pipeline execution. GitHub has revoked the compromised versions and is notifying affected organizations. The incident highlights ongoing risks in CI/CD supply chain security.

Timeline

Discovered
Mar 2, 2026
Published
Mar 2, 2026
Source Attribution

Originally published by GitHub Security Advisory on Mar 2, 2026. Verified by: GitHub, CISA.

Related Threats

LOWSupply Chain

GitHub Actions Supply Chain Attack Redirects Tags to Steal CI/CD Credentials

In yet another software supply chain attack, threat actors have compromised the popular GitHub Actions workflow, actions-cool/issues-helper, to run malicious code that harvests sensitive credentials and exfiltrates them to an attacker-controlled server. "Every existing tag in the repository has been moved to point to an imposter commit that does not appear in the action's normal commit history,

The Hacker News
LOWSupply Chain

Popular GitHub Action Tags Redirected to Imposter Commit to Steal CI/CD Credentials

In yet another software supply chain attack, threat actors have compromised the popular GitHub Actions workflow, actions-cool/issues-helper, to run malicious code that harvests sensitive credentials and exfiltrates them to an attacker-controlled server. "Every existing tag in the repository has been moved to point to an imposter commit that does not appear in the action's normal commit history,

The Hacker News
MEDIUMSupply Chain

Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account

Cybersecurity researchers have discovered a fresh software supply chain attack campaign that has compromised various npm packages associated with the @antv ecosystem as part of the ongoing Mini Shai-Hulud attack wave. "The attack affects packages tied to the npm maintainer account atool, including echarts-for-react, a widely used React wrapper for Apache ECharts with roughly 1.1 million weekly

The Hacker News