Popular GitHub Action Tags Redirected to Imposter Commit to Steal CI/CD Credentials
ID: 1fc4be1a-4d10-5852-a4e0-15659033da0e
STIX ID: report--1fc4be1a-4d10-5852-a4e0-15659033da0e
Feed Name: The Hacker News
A supply-chain compromise of the GitHub Actions workflows actions-cool/issues-helper and actions-cool/maintain-one-comment used 'imposter commits' in an adversary-controlled fork to inject malicious code. The injected code downloads the Bun runtime, reads memory from the Runner.Worker process to harvest CI/CD credentials, and exfiltrates them to t.m-kosche.com. The exfiltration domain ties this activity to the Mini Shai-Hulud campaign targeting @antv npm packages. GitHub has disabled access to the repository; workflows pinned to full commit SHAs remain unaffected.
